<?xml version="1.0" encoding="utf-8"?>
<rss version="0.92">
<channel>
<title>SecuObs.com</title>
<link>http://www.secuobs.com</link>
<description>Internet security observatory (Observatoire de la securite Internet)</description>
<language>fr</language>
<webMaster>webmaster@secuobs.com</webMaster>
<item><title>Seven Tips for Picking a Static Analysis Tool</title><description>2011-12-13 22:54:08 - AppSec Street Fighter - SANS Institute: Stephen J., who is a member of our software security mailing list, asked a while back, "Do you have any recommendations on static source code scanners?" James Jardine and I started talking and came up with the following tips. There are so many commercial static analysis tools from vendors like Armorize, Checkmarx, Coverity, Fortify (HP), Klocwork, IBM, and Veracode that it's hard to recommend a specific product. Instead we'd like to focus on seven tips that can help you maximize your selection. 1. Test before you buy. This probably sounds obvious but, assuming you haven't purchased anything yet, definitely do a bake-off and have the vendor run the tool against your actual apps. Do not simply run the tool on a vendor-supplied sample app, as the quality of the results, surprisingly, can vary quite a bit across different tools and code bases. Just keep in mind that some vendors will try to avoid this so they can</description><link>http://www.secuobs.com/revue/news/346960.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/346960.shtml</guid></item>
<item><title>Apple's iCloud: Thoughts on Security and the Storage APIs</title><description>Secuobs.com : 2011-12-05 21:32:36 - AppSec Street Fighter - SANS Institute - This is a guest post from security researcher Nitesh Dhanjani which follows his previous iOS articles. At the 2011 World Wide Developer Conference in San Francisco, Steve Jobs revealed his vision for Apple's iCloud: to demote the desktop as the central media hub and to seamlessly integrate the user's experience across devices. Apple's iCloud service comprises two distinct features. The first is to provide the user with the ability to back up and restore the device over the air without having to sync with an OS X or Windows computer. This mechanism is completely controlled by Apple and also provides free email and photo syncing capabilities. The second feature of iCloud allows 3rd party developers to leverage data storage capabilities within their own apps. In this article, I will provide my initial thoughts on iCloud from a security</description><link>http://www.secuobs.com/revue/news/345447.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/345447.shtml</guid></item>
<item><title>Real and useful security help for software developers</title><description>Secuobs.com : 2011-11-03 22:26:39 - AppSec Street Fighter - SANS Institute - There's lots of advice on designing and building secure software. All you need to do is: Think like an attacker. Minimize the attack surface. Apply the principles of Least Privilege and Defense in Depth and Economy of Mechanism. Canonicalize and validate all input. Encode and escape output within the correct context. Use encryption properly. Manage sessions in a secure way. But how are development teams actually supposed to do all of this? How do they know what's important, and what's not? What frameworks and libraries should they use? Where are code samples that they can review and follow? How can they test the software to see if they did everything correctly? There are only a few resources to help developers answer these questions. Here are the best that I have found so far. Cheat Sheets: First, there are the OWASP Prevention Cheat Sheets, which provide clear, practical advice</description><link>http://www.secuobs.com/revue/news/338747.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/338747.shtml</guid></item>
<item><title>Dealing with security vulnerabilities, er, bugs</title><description>Secuobs.com : 2011-10-04 17:35:20 - AppSec Street Fighter - SANS Institute - A serious problem in many organizations is that the relationship between security and development is marred by blame, mistrust, evasion and lack of understanding. One result of this is that development teams (and their business sponsors) don't take ownership for understanding and managing software security risks, and often try to ignore vulnerabilities or hide them. Catch-22: Outside of high-assurance and some highly-regulated environments, security usually isn't an important requirement in building a system. Developers and their business sponsors are more focused on getting the system to work, and getting people to use it. They are driven by feature-set, time-to-market, usability, performance and cost. If the system gets delivered and enough people use it, then the business may have to take security concerns seriously because the risk profile has changed: the system and the business that is relying on it has now become a potentially valuable</description><link>http://www.secuobs.com/revue/news/332613.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/332613.shtml</guid></item>
<item><title>Commenting Server Controls in ASP.Net</title><description>Secuobs.com : 2011-09-15 23:38:19 - AppSec Street Fighter - SANS Institute - How often do you just use an HTML comment to remove old code, or new functionality that isn't ready yet? Are HTML comments effective for ASP.Net server controls? From a pure development context, they probably are. When we factor in security, they no longer provide the functionality that was intended. This post will explain an issue with how ASP.Net handles this situation and why it is not sufficient from a security perspective. I am going to use a very simplistic example to make it easier to understand and to save space. Please do not let this simple example downplay the significance of this issue. In this example, I have added two label controls and a button control. I will walk through a few different scenarios to explain what is happening. Here is what the relevant part of the HTML page looks like: [sourcecode language="php"] HTML Comment Test</description><link>http://www.secuobs.com/revue/news/329203.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/329203.shtml</guid></item>
<item><title>Password Tracking in Malicious iOS Apps</title><description>Secuobs.com : 2011-08-23 21:35:04 - AppSec Street Fighter - SANS Institute - In this article, John Bielich and Khash Kiani introduce OAuth, and demonstrate one type of approach in which a malicious native client application can compromise sensitive end-user data. Earlier this year, Khash posted a paper entitled "Four Attacks on OAuth: How to Secure Your OAuth Implementation" that introduced a common protocol flow, with specific examples and a few insecure implementations. For more information about the protocol, various use cases and key concepts, please refer to the mentioned post and any other freely available OAuth resources on the web. This article assumes that the readers are familiar with the detailed principles behind OAuth, and that they know how to make GET and POST requests over HTTPS. However, we will still</description><link>http://www.secuobs.com/revue/news/324764.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/324764.shtml</guid></item>
<item><title>The C14N challenge</title><description>Secuobs.com : 2011-08-16 00:11:06 - AppSec Street Fighter - SANS Institute - Failing to properly validate input data is behind at least half of all application security problems. In order to properly validate input data, you have to start by first ensuring that all data is in the same standard, simple, consistent format: a canonical form. This is because of all the wonderful flexibility in internationalization and data formatting and encoding that modern platforms and especially the Web offer. Wonderful capabilities that attackers can take advantage of to hide malicious code inside data in all sorts of sneaky ways. Canonicalization is a conceptually simple idea: take data inputs, and convert all of it into a single, simple, consistent normalized internal format before you do anything else with it. But how exactly do you do this, and how do you know that it has been done properly? What are the steps that programmers need to take to</description><link>http://www.secuobs.com/revue/news/323224.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/323224.shtml</guid></item>
<item><title>Spot the Vuln – Boundaries - SQL Injection</title><description>Secuobs.com : 2011-08-08 20:59:13 - AppSec Street Fighter - SANS Institute - Details: Affected Software: My Calendar WordPress Plugin. Fixed in Version: 1.7.2. Issue Type: SQL Injection. Original Code: Found Here. Details: This week's bug was a subtle mistake in the usage of an escaping routine. It seems the developer understood the dangers of SQL injection and therefore used an escaping routine to sanitize user controlled input before using that input to build a SQL statement. Unfortunately, the developer overlooked a crucial characteristic and used the wrong escaping routine. Looking at the vulnerable line, we see the following: [sourcecode lang="PHP"] $sql = "SELECT * FROM " . WP_CALENDAR_CATEGORIES_TABLE . " WHERE category_id=" . mysql_escape_string($_GET['category_id']); [/sourcecode] As you can clearly see, the developer chose to utilize the mysql_escape_string() function to escape $_GET['category_id'] before using category_id to build a SQL statement. Looking at</description><link>http://www.secuobs.com/revue/news/321780.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/321780.shtml</guid></item>
<item><title>Spot the Vuln – Grammys - Cross Site Scripting</title><description>Secuobs.com : 2011-08-02 20:44:17 - AppSec Street Fighter - SANS Institute - Details: Affected Software: Corpse C&amp;C. Fixed in Version: -. Issue Type: XSS. Original Code: Found Here. Details: Fairly straightforward XSS bug here. This week's bug can be found in the index.php file for the Corpse C&amp;C. Specifically, the index file located at Corpse/info/socks/index.php. Buried deep within the print statement starting on line 30 are two unsanitized, unescaped variables: $states and $countrys. Both $states and $countrys are taken directly from $_POST parameters and assigned to PHP variables. Those PHP variables are then used to build HTML markup. Buried within a large print statement, a little difficult to spot, but this bug is classic XSS. [sourcecode lang="PHP" highlight="6,7,37"] &lt;?php include_once('geoipcity.inc'); include_once('mysqllog.php'); $countrys =</description><link>http://www.secuobs.com/revue/news/320633.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/320633.shtml</guid></item>
<item><title>Spot the Vuln - Floods</title><description>Secuobs.com : 2011-08-02 20:44:17 - AppSec Street Fighter - SANS Institute - "The moment we begin to fear the opinions of others and hesitate to tell the truth that is in us, and from motives of policy are silent when we should speak, the divine floods of light and life no longer flow into our souls." - Elizabeth Cady Stanton. Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications. [sourcecode language="php"] &lt;?php $use_mysql = 1; if ($use_mysql == 1) require_once('mysqllog.php');</description><link>http://www.secuobs.com/revue/news/320632.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/320632.shtml</guid></item>
<item><title>Spot the Vuln - Floods - SQL Injection</title><description>Secuobs.com : 2011-08-02 20:44:17 - AppSec Street Fighter - SANS Institute - Details: Affected Software: Corpse C&amp;C. Fixed in Version: -. Issue Type: SQL Injection. Original Code: Found Here. Details: This week's bug is in Corpse C&amp;C. SpotTheVuln reader Christina hits it right on the head: line 32 contains a ridiculous amount of SQL injection. Most of the parameters passed to the INSERT statement result in SQL injection. $id, $info, and $user are all set directly from $_GET or $_POST and are used in the SQL statement without any sanitization. Despite its name, $real_ip is also completely attacker controlled and can be used for SQL injection. getenv('HTTP_X_FORWARDED_FOR') doesn't sanitize the user controlled value in any way. For some reason, many developers assume the X-Forwarded-For header will only specify an IP address or domain name. X-Forwarded-For can contain any characters, including angle brackets,</description><link>http://www.secuobs.com/revue/news/320631.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/320631.shtml</guid></item>
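<![CDATA[
The X-Forwarded-For point above, as an added example (not code from the Corpse C&C or from the SANS post): the header is client-supplied text, so it is parsed and validated before it is used, and only the entry written by a proxy we control is believed. The example assumes exactly one trusted reverse proxy in front of the application that appends the address it saw to the end of the header; the sample header values are constructed for the demo.

```python
# Added example (not code from the Corpse C&C or the SANS post): treating
# X-Forwarded-For as untrusted input. Assumes exactly one reverse proxy that
# we control sits in front of the app and appends the address it saw to the
# END of the header; everything to the left of that was sent by the client.
import ipaddress

# Constructed sample header values, as the app would see them via the proxy.
SAMPLES = {
    "clean":      "203.0.113.7",
    "chained":    "198.51.100.9, 203.0.113.7",
    "sqli":       "' OR 1=1 -- , 203.0.113.7",
    "html":       "<script>alert(1)</script>, 203.0.113.7",
    "spoof_only": "' OR 1=1 --",
    "v6":         "2001:db8::1",
}


def naive_real_ip(xff):
    """What getenv('HTTP_X_FORWARDED_FOR') gives you when you trust it:
    the raw header, whatever the client put in it."""
    return xff


def client_ip(xff, trusted_hops=1):
    """Return the client's address as a validated string, or None.

    Only the right-most ``trusted_hops`` entries were written by proxies we
    control, so the client address is the entry ``trusted_hops`` from the end.
    Parsing it with ipaddress rejects anything that is not an address (SQL
    fragments, HTML, hostnames) instead of carrying it into a query or a log.
    """
    parts = [p.strip() for p in xff.split(",")]
    if len(parts) < trusted_hops:
        return None
    try:
        return str(ipaddress.ip_address(parts[-trusted_hops]))
    except ValueError:
        return None


def compare_all(samples=SAMPLES):
    """Side by side: the naive value versus the validated one."""
    return {name: (naive_real_ip(v), client_ip(v)) for name, v in samples.items()}


if __name__ == "__main__":
    for name, (raw, checked) in compare_all().items():
        print(f"{name:11} raw={raw!r:45} validated={checked!r}")
```

Two caveats: if no proxy of ours sits in front of the application, the header is ignored entirely and REMOTE_ADDR is used; and the validated value is still bound as a parameter when it reaches SQL, because "it parsed as an IP" is a validation step, not an escaping step.
]]>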
<item><title>Spot the Vuln - Boundaries</title><description>Secuobs.com : 2011-08-02 20:44:17 - AppSec Street Fighter - SANS Institute - "I like pushing boundaries." - Lady Gaga. Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications. [sourcecode language="php"] [snip] &lt;?php // We do some checking to see what we're doing if (isset($_POST['mode']) &amp;&amp; $_POST['mode'] == 'add') { // Proceed with the save $sql = "INSERT INTO " . WP_CALENDAR_CATEGORIES_TABLE .</description><link>http://www.secuobs.com/revue/news/320630.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/320630.shtml</guid></item>
<item><title>Bypassing ValidateRequest in ASP.NET</title><description>Secuobs.com : 2011-07-22 20:36:15 - AppSec Street Fighter - SANS Institute - In this post, I am going to explain another technique that can be used to bypass the ValidateRequest filter in an HTML element context. This technique uses a different character encoding to bypass the blacklist checks that are done. To recap, ValidateRequest returns false when the following conditions are met: [sourcecode language="php"] &lt;a-z - A &lt; character followed by an alpha character [/sourcecode] [sourcecode language="php"] &lt;!, &lt;/, &lt;? [/sourcecode] [sourcecode language="php"] &amp;# [/sourcecode] As you can see, the main goal is to trigger an error when the less than (&lt;) character is passed followed by a specific set of characters. Since it blocks the start character for an HTML element, it makes it difficult to just add new elements to the page. So how do we get around this? Using Unicode-wide characters, we can pass in a character that looks like the &lt; character, but</description><link>http://www.secuobs.com/revue/news/318799.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/318799.shtml</guid></item>
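<![CDATA[
The "canonicalize, then validate" rule from the C14N post and the Unicode-wide bypass of a blacklist described in the ValidateRequest post are the same lesson seen from two sides. As an added example that is not code from either post or from ASP.NET: the blacklist below imitates only the shape of the ValidateRequest check (a '<' followed by a letter), the traversal check is a typical file-name blacklist, and the inputs are constructed for the demo. Whatever downstream step maps a full-width character onto its ASCII look-alike in the real bypass, NFKC normalization plays that role here.

```python
# Added example, not code from either SANS post or from ASP.NET. It shows
# "canonicalize, then validate" on the two encodings the posts mention:
# percent-encoding in a file name and Unicode-wide characters in a form
# field. The blacklists imitate the shape of the checks described; inputs
# are constructed for the demo.
import posixpath
import unicodedata
from urllib.parse import unquote


def canonicalize(value, max_rounds=3):
    """Percent-decode until the value stops changing (bounded, so a value
    that keeps changing is rejected rather than looped on), then fold
    compatibility characters such as full-width forms to their ASCII
    equivalents with NFKC: U+FF1C FULLWIDTH LESS-THAN SIGN becomes '<'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    else:
        raise ValueError("value still changing after %d decode rounds" % max_rounds)
    return unicodedata.normalize("NFKC", value)


def looks_like_tag_start(s):
    """Blacklist in the style of ValidateRequest: '<' followed by a letter."""
    return any(s[i] == "<" and s[i + 1].isalpha() for i in range(len(s) - 1))


def looks_like_traversal(name):
    """Blacklist for a file-name parameter: any '..' or path separator."""
    return ".." in name or "/" in name or "\\" in name


def validate_raw(s, check):
    """The mistake: run the check on the value as received."""
    return check(s)


def validate_canonical(s, check):
    """The rule: decode first, then run the same check on the canonical form."""
    return check(canonicalize(s))


def resolve_upload(base, name):
    """Positive check after canonicalization: the resolved path must stay
    under base. Returns the path, or None if it escapes."""
    full = posixpath.normpath(posixpath.join(base, canonicalize(name)))
    if full.startswith(base.rstrip("/") + "/"):
        return full
    return None


if __name__ == "__main__":
    wide = "\uff1cscript\uff1ealert(1)\uff1c/script\uff1e"   # full-width < and >
    enc = "%252e%252e%252fetc%252fpasswd"                      # double-encoded ../
    print("wide, raw check    :", validate_raw(wide, looks_like_tag_start))
    print("wide, canonical    :", validate_canonical(wide, looks_like_tag_start))
    print("encoded, raw check :", validate_raw(enc, looks_like_traversal))
    print("encoded, canonical :", validate_canonical(enc, looks_like_traversal))
    print("resolved path      :", resolve_upload("/srv/uploads", enc))
```

The decode loop is bounded on purpose: an attacker can nest percent-encoding as deep as they like, and "decode until stable" without a cap is a denial-of-service handle. Rejecting a value that is still changing after a few rounds is the safe default; legitimate input never needs more than one.
]]>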
<item><title>Spot the Vuln - Grammys</title><description>Secuobs.com : 2011-07-18 08:41:12 - AppSec Street Fighter - SANS Institute - "The last thing I want is to walk into my house after a long day and see all the Grammys and awards. It would make me feel weird." - Alicia Keys. Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications. [sourcecode language="php"] &lt;?php include_once('geoipcity.inc'); include_once('mysqllog.php'); $countrys = $_POST['countrys']; $states = $_POST['states']; if ($countrys</description><link>http://www.secuobs.com/revue/news/317509.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/317509.shtml</guid></item>
<item><title>Spot the Vuln – Writing - Fake XSS and XSRF</title><description>Secuobs.com : 2011-07-15 08:33:29 - AppSec Street Fighter - SANS Institute - Details: Affected Software: EOF-0x01. Fixed in Version: -. Issue Type: XSS and XSRF. Original Code: Found Here. Details: This week, we had a couple of bugs here affecting EOF-0x01 Command and Control. A red herring is the use of echo $_POST['pw'] to build HTML markup. Upon first glance, this seems like a straightforward XSS bug. This issue is mitigated by the fact that $_POST['pw'] is only displayed if it is equal to $botpw, whose default value happens to be 'bla'. So unless the botmaster has an XSS payload for their password, this one is going to be really difficult to exploit. The other interesting part is the if statements that look at $_POST['action']. If the user has provided the correct $_POST['pw'] and also provides a $_POST['action'] of 2 or 3, DeleteCommandsFromQueue() and EditCommandForBot() will be executed respectively.</description><link>http://www.secuobs.com/revue/news/317148.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/317148.shtml</guid></item>
<item><title>ASP.Net 4: Change the Default Encoder</title><description>Secuobs.com : 2011-07-12 21:25:02 - AppSec Street Fighter - SANS Institute - In ASP.Net 4.0, Microsoft added the ability to override the default encoder. This is specifically focused on the HtmlEncode, HtmlAttributeEncode, and UrlEncode functionality. These functions are used, in the eyes of security, to help mitigate cross-site scripting (XSS). The problem with the built-in .Net routines is that they are built on a black-list methodology, rather than a white-list methodology. The built-in routines use a very small list of characters that get encoded. For example, the .Net version of HtmlEncode encodes the following characters: &lt;, &gt;, &amp;. The Microsoft Web Protection Library (previously known as the Anti-XSS Library) instead determines all characters that don't need encoding, a-z0-9 for example, and then encodes all the rest. This is a much safer approach to encoding. In this post, I will show you how to use the Web Protection Library as the default encoder for an ASP.Net 4.0 application. The first step is to download</description><link>http://www.secuobs.com/revue/news/316578.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/316578.shtml</guid></item>
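<![CDATA[
The black-list versus white-list distinction above, and the Corpse C&C print statement in the Grammys solution that builds markup straight from $_POST, can be shown in a few lines. This is an added example, not code from the Web Protection Library, from .NET or from the SANS posts: blacklist_encode imitates the approach the post criticizes (a short fixed list of characters, everything else passes through), whitelist_encode does what the post describes for the Web Protection Library (keep only [A-Za-z0-9], numerically encode the rest). The page template, the payload and the exact blacklisted character set are constructed assumptions for the demo.

```python
# Added example (not code from the Web Protection Library, .NET or the SANS
# posts). blacklist_encode imitates the approach the post criticizes;
# whitelist_encode does what the post describes for the Web Protection
# Library. Template, payload and the blacklist's character set are assumed
# for the demo.
import re

# Assumed short list in the style of a blacklist encoder.
BLACKLIST = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;"}


def blacklist_encode(s):
    """Replace the listed characters; let every other character through."""
    return "".join(BLACKLIST.get(ch, ch) for ch in s)


SAFE_CHAR = re.compile(r"[A-Za-z0-9]")


def whitelist_encode(s):
    """Everything outside the safe set becomes a numeric character reference,
    including space, quotes, '=' and '(' that the blacklist lets through."""
    return "".join(ch if SAFE_CHAR.fullmatch(ch) else "&#x%x;" % ord(ch) for ch in s)


# A template that forgets to quote the attribute value, a common mistake and
# the context where a blacklist fails: no '<', '>', '&' or '"' is needed.
TEMPLATE = "<input type=text name=q value=%s>"


def render(encoder, user_value):
    return TEMPLATE % encoder(user_value)


def injected_handler(html):
    """True if the user value ended up as a new attribute (an event handler)
    on the tag, i.e. it broke out of the value it was supposed to stay in."""
    return re.search(r"\son[a-z]+\s*=", html) is not None


# A space ends the unquoted value; everything after it becomes a new attribute.
PAYLOAD = "x onmouseover=alert(1)"


if __name__ == "__main__":
    for enc in (blacklist_encode, whitelist_encode):
        out = render(enc, PAYLOAD)
        print(enc.__name__, "->", out, "| handler injected:", injected_handler(out))
```

The whitelist version survives the unquoted-attribute context because a browser's tokenizer splits attributes on literal whitespace before it decodes character references, so an encoded space stays inside the value. That is a property of the encoder, not a licence to leave attributes unquoted: quote them as well, and pick the encoder for the context (HtmlAttributeEncode for attributes, UrlEncode for URL parts) exactly as the post lists them.
]]>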
<item><title>Spot the Vuln - Writing</title><description>Secuobs.com : 2011-07-12 17:05:16 - AppSec Street Fighter - SANS Institute - "Writing is a struggle against silence." - Carlos Fuentes. Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications. [sourcecode language="php"] &lt;?php</description><link>http://www.secuobs.com/revue/news/316494.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/316494.shtml</guid></item>
<item><title>Spot the Vuln - Imagination - XSS and XSRF</title><description>Secuobs.com : 2011-07-08 16:14:33 - AppSec Street Fighter - SANS Institute - Details: Affected Software: Zeus C&amp;C. Fixed in Version: -. Issue Type: XSS and XSRF. Original Code: Found Here. Details: This week's bugs affected Zeus C&amp;C 1.1.0.0. The file we're looking at is modbcmds.php. The first thing that popped out at me was the named constant QUERY_STRING that's being used in various places in code. Although we don't get to see exactly where QUERY_STRING is being defined in the code snippet, as a general rule of thumb, values from the query string cannot be trusted. In this case, QUERY_STRING is defined in a different file (in.php) in the following line: [sourcecode lang="PHP"] define('QUERY_STRING', QUERY_STRING_BLANK . $module); [/sourcecode] QUERY_STRING_BLANK is defined in the following way (also in in.php): [sourcecode lang="PHP"] define('QUERY_STRING_BLANK',</description><link>http://www.secuobs.com/revue/news/315856.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/315856.shtml</guid></item>
<item><title>Spot the Vuln - Imagination</title><description>Secuobs.com : 2011-07-04 22:03:07 - AppSec Street Fighter - SANS Institute - "I am enough of an artist to draw freely upon my imagination. Imagination is more important than knowledge. Knowledge is limited. Imagination encircles the world." - Albert Einstein. Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications. [sourcecode language="php"] &lt;?php if (!defined('__INDEX__')) die(); pedt(PRIV</description><link>http://www.secuobs.com/revue/news/315104.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/315104.shtml</guid></item>
<item><title>Spot the Vuln - Shape - SQL Injection</title><description>Secuobs.com : 2011-07-01 23:37:01 - AppSec Street Fighter - SANS Institute - Details: Affected Software: Zunkerbot C&amp;C. Fixed in Version: Not Patched. Issue Type: SQL Injection. Original Code: Found Here. Details: This week's bug affects the task.php for the Zunkerbot C&amp;C. Looking at line 5, we see that magic quotes is set: set_magic_quotes_runtime(1). Obviously, this was done by the malware author to prevent SQL injection attacks. Assuming everything is working correctly, a rival malware author should be able to inject any quotes to break out of existing SQL statements. Unfortunately for the Zunkerbot author, magic quotes doesn't cover all cases. Take for example lines 59 and 70. Here we see $s_id and $s_ip are enclosed in quotes. These values should be protected against SQL injection. $s_id and $s_ip aren't the only variables being used in this SQL statement however. At the end of the two SQL</description><link>http://www.secuobs.com/revue/news/314839.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/314839.shtml</guid></item>
<item><title>Spot the Vuln - Shape</title><description>Secuobs.com : 2011-06-27 14:37:25 - AppSec Street Fighter - SANS Institute - "I was scared I was going to have some weird shape to my head and I was pleased that I didn't." - Edward Furlong. Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications. [sourcecode language="php"] &lt;?php include_once('auth.php'); set_magic_quotes_runtime(1); if (is_readable('html.php')) include_once('html.php'); else die('Could not find HTML library');</description><link>http://www.secuobs.com/revue/news/313761.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/313761.shtml</guid></item>
<item><title>Spot the Vuln - State - Defense in Depth</title><description>Secuobs.com : 2011-06-25 10:02:13 - AppSec Street Fighter - SANS Institute - Details: Affected Software: Adrenalin C&amp;C. Fixed in Version: Not Patched. Issue Type: Defense in Depth. Original Code: Found Here. Details: First, I'll talk about a couple of interesting things about this bug that cannot be seen from just the code sample. When I received this sample, it was encoded with Zend Guard. While the Zend Guard encoding was easily defeated, it is interesting to see that these malware authors are interested in protecting their intellectual property. Once again, the malware industry doesn't get a magical free pass on all the things traditional development shops face. Monetizing, feature requests, protecting IP, and even security problems are issues all dev shops face. After the code was decoded, it was quickly apparent that this file contained several routines for dealing with uploading files to the web C&amp;C. I pulled out a routine that I</description><link>http://www.secuobs.com/revue/news/313554.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/313554.shtml</guid></item>
<item><title>Spot the Vuln - State</title><description>Secuobs.com : 2011-06-20 09:54:25 - AppSec Street Fighter - SANS Institute - "State Legislators are merely politicians whose darkest secret prevents them from running for a higher office." - Dennis Miller. Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications. [sourcecode language="php"] &lt;?php [snip] function srch() { set_time_limit(0); $word = $_REQUEST['word']; $word2 = $word; $logfolder = $_REQUEST['infile']; $arch = $_REQUEST['xxx']; if (</description><link>http://www.secuobs.com/revue/news/312268.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/312268.shtml</guid></item>
<item><title>Spot the Vuln - Feathers - SQLi</title><description>Secuobs.com : 2011-06-17 23:55:13 - AppSec Street Fighter - SANS Institute - Details: Affected Software: Corpse C&amp;C. Fixed in Version: Not Patched. Issue Type: SQL Injection. Original Code: Found Here. Details: This week's bugs are in the CORPSE C&amp;C (in the bsrv.php file). There are a couple of bugs here; most of them are very straightforward. Funny stuff first: if $ver is blank, we will fail the "security check". So, in order to reach any of these vulns, we have to provide an arbitrary value for $ver. $ver is set from $_GET['ver'], so we have to provide a bsrv.php?ver=pwnd for each request in order to reach the vulnerable code. It's rigorous security checks like this that make exploitation difficult. $id and $param are validated through a manual process (code on lines 27 - 36). I don't know why the developer didn't take advantage of built-in escaping routines but the validation provided here</description><link>http://www.secuobs.com/revue/news/312068.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/312068.shtml</guid></item>
<item><title>Spot the Vuln - Feathers</title><description>Secuobs.com : 2011-06-13 06:16:09 - AppSec Street Fighter - SANS Institute - "It is not only fine feathers that make fine birds." - Aesop. Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications. [sourcecode language="php"] &lt;?php // Gettin all information $id = $_GET['id']; $httpport = $_GET['httpport']; $socksport = $_GET['socksport']; $uptimem = $_GET['uptimem']; $uptimeh = $_GET['uptimeh']; $param = $_GET['param']; $ver =</description><link>http://www.secuobs.com/revue/news/310742.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/310742.shtml</guid></item>
<item><title>Spot the Vuln - Rabbit - AuthBypass and SQLi</title><description>Secuobs.com : 2011-06-11 02:00:00 - AppSec Street Fighter - SANS Institute - Details: Affected Software: BlackEnergy C&amp;C. Fixed in Version: Not Patched. Issue Type: Authentication Bypass and SQL Injection. Original Code: Found Here. Details: A couple of interesting bugs here. As Abe astutely pointed out, pretty much all of the PHP at the end of the code sample is vulnerable to SQL injection. Veteran Spot the Vuln readers can easily spot the tainted $_POST and $_GET parameters being passed directly into dynamically built SQL statements. This obviously results in compromise of the backend database and the application. I've highlighted the SQL injection points in the code sample below. The injection points are fairly obvious. Now, onto the more interesting bug. In order to reach the code paths that are vulnerable to SQL injection, we must first "login" to the application. The "login" routine is contained in lines</description><link>http://www.secuobs.com/revue/news/310566.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/310566.shtml</guid></item>
<item><title>Spot the Vuln - Rabbit</title><description>Secuobs.com : 2011-06-07 08:55:58 - AppSec Street Fighter - SANS Institute - "Silly rabbit, why you sweatin' me?" - Tupac Shakur. Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications. [sourcecode language="php"] include("common.php"); $luser = $_POST['user']; $lpass = $_POST['pass']; $login = $_POST['login']; $logined = false; if ($login) { Sleep(1); if ($luser == $user &amp;&amp; $lpass == $pass) { setcookie("logined", $pass); header("location: index.php");</description><link>http://www.secuobs.com/revue/news/309558.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309558.shtml</guid></item>
<item><title>Safer Software through Secure Frameworks</title><description>Secuobs.com : 2011-06-06 20:02:43 - AppSec Street Fighter - SANS Institute - We have to make it easier for developers to build secure apps, especially Web apps. We can't keep forcing everybody who builds an application to understand and plug all of the stupid holes in how the Web works on their own, and to do this perfectly right every time. It's not just wasteful: it's not possible. What we need is implementation-level security issues taken care of at the language and framework level, so that developers can focus on their real jobs: solving design problems and writing code that works. Security Frameworks and Libraries: One option is to get developers to use secure libraries that take care of application security functions like authentication, authorization, data validation and encryption. There are some good, and free, tools out there to help you. If you're a Microsoft .NET developer, there's Microsoft's Web Protection Library which provides functions and a runtime engine</description><link>http://www.secuobs.com/revue/news/309427.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309427.shtml</guid></item>
<item><title>Spot the Vuln – Third - SQL Injection</title><description>Secuobs.com : 2011-06-04 12:09:06 - AppSec Street Fighter - SANS Institute - Details: Affected Software: Ninja Announcements. Fixed in Version: 1.3. Issue Type: SQL Injection. Original Code: Found Here. Details: Lots of potential issues here, but we'll focus on what was patched. Here we have a basic SQL injection vulnerability. The bug is the most simple example of tracing a variable from assignment to usage. On line 54, $ninja_annc_id is assigned a value directly from the user/attacker controlled $_REQUEST['ninja_annc_id']. The very next line, the developer uses the tainted $ninja_annc_id to string-build a SQL statement. The developers addressed this issue by moving the dynamic SQL statement to a prepared SQL statement. Prepared statements are the preferred method for dealing with SQL requests that could potentially contain tainted values. Developer's Solution: [sourcecode language="php"]</description><link>http://www.secuobs.com/revue/news/309145.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/309145.shtml</guid></item>
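<![CDATA[
Three of the solutions above make one point from different angles: the Boundaries post (an escaped value dropped into an unquoted numeric slot), the Shape post (magic quotes covering only values that sit inside quotes) and the Third post (the prepared-statement fix). As an added example that is not the My Calendar, Zunkerbot or Ninja Announcements code: sqlite3 stands in for MySQL, escape_quotes() stands in for mysql_escape_string / magic quotes (it touches quote characters and nothing else; SQLite doubles them where MySQL backslashes them, which changes nothing about the attack), and the table and rows are constructed for the demo.

```python
# Added example, not the My Calendar, Zunkerbot or Ninja Announcements code.
# sqlite3 stands in for MySQL; escape_quotes() stands in for
# mysql_escape_string / magic quotes and only neutralises quote characters.
# Table and rows are constructed for the demo.
import sqlite3


def make_db():
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE categories (category_id INTEGER, name TEXT)")
    con.executemany("INSERT INTO categories VALUES (?, ?)",
                    [(1, "work"), (2, "home"), (3, "private")])
    return con


def escape_quotes(value):
    """What quote-escaping does, and nothing more."""
    return value.replace("'", "''")


def lookup_unquoted(con, category_id):
    # The Boundaries pattern: escaped value dropped into an UNQUOTED numeric
    # slot. "1 OR 1=1" contains no quote, so escaping changes nothing.
    sql = "SELECT name FROM categories WHERE category_id=" + escape_quotes(category_id)
    return [row[0] for row in con.execute(sql)]


def lookup_quoted(con, name):
    # The case magic quotes does cover: the value sits inside quotes, the
    # attacker has to close them, and the escape stops that.
    sql = "SELECT name FROM categories WHERE name='" + escape_quotes(name) + "'"
    return [row[0] for row in con.execute(sql)]


def lookup_prepared(con, category_id):
    # The Ninja Announcements fix: a prepared statement. The value is bound
    # as data and never parsed as SQL, whatever characters it contains.
    sql = "SELECT name FROM categories WHERE category_id=?"
    return [row[0] for row in con.execute(sql, (category_id,))]


if __name__ == "__main__":
    db = make_db()
    print("unquoted, honest  :", lookup_unquoted(db, "2"))
    print("unquoted, attack  :", lookup_unquoted(db, "1 OR 1=1"))
    print("quoted, attack    :", lookup_quoted(db, "home' OR '1'='1"))
    print("prepared, attack  :", lookup_prepared(db, "1 OR 1=1"))
```

The check to carry away from the Boundaries line is the one the escaping routine cannot do for you: look at the characters around the interpolation point. If there are no quotes there, no quote-escaping function and no magic_quotes setting is relevant, and the only two defences are a type cast that matches the slot (intval) or, better, binding the value as a parameter.
]]>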
<item><title>Spot the Vuln - Third</title><description>Secuobs.com : 2011-05-31 04:37:06 - AppSec Street Fighter - SANS Institute - Sullivan's Law: When given the choice between two alternatives, always pick the third. (Patrick H. Sullivan) Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications. ... $wpdb->insert($ninja_annc_table_name, array('begindate' => $ninja_annc_begindate, 'enddate' => $ninja_annc_enddate, 'message' => $ninja_annc_message, 'active' => '0', 'location' => $ninja_annc_location)); } else { $wpdb->update($ninja_annc_table_name, array('begindate' ...</description><link>http://www.secuobs.com/revue/news/308053.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/308053.shtml</guid></item>
<item><title>Spot the Vuln - Action - Defense in Depth</title><description>Secuobs.com : 2011-05-27 12:43:05 - AppSec Street Fighter - SANS Institute - Details. Affected Software: PixelPost. Fixed in Version: (blank in the original). Issue Type: Insecure password reset functionality. Original Code: Found Here. Details: This week's bug is more of a design issue as opposed to an implementation issue. I actually first heard about this code from SkullSecurity's excellent articles on Hacking Crappy Password Resets, published in late March. SkullSecurity does an excellent job of explaining that line 31 (the line that does the actual password generation) is full of bad security design. First, the password reset code is using the md5() function in PHP. md5() takes a string and returns an MD5 hash of that string. In this password reset code, we see that we are hashing the value of time() combined with rand(1, 16000). SkullSecurity ...</description><link>http://www.secuobs.com/revue/news/307541.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/307541.shtml</guid></item>
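<![CDATA[
The reset-token weakness described in the PixelPost item above, as an added example that is not PixelPost's code or the original post's. It models the generator as md5() over time() plus a rand(1, 16000) draw (the exact combining expression is an assumption), shows the search an attacker actually has to do, and gives the replacement a practitioner would use. The timestamp, the rand() draw and the function names are constructed for the demo.

```php
<?php
// Added example; not PixelPost's code. Models the reset-token construction the
// write-up describes, an MD5 over the current time and a rand(1, 16000) value
// (the exact expression, time() + rand(), is an assumption here), shows how an
// attacker recovers it, and gives the replacement. Run: php reset_token.php
declare(strict_types=1);

const RAND_UPPER = 16000;   // upper bound of rand(1, 16000) quoted in the write-up

// Weak generator. MD5 is not the problem; the input is. Its entropy is bounded
// by rand()'s range plus the attacker's uncertainty about the clock, and since
// the two are added, many (time, rand) pairs collapse to the same integer.
function weakToken(int $now, int $r): string
{
    return md5((string) ($now + $r));
}

// Attacker side: given a token and a guess at when the reset was requested
// (the Date header of the response, or the mail timestamp), every candidate
// preimage lies in one short integer interval. Returns the preimage or null.
function recoverPreimage(string $token, int $approxTime, int $window): ?int
{
    $lo = $approxTime - $window + 1;
    $hi = $approxTime + $window + RAND_UPPER;
    for ($v = $lo; $v <= $hi; $v++) {
        if (hash_equals($token, md5((string) $v))) {
            return $v;
        }
    }
    return null;
}

// Size of the space the attacker has to search: linear in the clock window.
function candidateCount(int $window): int
{
    return 2 * $window + RAND_UPPER;
}

// Fix: take the token from the CSPRNG. 256 bits is outside any enumeration
// budget; store only a hash of it server side and expire it after one use.
function strongToken(): string
{
    return bin2hex(random_bytes(32));
}

$requestTime = 1306400000;                 // constructed timestamp, not a real reset
$token = weakToken($requestTime, 4242);    // 4242 stands in for one rand(1, 16000) draw
$window = 30;                              // attacker is within 30 s of the real time
$found = recoverPreimage($token, $requestTime + 7, $window);

printf("weak token   %s\n", $token);
printf("recovered    %s after at most %d MD5 calls\n", var_export($found, true), candidateCount($window));
printf("strong token %s (%d random bits)\n", strongToken(), 32 * 8);
```

With a 30-second clock window the attacker tries at most 16060 MD5 calls, a fraction of a second of work; swapping MD5 for SHA-256 would change nothing, because the input space, not the hash, is what is small.
]]>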
<item><title>Spot the Vuln - Action</title><description>Secuobs.com : 2011-05-23 19:52:31 - AppSec Street Fighter - SANS Institute - Take time to deliberate, but when the time for action arrives, stop thinking and go in. (Napoleon Bonaparte) Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications. // forgot password if (isset($_GET['x']) &amp;&amp; $_GET['x'] == 'passreminder') { echo ' ... $admin_lang_pw_title ...</description><link>http://www.secuobs.com/revue/news/306616.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/306616.shtml</guid></item>
<item><title>Spot the Vuln - Expands - Cross Site Scripting</title><description>Secuobs.com : 2011-05-20 19:01:19 - AppSec Street Fighter - SANS Institute - Details. Affected Software: WordPress Core. Fixed in Version: 28. Issue Type: Cross Site Scripting. Original Code: Found Here. Details: This week's bug was subtle. The patch submitted by the developer addresses an XSS bug. Looking at the diff, we see that $title and $selection come from the query string. These values are fixed up before being assigned to a variable. The developers changed the way $title is assigned in the diff. It's difficult to see why $title needs to be changed, so we'll ignore that change for now. $selection gives some hints towards XSS: $selection is assigned from the query string value $_GET['s'], which is sent through the trim() and aposfix() functions. Immediately following the $selection variable assignment we see $selection being manipulated with some HTML tags. This is a good indication that $selection will eventually be used to build ...</description><link>http://www.secuobs.com/revue/news/306183.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/306183.shtml</guid></item>
<item><title>Spot the Vuln - Expands</title><description>Secuobs.com : 2011-05-16 20:43:37 - AppSec Street Fighter - SANS Institute - Life shrinks or expands in proportion to one's courage. (Anais Nin) Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications. ... $image) { // see if files exist in content - we don't want to upload non-used selected files if (strpos($_REQUEST['content'], $image) !== false) { $desc = isset($_REQUEST['photo_description'][$key]) ? $_REQUEST['photo_description'][$key] : ''; $upload = media_sideload_image($image, $post_ID, $desc); // Replace ...</description><link>http://www.secuobs.com/revue/news/305143.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/305143.shtml</guid></item>
<item><title>Spot The Vuln - Notes - SQL Injection</title><description>Secuobs.com : 2011-05-13 23:50:58 - AppSec Street Fighter - SANS Institute - Details. Affected Software: Sermon Browser WordPress Plugin. Fixed in Version: 44. Issue Type: SQL Injection. Original Code: Found Here. Details: There are a couple of different issues here, but let's focus on what the developers patched. On line 27, the developer uses the $_GET['getid3'] value to build a dynamic SQL statement. This is classic SQL injection. The patch seems straightforward: escape the $_GET['getid3'] value before using it in the SQL statement. Normally, SQL injection involves breaking out of a predefined SQL statement by closing off a quoted string and injecting your own SQL. Most escaping functions escape quotes and other special characters so that an attacker cannot escape out of a quoted string. There is a problem in this patch though: the tainted value is NOT enclosed within quotes, so the attacker does not need to escape out of a ...</description><link>http://www.secuobs.com/revue/news/304753.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/304753.shtml</guid></item>
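<![CDATA[
The two SQL injection patterns from the Spot the Vuln items above (the string-built query from $_REQUEST['ninja_annc_id'] in the Ninja Announcements item, and the escaped-but-unquoted $_GET['getid3'] in this Sermon Browser item), as an added example that is not code from either plugin or from the original posts. It runs against an in-memory SQLite database through PDO, so the table, rows and attacker value are all constructed here; the function and table names are assumptions, and the fix shown is the prepared statement the Ninja Announcements developers moved to.

```php
<?php
// Added example; not the Ninja Announcements or Sermon Browser plugin code.
// Reproduces both injection patterns from the write-ups against an in-memory
// SQLite database via PDO (assumes the pdo_sqlite extension). Run: php sqli.php
declare(strict_types=1);

// Constructed table standing in for a plugin's announcements table.
function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE announcements (id INTEGER PRIMARY KEY, message TEXT, active INTEGER)');
    $db->exec("INSERT INTO announcements VALUES (1, 'public notice', 1), (2, 'draft, not public', 0)");
    return $db;
}

// Pattern 1 (Ninja Announcements): the tainted value is concatenated straight
// into the SQL text. $id stands in for $_REQUEST['ninja_annc_id'].
function vulnerableLookup(PDO $db, string $id): array
{
    $sql = 'SELECT id, message FROM announcements WHERE id = ' . $id . ' AND active = 1';
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Pattern 2 (Sermon Browser patch): the value is escaped first, but it is still
// placed in the SQL unquoted. Escaping only neutralises quote characters; an
// attacker in a numeric context never needs one, so the payload passes intact.
function escapedButUnquotedLookup(PDO $db, string $id): array
{
    // PDO::quote() wraps the value in quotes and escapes embedded ones; taking
    // the quotes back off mimics mysql_real_escape_string() applied to a value
    // that is then used unquoted. A payload without quotes is left unchanged.
    $escaped = substr($db->quote($id), 1, -1);
    $sql = 'SELECT id, message FROM announcements WHERE id = ' . $escaped . ' AND active = 1';
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fix (what the Ninja Announcements developers did): a prepared statement with
// a bound, typed parameter. The value is never part of the SQL text, so the
// quoted-versus-unquoted question disappears.
function safeLookup(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT id, message FROM announcements WHERE id = :id AND active = 1');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed attacker value: no quotes at all, and "--" comments out the
// active = 1 restriction so the unpublished row comes back too.
$payload = '1 OR 1=1 --';
$db = makeDb();
foreach (['vulnerableLookup', 'escapedButUnquotedLookup', 'safeLookup'] as $fn) {
    $rows = $fn($db, $payload);
    printf("%-24s -> %d row(s): %s\n", $fn, count($rows), implode(' | ', array_column($rows, 'message')));
}
```

The first two functions return both rows, draft included; only safeLookup() returns the single public row, because (int) '1 OR 1=1 --' is 1 and the bound parameter never touches the SQL text. The lesson from the Sermon Browser patch is that escaping is context-dependent: it protects a quoted string literal and nothing else, whereas a prepared statement protects every context.
]]>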
<item><title>Spot the Vuln - Notes</title><description>Secuobs.com : 2011-05-09 15:46:18 - AppSec Street Fighter - SANS Institute - The best way to waste your life is by taking notes. The easiest way to avoid living is to just watch. Look for the details. Report. Don't participate. (Chuck Palahniuk) Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications. ...</description><link>http://www.secuobs.com/revue/news/303506.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/303506.shtml</guid></item>
<item><title>Agile Security for Product Owners - Requirements</title><description>Secuobs.com : 2011-05-07 14:51:26 - AppSec Street Fighter - SANS Institute - Much of our cumulative application security knowledge and tooling is aimed at detection, rather than prevention, of vulnerabilities. This is a natural consequence of the fact that the primary job of many information security analysts is to look for security vulnerabilities and provide high-level remediation suggestions, rather than be involved in detailed remediation efforts. Another reason is that most organizations want to get a grip on what security exposures they currently have before focusing their efforts on preventing future exposures. The consequence for application owners is that many of the tools that we have at our disposal are focused on vulnerability detection: static analysis tools, runtime vulnerability scanning tools, and verification standards such as the ASVS. Luckily, application security experts have long ...</description><link>http://www.secuobs.com/revue/news/303248.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/303248.shtml</guid></item>
<item><title>Spot the Vuln - Bases - Cross Site Scripting</title><description>Secuobs.com : 2011-05-07 14:51:26 - AppSec Street Fighter - SANS Institute - Details. Affected Software: Ask Apache Password Protect. Fixed in Version: 46. Issue Type: Cross Site Scripting. Original Code: Found Here. Details: Pretty straightforward XSS here. On line 150 we see that the author calls print_r() on $_SERVER. $_SERVER is full of tainted variables, and print_r() will print all of the tainted values, resulting in XSS. The developers addressed this vulnerability by simply removing the print_r() code entirely. Spot the Vuln reader Abraham Kang spotted a different vulnerability: it's possible to use print_r() to DoS the server. Since the attacker controls several entries of the $_SERVER array, an attacker could create a bunch of nested arrays that would have to get unwound, consuming lots of server memory and in some cases causing a server crash. The details of this attack are described here. ...</description><link>http://www.secuobs.com/revue/news/303247.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/303247.shtml</guid></item>
<item><title>Checklists, software and software security</title><description>Secuobs.com : 2011-05-07 14:51:26 - AppSec Street Fighter - SANS Institute - There are practical applications of checklists in many different fields: aviation, project engineering, now even surgery. But what about software? Sure, checklists are sometimes used in code reviews, to good effect. But can we do more? Can we get the same thing out of checklists that pilots do, or that surgeons do? ...</description><link>http://www.secuobs.com/revue/news/303246.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/303246.shtml</guid></item>
<item><title>Spot the Vuln - Percentage</title><description>Secuobs.com : 2011-05-07 14:51:26 - AppSec Street Fighter - SANS Institute - 100 per cent of us die, and the percentage cannot be increased. (C. S. Lewis) Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, a solution is posted so you can check your answers. Each exercise is designed to last between 5 and 10 minutes. Do it while you drink your morning coffee and you will be on your way to writing more secure applications. ...</description><link>http://www.secuobs.com/revue/news/303245.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/303245.shtml</guid></item>
<item><title>Spot the Vuln - Percentage - Cross Site Scripting</title><description>Secuobs.com : 2011-05-07 14:51:26 - AppSec Street Fighter - SANS Institute - Details. Affected Software: Sermon Browser WordPress Plugin. Fixed in Version: 44. Issue Type: Cross Site Scripting. Original Code: Found Here. Details: There is a lot going on here in this code snippet. First, let's talk about the patch. The patch adds a check to ensure the requesting user has the rights to edit a post. The added functionality only displays a link (an A HREF) if the user has the correct permissions. Let's hope there are additional checks in place to prevent the execution of this functionality, as opposed to just trying to obscure the link. Second, there are a few SQL queries. The SQL queries actually seem to be well handled: most values are cast to int, which should work. Of course, Neal Poole and Jacob astutely point out that casts to int cannot always be trusted ...</description><link>http://www.secuobs.com/revue/news/303244.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/303244.shtml</guid></item>
<item><title>Spot the Vuln - Reasoning - Cross Site Scripting</title><description>Secuobs.com : 2011-02-25 14:02:01 - AppSec Street Fighter - SANS Institute - Details. Affected Software: FreePBX. Fixed in Version: 29. Issue Type: Cross Site Scripting (XSS). Original Code: Found Here. Description: To be honest, I was a little confused by this week's patch. There are several XSS bugs in this code. Originally, the vulnerable code would take a tainted $_REQUEST value (a value from a GET, POST, ...</description><link>http://www.secuobs.com/revue/news/287679.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/287679.shtml</guid></item>
<item><title>Spot the Vuln - Reasoning</title><description>Secuobs.com : 2011-02-21 15:57:17 - AppSec Street Fighter - SANS Institute - Man is a reasoning rather than a reasonable animal. (Alexander Hamilton) Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. ...</description><link>http://www.secuobs.com/revue/news/286615.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/286615.shtml</guid></item>
<item><title>Spot the Vuln - Radical - Cross Site Scripting</title><description>Secuobs.com : 2011-02-18 16:16:31 - AppSec Street Fighter - SANS Institute - Details. Affected Software: BezahlCode-Generator. Fixed in Version: 11. Issue Type: Cross Site Scripting (XSS). Original Code: Found Here. Description: A couple of straightforward XSS bugs. $_REQUEST is an associative array which contains the contents of $_GET, $_POST, and $_COOKIE, which are all user/attacker controllable. These variables are then used to create HTML markup. Security bugs ...</description><link>http://www.secuobs.com/revue/news/286230.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/286230.shtml</guid></item>
<item><title>HTTP headers fun</title><description>Secuobs.com : 2011-02-16 08:34:57 - AppSec Street Fighter - SANS Institute - Cross posted from SANS ISC. Not sure if you have seen our latest pet project: HTTP Headers. This is ISC's effort to track HTTP response headers by major sites on the Internet. Our main goal at this point is to monitor the use of security related headers. However, we are collecting all headers in ...</description><link>http://www.secuobs.com/revue/news/285588.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/285588.shtml</guid></item>
<item><title>Spot the Vuln - Radical</title><description>Secuobs.com : 2011-02-14 16:47:34 - AppSec Street Fighter - SANS Institute - When you are right, you cannot be too radical. When you are wrong, you cannot be too conservative. (Martin Luther King, Jr.) Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the ...</description><link>http://www.secuobs.com/revue/news/285103.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/285103.shtml</guid></item>
<item><title>Spot the Vuln - Light - Cross Site Scripting</title><description>Secuobs.com : 2011-02-11 15:22:35 - AppSec Street Fighter - SANS Institute - Details. Affected Software: FreeNAS. Fixed in Version: 0693. Issue Type: Cross Site Scripting (XSS). Original Code: Found Here. Description: The code sample for this week contained a couple of XSS vulnerabilities. Although not essential for exploitation, it's also interesting to note that this response is within an SVG image. You can see this by examining the ...</description><link>http://www.secuobs.com/revue/news/284615.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/284615.shtml</guid></item>
<item><title>Five Key Design Decisions That Affect Security in Web Applications</title><description>Secuobs.com : 2011-02-10 23:53:39 - AppSec Street Fighter - SANS Institute - By Krishna Raja and Rohit Sethi (@rksethi). Senior developers and architects often make decisions related to application performance or other areas that have significant ramifications on the security of the application for years to come. Some decisions are obvious: how do we authenticate users? How do we restrict page access to authorized users? Others, however, ...</description><link>http://www.secuobs.com/revue/news/284482.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/284482.shtml</guid></item>
<item><title>Apple iOS Push Notifications: Security Implications, Abuse Scenarios, and Countermeasures</title><description>Secuobs.com : 2011-02-07 21:43:19 - AppSec Street Fighter - SANS Institute - This is a guest post from security researcher Nitesh Dhanjani. Nitesh will be giving a talk on Hacking and Securing Next Generation iPhone and iPad Apps at SANS AppSec 2011. Millions of iOS users and developers have come to rely on Apple's Push Notification Service (APN). In this article, I will briefly introduce details of ...</description><link>http://www.secuobs.com/revue/news/283503.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/283503.shtml</guid></item>
<item><title>Spot the Vuln - Light</title><description>Secuobs.com : 2011-02-07 14:14:39 - AppSec Street Fighter - SANS Institute - To send light into the darkness of men's hearts, such is the duty of the artist. (Schumann) Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try ...</description><link>http://www.secuobs.com/revue/news/283379.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/283379.shtml</guid></item>
<item><title>Spot the Vuln - Money - SQL Injection</title><description>Secuobs.com : 2011-02-04 15:07:00 - AppSec Street Fighter - SANS Institute - Details. Affected Software: Surfnet IDS. Fixed in Version: 10307. Issue Type: SQL Injection. Original Code: Found Here. Description: There were a couple of SQL injection bugs here. Beginning at line 35, we see that the Surfnet IDS developers have accepted three POST parameters and have assigned tainted values to three different variables: $keyname, $vlanid, $action ...</description><link>http://www.secuobs.com/revue/news/282985.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/282985.shtml</guid></item>
<item><title>Spot the Vuln - Money</title><description>Secuobs.com : 2011-01-31 14:00:02 - AppSec Street Fighter - SANS Institute - Money won't buy happiness, but it will pay the salaries of a large research staff to study the problem. (Bill Vaughan) Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable ...</description><link>http://www.secuobs.com/revue/news/281838.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/281838.shtml</guid></item>
<item><title>Spot the Vuln - Wood - SQL injection</title><description>Secuobs.com : 2011-01-28 13:07:11 - AppSec Street Fighter - SANS Institute - Details. Affected Software: WordPress Core. Fixed in Version: 22. Issue Type: SQL Injection. Original Code: Found Here. Description: This is a fairly straightforward SQL injection bug. First, although we can't see exactly where $args is set, we have some strong clues that it contains user/attacker controlled data. For example, the first function on ...</description><link>http://www.secuobs.com/revue/news/281380.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/281380.shtml</guid></item>
<item><title>Spot the Vuln - Wood</title><description>Secuobs.com : 2011-01-24 15:16:49 - AppSec Street Fighter - SANS Institute - Remember, a chip on the shoulder is a sure sign of wood higher up. (Brigham Young) Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify ...</description><link>http://www.secuobs.com/revue/news/280295.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/280295.shtml</guid></item>
<item><title>Spot the Vuln - Vegetables - SQL Injection</title><description>Secuobs.com : 2011-01-21 13:59:57 - AppSec Street Fighter - SANS Institute - Details. Affected Software: Short URL Plugin. Fixed in Version: Changeset 55280. Issue Type: SQL Injection. Original Code: Found Here. Description: This week's vulnerabilities were a couple of SQL injection bugs in the Short URL Plugin for WordPress. The symptoms for the issues indicate classic SQL injection; let's have a quick look at the code. First, ...</description><link>http://www.secuobs.com/revue/news/279869.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/279869.shtml</guid></item>
<item><title>Spot the Vuln - Vegetables</title><description>Secuobs.com : 2011-01-17 12:15:24 - AppSec Street Fighter - SANS Institute - People need trouble, a little frustration to sharpen the spirit on, toughen it. Artists do. I don't mean you need to live in a rat hole or gutter, but you have to learn fortitude, endurance. Only vegetables are happy. (William Faulkner) Spot the Vuln uses code snippets from open source applications to demonstrate ...</description><link>http://www.secuobs.com/revue/news/278663.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/278663.shtml</guid></item>
<item><title>What's in Your iOS Image Cache?</title><description>Secuobs.com : 2011-01-14 18:57:51 - AppSec Street Fighter - SANS Institute - Backgrounding and Snapshots. In iOS, when an application moves to the background the system takes a screenshot of the application's main window. This screenshot is used to animate transitions when the app is reopened. For example, pressing the home button while using the logon screen of the Chase app results in the following ...</description><link>http://www.secuobs.com/revue/news/278304.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/278304.shtml</guid></item>
<item><title>Spot the Vuln - Sleep - SMTP Command Injection</title><description>Secuobs.com : 2011-01-14 12:30:16 - AppSec Street Fighter - SANS Institute - Details. Affected Software: PunBB. Fixed in Version: 132. Issue Type: SMTP Command Injection. Original Code: Found Here. Description: Interesting bug here. In 2008, Stefan Esser reported a bug to the PunBB team which described an SMTP command injection vulnerability. If we look at the code below, we see that PunBB opens a socket connection to ...</description><link>http://www.secuobs.com/revue/news/278219.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/278219.shtml</guid></item>
<item><title>Spot the Vuln - Sleep</title><description>Secuobs.com : 2011-01-10 13:56:00 - AppSec Street Fighter - SANS Institute - It is a common experience that a problem difficult at night is resolved in the morning after the committee of sleep has worked on it. (John Steinbeck) Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. ...</description><link>http://www.secuobs.com/revue/news/277086.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/277086.shtml</guid></item>
<item><title>Secure Coding iPhone and iPad Apps Against MiTM</title><description>Secuobs.com : 2011-01-07 19:59:56 - AppSec Street Fighter - SANS Institute - This is a guest post from security researcher Nitesh Dhanjani. Nitesh will be giving a talk on Hacking and Securing Next Generation iPhone and iPad Apps at SANS AppSec 2011. Many iOS applications use HTTP to connect to server side resources. To protect user data from being eavesdropped, iOS applications often use SSL to encrypt their ...</description><link>http://www.secuobs.com/revue/news/276634.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/276634.shtml</guid></item>
<item><title>Spot the Vuln - Banks - Cross Site Scripting</title><description>Secuobs.com : 2011-01-07 11:31:35 - AppSec Street Fighter - SANS Institute - Details. Affected Software: PunBB. Fixed in Version: 13. Issue Type: Cross Site Scripting (XSS). Original Code: Found Here. Description: Passwords, passwords, passwords. For some reason, developers sometimes assume password values are safe and do not need encoding. In this example, the developers chose to encode username values (line 87); however, they assumed password values would ...</description><link>http://www.secuobs.com/revue/news/276487.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/276487.shtml</guid></item>
<item><title>How Not to Store Passwords in iOS</title><description>Secuobs.com : 2011-01-05 17:21:07 - AppSec Street Fighter - SANS Institute - The WordPress iOS App. I was looking for an open source iOS application and quickly came across the WordPress app. Once you log in to your WordPress blog via the app, your credentials are then stored on the device itself. If done correctly this is not necessarily a bad thing. However, the WordPress app's implementation ...</description><link>http://www.secuobs.com/revue/news/276021.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/276021.shtml</guid></item>
<item><title>Spot the Vuln - Banks</title><description>Secuobs.com : 2011-01-03 15:57:45 - AppSec Street Fighter - SANS Institute - I have always been afraid of banks. (Andrew Jackson) Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. Every Friday, ...</description><link>http://www.secuobs.com/revue/news/275452.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/275452.shtml</guid></item>
<item><title>Spot the Vuln - Tougher - SQL Injection</title><description>Secuobs.com : 2010-12-31 12:14:46 - AppSec Street Fighter - SANS Institute - Details. Affected Software: PunBB. Fixed in Version: 13. Issue Type: SQL Injection (SQLi). Original Code: Found Here. Description: This week's bug was an old SQL injection bug that affected PunBB versions prior to the fixed version (13). In short, a value is taken from an attacker/user controlled POST request and is used to build a SQL statement. This bug ...</description><link>http://www.secuobs.com/revue/news/275062.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/275062.shtml</guid></item>
<item><title>Spot the Vuln - Tougher</title><description>Secuobs.com : 2010-12-27 18:50:16 - AppSec Street Fighter - SANS Institute - I survived because I was tougher than anybody else. (Bette Davis) Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability is. ...</description><link>http://www.secuobs.com/revue/news/274366.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/274366.shtml</guid></item>
<item><title>Spot the Vuln - Price - Cross Site Scripting</title><description>Secuobs.com : 2010-12-24 21:03:33 - AppSec Street Fighter - SANS Institute - Details. Affected Software: PunBB. Fixed in Version: 21. Issue Type: Cross Site Scripting (XSS). Original Code: Found Here. Description: This week's vulnerability was an XSS bug in PunBB. PunBB was taking an untrusted value directly from the POST parameter $_POST['prune_sticky'] and echoing the untrusted value directly into the value attribute of a hidden form input ...</description><link>http://www.secuobs.com/revue/news/274128.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/274128.shtml</guid></item>
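<![CDATA[
The attribute-context XSS in this PunBB item and in the PunBB "Banks" item above (password values echoed without encoding), as an added example that is not PunBB's code or the original posts': the raw echo into a value attribute, the encoded form, and the single-quote caveat that bites templates using value='...'. The prune_sticky parameter name comes from the write-up; the markup, the helper names and the attacker strings are constructed for the demo.

```php
<?php
// Added example; not PunBB's code. Shows the hidden-input pattern from the
// write-up above (an untrusted $_POST value echoed into a value attribute) with
// the raw echo beside the encoded one. The prune_sticky name comes from the
// write-up; the form markup is assumed. Run: php attr_xss.php
declare(strict_types=1);

// Vulnerable: the value is dropped straight into a double-quoted attribute, so
// a single '"' in it ends the attribute and the rest is parsed as new markup.
function hiddenInputRaw(string $name, string $value): string
{
    return '<input type="hidden" name="' . $name . '" value="' . $value . '" />';
}

// Fixed: encode for the HTML attribute context. ENT_QUOTES covers both quote
// styles, ENT_SUBSTITUTE keeps invalid UTF-8 from silently emptying the output,
// and the explicit charset keeps the encoder's idea of a byte in step with the
// browser's.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function hiddenInputEncoded(string $name, string $value): string
{
    return '<input type="hidden" name="' . h($name) . '" value="' . h($value) . '" />';
}

// Caveat: htmlspecialchars() with default flags left the single quote alone on
// PHP versions before 8.1 (the default was ENT_COMPAT), so a template that
// writes value='...' stayed injectable even though it "encoded" the value.
// On 8.1 and later the default includes ENT_QUOTES and this line is safe.
function hiddenInputSingleQuotedDefaults(string $name, string $value): string
{
    return "<input type='hidden' name='" . htmlspecialchars($name) . "' value='" . htmlspecialchars($value) . "' />";
}

// Constructed attacker values: each closes the attribute it lands in and adds
// an event handler. The same strings work as a password, which is the point
// of the "Banks" item: a password field is just another untrusted string.
$payloadDouble = '1" autofocus onfocus="alert(document.cookie)" x="';
$payloadSingle = "1' autofocus onfocus='alert(document.cookie)' x='";

echo "raw:                ", hiddenInputRaw('prune_sticky', $payloadDouble), "\n";
echo "encoded:            ", hiddenInputEncoded('prune_sticky', $payloadDouble), "\n";
echo "defaults, ' quoted: ", hiddenInputSingleQuotedDefaults('prune_sticky', $payloadSingle), "\n";
echo "ENT_QUOTES, same:   ", h($payloadSingle), "\n";
```

The encoded output keeps the whole payload inside one value attribute; the raw output has three attributes where the template wrote one. Pick the encoder for the context the value lands in (attribute, text node, URL, JavaScript string) rather than relying on whatever htmlspecialchars() happens to default to on the deployed PHP version.
]]>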
<item><title>Spot the Vuln - Price</title><description>Secuobs.com : 2010-12-20 10:13:03 - AppSec Street Fighter - SANS Institute - Courage is the price that life exacts for granting peace. (Amelia Earhart) Spot the Vuln uses code snippets from open source applications to demonstrate vulnerabilities in real world web applications. Every Monday morning a vulnerable code snippet is posted. Take a look at the vulnerable code and try to identify where the security vulnerability ...</description><link>http://www.secuobs.com/revue/news/273034.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/273034.shtml</guid></item>
<item><title>UI Spoofing Safari on the iPhone</title><description>Secuobs.com : 2010-11-29 19:54:40 - AppSec Street Fighter - SANS Institute - This is the second in a series of guest posts from security researcher Nitesh Dhanjani. His first post was on Insecure Handling of URL Schemes in Apple's iOS. Nitesh will be giving a talk on Hacking and Securing Next Generation iPhone and iPad Apps at SANS AppSec 2011. Popular web browsers today do not allow ...</description><link>http://www.secuobs.com/revue/news/268020.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/268020.shtml</guid></item>
<item><title>Exchanging and sharing of assessment results</title><description>Secuobs.com : 2010-11-19 08:55:49 - AppSec Street Fighter - SANS Institute - (Cross posted from SANS ISC) Penetration tests and vulnerability assessments are becoming more common across the whole industry, as organizations have found that it is necessary to prove a certain level of security for infrastructure and applications. The need to exchange test result information is also increasing substantially. External parties ranging from business partners and clients to regulators may ...</description><link>http://www.secuobs.com/revue/news/266015.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/266015.shtml</guid></item>
<item><title>Insecure Handling of URL Schemes in Apple's iOS</title><description>Secuobs.com : 2010-11-08 21:13:23 - AppSec Street Fighter - SANS Institute - This is a guest post from security researcher Nitesh Dhanjani. In this article, I will discuss the security concerns I have regarding how URL Schemes are registered and invoked in iOS. URL Schemes, as Apple refers to them, are URL protocol handlers that can be invoked by the Safari browser. They can also be used ...</description><link>http://www.secuobs.com/revue/news/263304.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/263304.shtml</guid></item>
<item><title>Weekly Roundup of Web Hacking Incidents</title><description>Secuobs.com : 2010-10-25 18:07:11 - AppSec Street Fighter - SANS Institute - The Web Hacking Incident Database, or WHID for short, is a Web Application Security Consortium project dedicated to maintaining a list of web application related security incidents. WHID's goal is to serve as a tool for raising awareness of the web application security problem and to provide information for statistical analysis of web application security incidents. The ...</description><link>http://www.secuobs.com/revue/news/259703.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/259703.shtml</guid></item>
<item><title>Weekly Roundup of @RISK Web Application Vulnerabilities</title><description>Secuobs.com : 2010-10-22 17:51:44 - AppSec Street Fighter   SANS Institute - @RISK: The Consensus Security Vulnerability Alert, October 21st, 2010, Vol. 9, Week 43. Web Application - Cross Site Scripting: 104342 TWiki Multiple Cross-Site Scripting Vulnerabilities; 104343 Attachmate Reflection for the Web Cross-Site Scripting; 104344</description><link>http://www.secuobs.com/revue/news/259245.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/259245.shtml</guid></item>
<item><title>ASP.NET Padding Oracle Vulnerability</title><description>Secuobs.com : 2010-10-12 00:42:34 - AppSec Street Fighter   SANS Institute - A very serious vulnerability in ASP.NET was revealed this past month that allows attackers to completely compromise ASP.NET Forms Authentication, among other things. When things like this happen, as developers it's important to see what lessons can be learned in order to improve the defensibility of our software. Source: "Padding Oracle" Crypto Attack Affects Millions of</description><link>http://www.secuobs.com/revue/news/255992.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/255992.shtml</guid></item>
<item><title>WASC Web Hacking Incident Database Semi-Annual Report</title><description>Secuobs.com : 2010-10-07 00:02:39 - AppSec Street Fighter   SANS Institute - In addition to being a SANS Certified Instructor, I also serve as the WASC Web Hacking Incident Database (WHID) project leader. If you are unfamiliar, WHID is a project dedicated to maintaining a record of web application-related security incidents. WHID's purpose is to serve as a tool for raising awareness of web application security problems</description><link>http://www.secuobs.com/revue/news/254892.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/254892.shtml</guid></item>
<item><title>Hacking, Reviewing, and Fixing a Real-World Open Source Web App</title><description>Secuobs.com : 2010-09-16 23:57:09 - AppSec Street Fighter   SANS Institute - A few weeks ago I finished a big update to Secure Coding in Java/JEE (DEV541), which has a new day dedicated to hacking, reviewing, and fixing the code of a real-world open source web application written in Java. It's an introduction to security in the SDLC and is similar to the Capture and Defend the</description><link>http://www.secuobs.com/revue/news/245955.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/245955.shtml</guid></item>
<item><title>Seven Security (Mis)Configurations in Java web.xml Files</title><description>Secuobs.com : 2010-09-16 23:57:09 - AppSec Street Fighter   SANS Institute - There are a lot of articles about configuring authentication and authorization in Java web.xml files. Instead of rehashing how to configure roles, protect web resources, and set up different types of authentication, let's look at some of the most common security misconfigurations in Java web.xml files. 1. Custom Error Pages Not Configured. By default, Java</description><link>http://www.secuobs.com/revue/news/245954.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/245954.shtml</guid></item>
<item><title>Some Thoughts About Passwords</title><description>Secuobs.com : 2010-09-16 23:57:09 - AppSec Street Fighter   SANS Institute - Passwords don't work. Any password has a finite chance of being guessed. A good password is just less likely to be guessed than a simple password. But a strong password is not necessarily the one with many weird characters but the one that is least likely to be guessed.</description><link>http://www.secuobs.com/revue/news/245953.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/245953.shtml</guid></item>
<item><title>Free AppSec Webcasts</title><description>Secuobs.com : 2010-07-26 07:48:55 - AppSec Street Fighter   SANS Institute - Here are some recent appsec webcasts for your viewing pleasure. - Web Application Threats: Combining XSS and CSRF to own the world. Kevin Johnson covers Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF). Specifically, how they can be used to exploit users and applications, how to find them and what their combined power can accomplish</description><link>http://www.secuobs.com/revue/news/243774.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/243774.shtml</guid></item>
<item><title>Hard-Coded Password in Critical SCADA Software</title><description>Secuobs.com : 2010-07-23 03:05:55 - AppSec Street Fighter   SANS Institute - Wired reports that a new piece of malware is using a hard-coded password in Siemens' Simatic WinCC SCADA system to access the underlying MS SQL Server database, which contains information used to manage critical utilities and manufacturing facilities. The article quotes Joe Weiss as saying: Well over 50 percent of the control system suppliers have</description><link>http://www.secuobs.com/revue/news/243067.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/243067.shtml</guid></item>
<item><title>Trio of AppSec Webcasts Next Week</title><description>Secuobs.com : 2010-04-21 19:59:08 - AppSec Street Fighter   SANS Institute - We have three cool webcasts lined up next week. 1. SQL Injection for the Penetration Tester on April 27. Eric Conrad will kick off the week of webcasts with something every penetration tester should know about. Both normal and blind SQL attacks will be described, including reading and altering databases, creating local files, and gaining command</description><link>http://www.secuobs.com/revue/news/214610.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/214610.shtml</guid></item>
<item><title>Webcast on Manipulating Web Application Interfaces</title><description>Secuobs.com : 2010-04-15 20:42:05 - AppSec Street Fighter   SANS Institute - Felipe Moreno will be giving a webcast on Groundspeed, a Firefox add-on that allows penetration testers to manipulate the interface of web applications in order to adapt it to penetration test needs, removing the annoying client-side limitations and making the test more efficient. Not much has changed since the beginning of the web application penetration</description><link>http://www.secuobs.com/revue/news/212606.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/212606.shtml</guid></item>
<item><title>Top 25 Series - Summary and Links</title><description>Secuobs.com : 2010-04-06 18:26:53 - AppSec Street Fighter   SANS Institute - As requested, here are the links to all the posts on the Top 25 Most Dangerous Programming Errors. Please let us know if you have any suggestions or comments. 1. Cross-Site Scripting (XSS) 2. SQL Injection 3. Classic Buffer Overflow 4. Cross-Site Request Forgery (CSRF) 5. Improper Access Control (Authorization) 6. Reliance on Untrusted</description><link>http://www.secuobs.com/revue/news/209330.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/209330.shtml</guid></item>
<item><title>Top 25 Series - Rank 20 - Download of Code Without Integrity Check</title><description>Secuobs.com : 2010-04-06 00:06:56 - AppSec Street Fighter   SANS Institute - Checking the integrity of code you download is important and has to be done not just for the initial download, but for updates as well. We will discuss the options to implement integrity checks correctly.</description><link>http://www.secuobs.com/revue/news/209069.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/209069.shtml</guid></item>
<item><title>Top 25 Series - Rank 25 - Race Conditions</title><description>Secuobs.com : 2010-03-26 14:50:06 - AppSec Street Fighter   SANS Institute - Flying a lot, it happens once in a while that I arrive at the airport early enough to be offered to check in on an earlier flight. Usually the check-in kiosk offers the option and lists the flight. Last year, I tried to take advantage of this offer, only to be told that the flight</description><link>http://www.secuobs.com/revue/news/205790.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/205790.shtml</guid></item>
<item><title>Top 25 Series - Rank 24 - Use of a Broken or Risky Cryptographic Algorithm</title><description>Secuobs.com : 2010-03-25 15:27:31 - AppSec Street Fighter   SANS Institute - There are a few rules every developer should follow when applying encryption: - don't invent your own algorithm. Cryptography is a difficult topic, best left to the experts. Implementing encryption algorithms is difficult and there are many traps waiting. Many times, you can get away with a broken custom algorithm, but only because nobody challenges the implementation</description><link>http://www.secuobs.com/revue/news/205374.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/205374.shtml</guid></item>
<item><title>Top 25 Series - Rank 23 - Open Redirect</title><description>Secuobs.com : 2010-03-25 07:53:59 - AppSec Street Fighter   SANS Institute - Open redirect (CWE-601) allows phishing attacks to be more effective. Redirection is commonly used within all web applications for various purposes. From the login page, it is a common practice to redirect the user to another page once the user logs in. Sometimes the user goes directly to a content page and is redirected to</description><link>http://www.secuobs.com/revue/news/205271.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/205271.shtml</guid></item>
<item><title>Top 25 Series - Rank 21 - Incorrect Permission Assignment for Critical Response</title><description>Secuobs.com : 2010-03-24 08:23:11 - AppSec Street Fighter   SANS Institute - Incorrect Permission Assignment for Critical Response (CWE-732) is a complicated name for a problem that is easy to understand. If you don't go out of the way to do a few steps to secure your resources, they are probably not secured by default. Often enough in development, the responsibility to secure resources and components of</description><link>http://www.secuobs.com/revue/news/204792.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/204792.shtml</guid></item>
<item><title>Top 25 Series - Rank 22 - Allocation of Resources Without Limits or Throttling</title><description>Secuobs.com : 2010-03-23 18:28:50 - AppSec Street Fighter   SANS Institute - A number of years ago I was conducting a black box test of a fairly large web application. As part of this testing I used an automated script to send malicious inputs to a number of forms on the site in question. I sent a lot of requests. Turned out that, under</description><link>http://www.secuobs.com/revue/news/204543.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/204543.shtml</guid></item>
<item><title>Social Zombies: Your Friends Want to Eat Your Brains Webcast</title><description>Secuobs.com : 2010-03-23 18:28:50 - AppSec Street Fighter   SANS Institute - Kevin Johnson will be giving a cool webcast called "Social Zombies" where he explores the various concerns related to malware delivery through social network sites. Ignoring the FUD and confusion being sown today, this presentation will examine the risks and then present tools that can be used to exploit these issues. We discuss how social</description><link>http://www.secuobs.com/revue/news/204542.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/204542.shtml</guid></item>
<item><title>Top 25 Series - Rank 18 - Incorrect Calculation of Buffer Size</title><description>Secuobs.com : 2010-03-19 22:19:29 - AppSec Street Fighter   SANS Institute - Incorrect Calculation of Buffer Size (CWE-131) is another shameful member of the buffer overflow family. Buffer overflow is generally caused by copying or moving a piece of data to a smaller memory location, hence overwriting some important data in memory and corrupting the execution path of the computer. The most basic</description><link>http://www.secuobs.com/revue/news/203516.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/203516.shtml</guid></item>
<item><title>Top 25 Series - Rank 17 - Integer Overflow or Wraparound</title><description>Secuobs.com : 2010-03-18 04:20:32 - AppSec Street Fighter   SANS Institute - The author discusses integers, wraparound and how random numbers may very much be non-random if you don't know how to read the manual.</description><link>http://www.secuobs.com/revue/news/202866.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/202866.shtml</guid></item>
<item><title>Top 25 Series - Rank 16 - Information Exposure Through an Error Message</title><description>Secuobs.com : 2010-03-17 05:02:00 - AppSec Street Fighter   SANS Institute - Error messages can leak everything from full path names to passwords. A user should never be exposed to them, unless you expect them to fix the problem for you.</description><link>http://www.secuobs.com/revue/news/202479.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/202479.shtml</guid></item>
<item><title>Top 25 Series - Rank 15 - Improper Check for Unusual or Exceptional Conditions</title><description>Secuobs.com : 2010-03-15 18:29:24 - AppSec Street Fighter   SANS Institute - CWE-754 happens when "software does not check or improperly checks for unusual or exceptional conditions that are not expected to occur frequently during day-to-day operation of the software" [1]. Take the following snippet of Java code as an example: private static final int ROLE_ADMIN = 0; private static final int ROLE_USER = 1; private static final int</description><link>http://www.secuobs.com/revue/news/201752.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/201752.shtml</guid></item>
<item><title>Top 25 Series - Rank 14 - Improper Validation of Array Index</title><description>Secuobs.com : 2010-03-13 01:36:51 - AppSec Street Fighter   SANS Institute - Improper Validation of Array Index (CWE-129) is a flaw related to improper use of user input. Most programming languages have support for array structures. Objects within the array can be indexed by numeric value, such as 0, which points to the first object in the array, or 5, which points to the 6th object in</description><link>http://www.secuobs.com/revue/news/201287.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/201287.shtml</guid></item>
<item><title>Top 25 Series - Rank 13 - PHP File Inclusion</title><description>Secuobs.com : 2010-03-11 18:21:44 - AppSec Street Fighter   SANS Institute - Last year, when we got going with our web honeypot, we quickly found that PHP file inclusion vulnerabilities are by far the #1 exploit the honeypot was exposed to [1]. In part, this may have been due to us heavily emulating PHP applications. But many of the exploits didn't match any of the installed</description><link>http://www.secuobs.com/revue/news/200728.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/200728.shtml</guid></item>
<item><title>Top 25 Series - Rank 12 - Buffer Access with Incorrect Length Value</title><description>Secuobs.com : 2010-03-11 05:42:08 - AppSec Street Fighter   SANS Institute - Buffer Access with Incorrect Length Value (CWE-805) is closely related to Classic Buffer Overflow (CWE-120). Classic buffer overflow is caused by copying a buffer without checking for length. Buffer Access with Incorrect Length Value occurs when length is taken into consideration but the actual length defined is not sufficient. The end result of this vulnerability is a buffer overflow. The</description><link>http://www.secuobs.com/revue/news/200593.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/200593.shtml</guid></item>
<item><title>Top 25 Series - Rank 11 - Hardcoded Credentials</title><description>Secuobs.com : 2010-03-10 02:34:40 - AppSec Street Fighter   SANS Institute - Talking about hard-coded credentials to other developers, one of the first questions to come up is "where else to keep them?" A hard-coded credential is usually a password used to obtain administrative access to software, or a password used by this same software to establish outbound connections, for example to connect to a</description><link>http://www.secuobs.com/revue/news/200073.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/200073.shtml</guid></item>
<item><title>Top 25 Series - Rank 7 - Path Traversal</title><description>Secuobs.com : 2010-03-09 15:09:40 - AppSec Street Fighter   SANS Institute - In October 2001, when the DShield.org site was just about a year old, I was alerted to a flood of reports hitting the site. Looking at the reports in more detail, I found out that most of them were due to blocked ICMP packets being reported to the site. Further investigation revealed that the reports were</description><link>http://www.secuobs.com/revue/news/199731.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/199731.shtml</guid></item>
<item><title>Top 25 Series - Rank 6 - Reliance on Untrusted Inputs in a Security Decision</title><description>Secuobs.com : 2010-03-05 19:49:50 - AppSec Street Fighter   SANS Institute - During a code review I came across code that looked like this: // for testing only String testId = request.getParameter("secretId"); if (testId != null &amp;&amp; !testId.equals("")) id = testId; else id = codeToLookupTheRealId(); This code allows a malicious user to perform an access control bypass attack by simply supplying the "secretId" parameter in the request. As you can tell from the</description><link>http://www.secuobs.com/revue/news/198744.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/198744.shtml</guid></item>
<item><title>Top 25 Series - Rank 5 - Improper Access Control (Authorization)</title><description>Secuobs.com : 2010-03-04 20:28:44 - AppSec Street Fighter   SANS Institute - Foursquare is a mobile app that lets you "check in" to a location and tell your friends about it. If you check in someplace often enough you can, among other things, become the "mayor" of that location. If you're the mayor you can even sometimes win free food [1]. Normally, people are supposed to actually</description><link>http://www.secuobs.com/revue/news/198111.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/198111.shtml</guid></item>
<item><title>Top 25 Series - Rank 4 - Cross Site Request Forgery</title><description>Secuobs.com : 2010-03-04 01:23:16 - AppSec Street Fighter   SANS Institute - Cross Site Request Forgery (CWE-352) is one of the more common vulnerabilities in existence today. Although it is relatively common, not all instances of the vulnerability provide sufficient incentive for an attacker to exploit the vulnerability. The vulnerability is based on the fact that the web application assumes any request by the user is a legitimate request</description><link>http://www.secuobs.com/revue/news/197826.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/197826.shtml</guid></item>
<item><title>Top 25 Series - Rank 3 - Classic Buffer Overflow</title><description>Secuobs.com : 2010-03-03 01:32:14 - AppSec Street Fighter   SANS Institute - Classic buffer overflow (CWE-120) is a huge problem in programming; we have all seen the damage that can be done by buffer overflows. There were numerous worms that leveraged this vulnerability in the early 2000s. Starting from the Morris worm early on, extending to Code Red and SQL Slammer, they are all proof that</description><link>http://www.secuobs.com/revue/news/197377.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/197377.shtml</guid></item>
<item><title>Following a Trail of Breadcrumbs - A Design Flaw in Yahoo! Mail</title><description>Secuobs.com : 2010-03-02 19:57:07 - AppSec Street Fighter   SANS Institute - It's my pleasure to post this guest blog from my colleague and fellow security professional, Khash Kiani, about an interesting design flaw in Yahoo! Mail. Intent: The ultimate goal of this exercise was to reveal a few fundamental design flaws with the authentication mechanism of Yahoo! Mail, more specifically its password reset scheme. The exercise also intended to</description><link>http://www.secuobs.com/revue/news/197240.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/197240.shtml</guid></item>
<item><title>Top 25 Series - Rank 2 - SQL Injection</title><description>Secuobs.com : 2010-03-01 18:13:18 - AppSec Street Fighter   SANS Institute - Item #2 in this year's Top 25 is CWE-89 [1]. It is officially called Improper Sanitization of Special Elements used in an SQL Command (SQL Injection). There are many public examples that show the devastating impact that SQL Injection can have, including the Mass SQL Injection attacks that began in 2008 [2,3,4], as well as the</description><link>http://www.secuobs.com/revue/news/196629.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/196629.shtml</guid></item>
<item><title>Top 25 Series - Rank 10 - Missing Encryption of Sensitive Data</title><description>Secuobs.com : 2010-02-26 15:56:39 - AppSec Street Fighter   SANS Institute - Entry #10 on the CWE/SANS Top 25 is CWE-311, Missing Encryption of Sensitive Data [1]. In a previous post [2] we discussed how we obtained command line access to the server. As a result, we could now conduct any number of malicious activities. But our primary goal was to retrieve confidential customer information. Navigating around the</description><link>http://www.secuobs.com/revue/news/195936.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/195936.shtml</guid></item>
<item><title>Top 25 Series - Rank 8 - Unrestricted Upload of Dangerous File Type</title><description>Secuobs.com : 2010-02-25 16:27:10 - AppSec Street Fighter   SANS Institute - File uploads are a hard problem, and it is no surprise that they made it into the Top 25 list. We covered some of the tactical issues in allowing file uploads in an earlier blog. This blog discusses how to use the SDL to your advantage to avoid some of the risks.</description><link>http://www.secuobs.com/revue/news/195557.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/195557.shtml</guid></item>
<item><title>Top 25 Series - Rank 9 - OS Command Injection</title><description>Secuobs.com : 2010-02-24 16:28:34 - AppSec Street Fighter   SANS Institute - Entry #9 on the new CWE/SANS Top 25 is about OS Command Injection [1]. It's officially called Improper Sanitization of Special Elements used in an OS Command (OS Command Injection), but I prefer to keep the title short when describing it. In a previous post [2] we had just gained access to the application by</description><link>http://www.secuobs.com/revue/news/195098.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/195098.shtml</guid></item>
<item><title>Top 25 Series - Rank 19 - Missing Authentication for Critical Function</title><description>Secuobs.com : 2010-02-23 16:00:55 - AppSec Street Fighter   SANS Institute - One of the most blatant examples I've seen of weak or missing authentication occurred with the online dating site SpeedDate.com. For a brief period of time, passwords were not even required to log in to the application [1]. All you needed was the user ID and a blank password and you would be</description><link>http://www.secuobs.com/revue/news/194635.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/194635.shtml</guid></item>
<item><title>Top 25 Series - Rank 1 - Cross Site Scripting</title><description>Secuobs.com : 2010-02-22 10:23:10 - AppSec Street Fighter   SANS Institute - It is my honor to kick off with the first programming error on the Top 25 list. Ranked number 1 on the list is the Cross Site Scripting issue. Cross Site Scripting, like many other Web security problems, is caused by simple flaws related to user input, but the potential attack scenarios can be diverse and the fix</description><link>http://www.secuobs.com/revue/news/194062.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/194062.shtml</guid></item>
<item><title>Mobile Application Security Webcast - Win a Free Book</title><description>Secuobs.com : 2010-02-17 06:12:12 - AppSec Street Fighter   SANS Institute - The good folks at iSec Partners have written a new book called "Mobile Application Security" and one of the authors, Chris Clark, will be giving a webcast on that very topic. The day when everyone has a PC in their pocket has arrived and developers are rushing to create mobile applications to meet demand. This talk</description><link>http://www.secuobs.com/revue/news/192626.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/192626.shtml</guid></item>
<item><title>More MiFi Fun: Consistent Authentication Matters</title><description>Secuobs.com : 2010-02-05 22:19:36 - AppSec Street Fighter   SANS Institute - The Novatel MiFi device is a rich target for simple web application exploitation. In this example, we show how to use a simple form and a single JavaScript command to turn the Verizon version of the device into an open access point.</description><link>http://www.secuobs.com/revue/news/189087.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/189087.shtml</guid></item>
<item><title>Anatomy of a Form Spam Run</title><description>Secuobs.com : 2010-02-03 17:27:10 - AppSec Street Fighter   SANS Institute - At the Internet Storm Center, we feature a poll on our home page. As part of the poll, you will find a comment field. Sadly, this comment field is frequently abused for spam. Not that it does any good. The spam is easily filtered and all comments have to be approved anyway. But just today,</description><link>http://www.secuobs.com/revue/news/188188.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/188188.shtml</guid></item>
<item><title>Weathering the Storm Part 2: A Day of Weblogs at the Internet Storm Center</title><description>Secuobs.com : 2010-01-29 05:49:09 - AppSec Street Fighter   SANS Institute - Today, we will take a quick look at remote file inclusion (RFI). Based on our web honeypot project, RFI is by far the most common exploit attempt. Most of the vulnerabilities exploited are rather old. But it appears still worthwhile to these attackers to give it a try. There are a number of simple configuration choices</description><link>http://www.secuobs.com/revue/news/186543.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/186543.shtml</guid></item>
<item><title>8 Basic Rules to Implement Secure File Uploads</title><description>Secuobs.com : 2010-01-28 18:09:16 - AppSec Street Fighter   SANS Institute - The recent release of a new IIS vulnerability motivated me to compile a list of "best practices" for file uploads. This is a checklist I use in my own coding and it has become quite valuable to me. File uploads are always a "scary" feature, in particular if the files need to be access controlled or if they will be retrievable via a browser by other users.</description><link>http://www.secuobs.com/revue/news/186314.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/186314.shtml</guid></item>
<item><title>DoS Attack After Action Report - Shell Scripts</title><description>Secuobs.com : 2010-01-28 18:09:16 - AppSec Street Fighter   SANS Institute - In my DDoS after action report, I mentioned that it is helpful to have a couple of simple shell scripts around to analyze your logs while under stress. I got some requests for these scripts, so here they are.</description><link>http://www.secuobs.com/revue/news/186313.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/186313.shtml</guid></item>
<item><title>Client Side Input Validation is Evil</title><description>Secuobs.com : 2010-01-28 18:09:16 - AppSec Street Fighter   SANS Institute - In order to unlock the device, you have to enter your password into software installed on your laptop/desktop. You would expect the software to hash or encrypt the password and send it to the device, and the device to use the hash to decrypt the files stored on the device. WRONG.</description><link>http://www.secuobs.com/revue/news/186312.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/186312.shtml</guid></item>
<item><title>Webcast on Next Gen Application Attacks</title><description>Secuobs.com : 2010-01-28 18:09:16 - AppSec Street Fighter   SANS Institute - I'm really looking forward to a webcast titled "The Porous Castle: Next Generation Application Attacks" by Nitesh Dhanjani. I spoke to Nitesh and he said it was OK for me to say that he'll be revealing details of a very cool zero-day on an extremely well-known web site. Nitesh will discuss the impact of some</description><link>http://www.secuobs.com/revue/news/186311.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/186311.shtml</guid></item>
<item><title>Weathering the Storm: A Day of Weblogs at the Internet Storm Center</title><description>Secuobs.com : 2010-01-28 18:09:16 - AppSec Street Fighter   SANS Institute - Like any web server, the SANS Internet Storm Center web server is being attacked regularly. In this multi-part series, we will go over one of our server access logs to find out what attacks are used.</description><link>http://www.secuobs.com/revue/news/186310.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/186310.shtml</guid></item>
<item><title>What should be part of a PHP Streetfighter API?</title><description>Secuobs.com : 2009-12-13 23:35:23 - AppSec Street Fighter   SANS Institute - Do we need a quick and dirty PHP Streetfighter API? Something to help lazy developers beat up lazy exploits? Something that can be written in 24hrs and learned in less than 1hr? If you are interested in using it, let me know.</description><link>http://www.secuobs.com/revue/news/171517.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/171517.shtml</guid></item>
<item><title>IPv6 and your web application</title><description>Secuobs.com : 2009-12-12 01:09:48 - AppSec Street Fighter   SANS Institute - If you want to do something now: Make sure that you confirm whether your current web server supports IPv6 or not. Modern operating systems tend to establish IPv6 tunnels over IPv4 automatically. Make sure they are disabled until your application is ready for IPv6. Communicate clearly with your networking team to avoid accidental IPv6 exposure of your application. Finally: Get an IPv6 test environment running to get your feet wet.</description><link>http://www.secuobs.com/revue/news/171211.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/171211.shtml</guid></item>
<item><title>Argument for Database encryption in web apps</title><description>Secuobs.com : 2009-11-13 03:33:27 - AppSec Street Fighter   SANS Institute - I regularly get consulted on various web application security issues and defensive strategies. One of the recent "frequently asked questions" is around database encryption for web applications. My answers to these kinds of questions usually lead to awkward-looking faces. I always start off asking more questions about the requirements: Who are you trying to</description><link>http://www.secuobs.com/revue/news/160362.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/160362.shtml</guid></item>
<item><title>Response to Nielsen's "Stop Password Masking"</title><description>Secuobs.com : 2009-11-13 03:33:27 - AppSec Street Fighter   SANS Institute - I just ran across Jakob Nielsen's Alertbox post titled "Stop Password Masking" and wanted to provide some feedback from a security vs. usability perspective. I have great respect for Nielsen's contribution to the usability of the web. Back in the early days of the internet (mid 1990s), his books were gospel at my consulting</description><link>http://www.secuobs.com/revue/news/160361.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/160361.shtml</guid></item>
<item><title>Session Attacks and PHP - Part 2</title><description>Secuobs.com : 2009-11-13 03:33:27 - AppSec Street Fighter   SANS Institute - Yes, I will talk in this article about why it is not good to leave your session files in /tmp. But first, allow me to follow Jason's lead and talk about the attacks he discussed in Part 2 of his ASP.NET article. I will keep it short. Session fixation isn't really that much of</description><link>http://www.secuobs.com/revue/news/160360.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/160360.shtml</guid></item>
<item><title>Various PHP and MySQL pitfalls</title><description>Secuobs.com : 2009-11-13 03:33:27 - AppSec Street Fighter   SANS Institute - This is a short post to summarize some of the issues I see with PHP code and the use of MySQL. Not too many people know about these pitfalls, and they give rise to some of the more subtle security issues. 1. SQL Overflow: If a value you insert into a column is too large,</description><link>http://www.secuobs.com/revue/news/160359.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/160359.shtml</guid></item>
<item><title>Results from Webhoneypot project</title><description>Secuobs.com : 2009-11-13 03:33:27 - AppSec Street Fighter   SANS Institute - The SANS ISC Webhoneypot project was started over a year ago, and the client has been in public beta since June. We have been collecting data from honeypots since January. The goal of the project is to collect quantitative data about the prevalence of large-scale automated attacks. We are now ready to share some collected</description><link>http://www.secuobs.com/revue/news/160358.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/160358.shtml</guid></item>
<item><title>Pentesting: Do you need "coverage"?</title><description>Secuobs.com : 2009-11-13 03:33:27 - AppSec Street Fighter   SANS Institute - Is a pentest done after you got root? Or is this just the start of finding even more vulnerabilities? In my opinion, a pentest should aim at finding as many vulnerabilities as possible.</description><link>http://www.secuobs.com/revue/news/160357.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/160357.shtml</guid></item>
<item><title>Response: Pentesting Coverage</title><description>Secuobs.com : 2009-11-13 03:33:27 - AppSec Street Fighter   SANS Institute - The person I had the IM discussion with was Daniel Miessler. He responded in his own blog, and sent me the excerpt below as a response. Thanks for the offline and online comments so far. Certainly an interesting topic to discuss.</description><link>http://www.secuobs.com/revue/news/160356.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/160356.shtml</guid></item>
<item><title>Adoption of X-FRAME-OPTIONS header</title><description>Secuobs.com : 2009-11-13 03:33:27 - AppSec Street Fighter   SANS Institute - In late 2008, Jeremiah Grossman and Robert Hansen publicized the clickjacking problem and got the web app security experts all trying to come up with solutions. One of the more viable solutions is the X-FRAME-OPTIONS header, which allows a site to control whether its content can be within a frame. There are two settings to this</description><link>http://www.secuobs.com/revue/news/160355.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/160355.shtml</guid></item>
<item><title>Go Google Yourself</title><description>Secuobs.com : 2009-11-13 03:33:27 - AppSec Street Fighter   SANS Institute - Regular spidering should be part of a web application's maintenance regimen. Of course, there are plenty of free and commercial tools to do it for you. Vulnerability scanners will typically come with a powerful spider function. On the other hand, public search engines like Google already do most of the work for you. In particular</description><link>http://www.secuobs.com/revue/news/160354.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/160354.shtml</guid></item>
<item><title>The Day the World Will End</title><description>Secuobs.com : 2009-11-13 03:33:27 - AppSec Street Fighter   SANS Institute - With a new movie coming out about how the world will end with the (supposed) end of the Mayan calendar, I figured it would be nice to get a list of software-related "end of calendar" issues. Dec 31st 1999, 23:59:59 GMT: The famous Y2K issue. We made it (so far). Jan 10th, 2010, 10:10:00</description><link>http://www.secuobs.com/revue/news/160353.shtml</link><guid isPermaLink="false">http://www.secuobs.com/revue/news/160353.shtml</guid></item>
</channel>
</rss>
