Monday, April 26, 2010

Thotcon Slides - SSL Screw Ups

Here are the slides from Friday's Thotcon presentation on SSL. Great conference! Enjoy the slides.


-Michael Coates

Monday, April 19, 2010

OWASP Top 10 Released


OWASP Top 10 - 2010 has been officially released. Download the PDF now.

The 2010 Top 10
Lots more detail in the document itself. Make sure to take a look.

Also, towards the end of the document is a section labeled "Additional Risks to Consider". I encourage you to read "Lack of Intrusion Detection and Response".



-Michael Coates

Thursday, April 15, 2010

IE8 XSS Bypass - BlackHat Europe Slides

IE8's anti-XSS control has been discussed in several articles and recent posts (here, here and here). The researchers who discovered the XSS issue in the anti-XSS control (ironic, huh?) presented at BlackHat, and their slides are below.

The gist of the issue is that a flaw in the anti-XSS control introduces XSS into otherwise safe sites. Needless to say, this is really bad.

[pics from presenter's slides]

This issue has been fixed by a Microsoft patch, so the remaining attack vector is against users who have upgraded to IE8 but haven't applied recent patches. I would guess this is not a large number (no data to back that up).

However, the issue raises a bigger concern: the blacklist approach and the sanitization performed by IE8's XSS filter can introduce XSS vulnerabilities into an otherwise safe site. That is a scary scenario. As the presenters put it, you shouldn't necessarily disable the XSS protection, but you should be ready to disable it if a 0-day against the XSS filter is released.


Slides from the event


A little further analysis on one of the above examples:

I looked into the Wikipedia example. The URL is as follows (this will fire in a vulnerable version of IE8):

http://en.wikipedia.org/w/index.php?title=Cross-site_scripting&oldid=312565384&foo="/wiki/File:Wikipedesketch1.png"class="image"><img alt=

This plays off of the code already present in the wiki page, which looks like this:

<div class="thumbinner" style="width:222px;"><a href="/wiki/File:Wikipedesketch1.png" class="image"><img alt="x onerror=alert(1) onload=alert(2) y"src="http://upload.wikimedia.org/wikipedia/commons/thumb/d/d4/Wikipedesketch1.png/220px-Wikipedesketch1.png" width="220" height="224" class="thumbimage" /></a>

The anti-XSS filter's regex fires on the URL and modifies the response. That modification turns benign text into malicious XSS, and hence the alert(2) fires. Interesting stuff. See the presentation for a more in-depth description.
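The mechanism above, as an added Python model that is not from the post or the presenters: a toy reflective-XSS filter that "neuters" an echoed request fragment by rewriting the response, parsed with html.parser to show which on* attributes become live, beside a filter that blocks instead of rewriting. The whitespace-tolerant matching and the '#' substitution are assumptions of this model, not IE8's real signatures, and the page fragment is constructed from the quoted markup with shortened paths.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed fragment modelled on the quoted Wikipedia markup: benign, because
# the on* handlers sit inside the quoted alt value.
BENIGN_HTML = (
    '<a href="/wiki/File:Wikipedesketch1.png" class="image">'
    '<img alt="x onerror=alert(1) onload=alert(2) y"'
    'src="/thumb/220px-Wikipedesketch1.png" width="220" /></a>'
)
# The request from the post, with the injected "foo" parameter.
ATTACK_URL = ('http://en.wikipedia.org/w/index.php?title=Cross-site_scripting'
              '&foo="/wiki/File:Wikipedesketch1.png"class="image"><img alt=')


def echoed_fragments(request_url, response_html):
    """(start, end) spans where a tag-like query value is echoed in the response.
    Matching ignores whitespace, like a filter signature would (assumption)."""
    spans = []
    for values in parse_qs(urlparse(request_url).query, keep_blank_values=True).values():
        for v in values:
            if '<' in v:
                m = re.search(r'\s*'.join(re.escape(c) for c in v), response_html)
                if m:
                    spans.append(m.span())
    return spans


def neutering_filter(request_url, response_html):
    """Rewrite strategy: break the echoed match by turning its last '=' into '#'
    (the '#' substitution is an assumption of this toy model)."""
    for start, end in echoed_fragments(request_url, response_html):
        frag = response_html[start:end]
        i = frag.rfind('=')
        response_html = response_html[:start] + frag[:i] + '#' + frag[i + 1:] + response_html[end:]
    return response_html


def blocking_filter(request_url, response_html):
    """Safer strategy: refuse to render the page instead of editing its markup."""
    return None if echoed_fragments(request_url, response_html) else response_html


class HandlerCollector(HTMLParser):
    """Records every on* attribute a browser-like parser would treat as live."""
    def __init__(self):
        super().__init__()
        self.handlers = []

    def handle_starttag(self, tag, attrs):
        self.handlers += [(tag, n, v) for n, v in attrs if n.startswith('on')]


def live_event_handlers(html):
    parser = HandlerCollector()
    parser.feed(html)
    parser.close()
    return parser.handlers
```

Run against BENIGN_HTML the benign page yields no handlers, the rewritten page yields live onerror and onload attributes on the img tag, and the blocking filter simply refuses to render the page for the injected request.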


-Michael Coates

Monday, April 12, 2010

Presentation SSL Screw-Ups @ Thotcon - Chicago 4/23/2010

****************************************
***BEGIN THOTCON TRANSMISSION***********

What: THOTCON 0x1
When: Friday, April 23, 2010
Where: TBA - 1 Week Prior to Conference
Tickets: SOLD OUT!
****************************************

THOTCON (pronounced \ˈthȯt\ and taken from THree - One - Two) is a new small venue hacking conference based in Chicago IL, USA. This is a non-profit, non-commercial event looking to provide the best conference possible on a very limited budget.

*** SCHEDULE *************************** 
...
10:50 AM - SSL SCREW-UP - COATES

...