BSides San Francisco

Posted on
Reply

Voting on BSides SF presentations closes this Friday (Feb 2nd). If you’ll be in San Francisco for RSA, make sure to check out BSides as well. It’s also a chance to learn about a JavaScript-based approach to fingerprinting web app frameworks — but only if you vote for Blind Fury!

Blind Fury: An Alternate Web App Fingerprinting Technique

Web app fingerprinting attempts to identify the type and version of frameworks installed on a web site. Knowledge of frameworks and their version helps determine whether a site has kept up to date with security patches. Accurate fingerprinting can be more efficient and less intrusive than blackbox vulnerability scanning for identifying potential vulnerabilities.

Traditional approaches to fingerprinting web applications rely on brute force enumeration of pages, scraping content with regexes, or hybrids of the two. These are suboptimal. Page enumeration is bandwidth-intensive. Its accuracy falls when “install” files are removed or pages are minified. Regexes are prone to errors of matching incorrect content or are defeated by simple site modification (such as removing <meta> content). These techniques tend to identify the presence of pages on a site, but do not indicate whether the files are actually used of the application.

Blind Fury uses a new approach that does not rely on page enumeration or regexes. Yet it is still able to identify several popular frameworks. In fact, the technique can be extended to generate fingerprints for almost any type of web site. It can create and analyze fingerprints from a completely blackbox perspective; it does not require prior knowledge of a target’s directory structure.

If you love Rutger Hauer movies, vote for Blind Fury.

Fear not, regardless of the outcome of voting, I’ll be posting more about it at the end of the month.

p.s. Regular visitors may have noticed that the site has moved to WordPress.com from Blogger (saying good-bye to negative privacy and policy changes). The only drawback so far is that some of the archive links are broken because they were originally saved as year/month rather than year/month/day. All of the content remains, just under a slightly different link.

 

 

Google Darts Back to VBScript

Posted on
Reply

There’s an interesting discussion evolving on the WebKit developer’s mailing list that boils down to adding VBScript support to the project. Well, almost. It’s a discussion between two major contributor camps, Google and Apple, on the framework for integrating Google’s langue du jourDart.

To set the stage, no one on the list is arguing in bad faith. If you’d prefer the troll-baiting titillation of he said/she said threads, look elsewhere. Never the less, keep reading here and you’ll be rewarded with a pontifical comment or two.

So, back to Google’s desire to include VBScript to the WebKit browser engine. I mean Dart; I believe they call it Dart because four fewer letters improves efficiency. The basic idea is that JavaScript is nice, but insufficient to fully replicate certain kinds of desktop apps. For example, JavaScript becomes creaky if you push it to handle anything associated with frame rates — namely games.

There’s clearly self-interest in improving browser computing if your entire platform relies on the browser. For starters, you want a browser that won’t have ad-blocking on by default. And you’ll want to smooth out the wrinkles of something like a Do Not Track header.1,2 Sometimes, it’s even convenient to get other browsers, say Internet Explorer, to catch up on technology by plugging your own browser into them.3 (Never mind the implications of a browser in a browser.4,5) That brouhaha of 2009 enabled users to experience brave, new products with their Chrome/IE chimera — which in hindsight must have been necessary since the product was no longer around by the time IE caught up on HTML5.6

But all of that avoids the fact that JavaScript isn’t perfect. Enter Dart, accompanied by tweaks that make it more bare-metal-compiler friendly

On the other hand, maybe JavaScript (ahem, the ECMAScript standard) just needs its own tweaking to enable performance gains.7,8 And while we’re on this JavaScript tirade, why not throw improve our privacy with some crypto-related capabilities rather than start over with VBDart?9

ECMADart isn’t Google’s sole flirtation with browser extensions. Google also wants to reinvent ActiveX in the form of a plugin called NaCl.10 NaCl is a sort of the arterial bypass of JavaScript in that it provides a way to execute native code (C or C++) in your browser. Instead of relying on the non-standard closed sandbox plugins like Flash or Silverlight you can rely on the non-standard open source sandbox plugin of NaCl.

Words That Start With E

Understand first that reinvention intends to improve upon the original. Hollywood likes to call this “rebooting” a franchise. This brings us cool Batman movies. At the price of yet another Batman movie. Or yet another Superman. Or Spiderman. (Hey, Star Trek was pretty awesome so reboots aren’t out-of-hand a bad idea.) Yet this pushes other, fresher ideas out of the way. In web terms, those other, fresher ideas involve developers embracing HTML5 and JavaScript as the standard deployment model for web apps rather than coding to browser quirks or throwing Flash-driven menus everywhere.

Now fill in the blank: Reinventing a technology is a great way to [ ____ ]

Even desultory readers should notice the biased presentation of choices: Three phrases of cliched meaninglessness and one possibly-too-subtle allusion to the dark times of an almost two decade-old past. It wasn’t until the late 90′s when a Rolling Stones‘ song first graced a t.v. commercial. Their song, “Start Me Up,” played over an ad (this is the dark times part) for Microsoft — the company that created the “embrace, extend, and extinguish” strategy to give Internet Explorer dominance in the browser market.

One great way to embrace and extend is to provide New! Cool! features that work great in one browser, but degrade or don’t exist in any other. A new scripting language is one way to do that, even if it’s as useful as VBDript. To be fair, plugins like Flash and Silverlight need to be pulled into this category. Java counts as cross-platform, but when was the last time you used a Java app in your browser? When was the last time a hacker did? (Hint: Probably more recently than you think.)12

Stepping outside of boundaries isn’t always bad. After all, a foundation of the modern web, the XMLHttpRequest object, arose from an IE-only extension.13 A detraction further compounded by requiring ActiveX. XHR’s adoption into the W3C standards was both acknowledgement of the feature’s widely recognized utility as well as the desire to make the feature equal among all browsers.

All You Need is <!doctype html>

Maybe everything doesn’t have to go into the browser. Yes, I can think of a few reasons why App stores (trademarked ones and not) equally threaten divergence and uncrossable platforms. But at least consider the app+device duo has a better security model than the browser. The browser’s model is mostly a Same Origin Policy affair, whereas you ostensibly have to approve and acknowledge certain behaviors for your sandboxed app.

The worst thing you can do is sign up to the WebKit developers list in order to spam it with flaming, troll-ridden diatribes for or against JavaDart. Let engineers more involved in the browser sausage making sort it out with their constructive conversation.

The best thing you can do is continue to create cool web sites with technology that works in every browser: HTML5 and JavaScript. Let the annoying litter of the Web’s past (pop-up windows, scrolling marquees, even Flash has a terminal diagnosis by now) scatter in what the Scorpions so awesomely sung as the “Wind of Change.”

=====
[1] http://googlepublicpolicy.blogspot.com/2011/01/keep-your-opt-outs.html
[2] http://www.w3.org/Submission/web-tracking-protection/
[3] http://arstechnica.com/open-source/news/2009/09/google-brings-chromes-renderer-to-ie-with-browser-plugin.ars
[4] http://shaver.off.net/diary/2009/09/28/thoughts-on-chrome-frame/
[5] http://blog.lizardwrangler.com/2009/09/28/browser-soup-and-chrome-frame/
[6] http://googlewave.blogspot.com/2011/11/final-steps-for-google-wave.html
[7] http://www.ecmascript.org/
[8] http://blogs.msdn.com/b/ie/archive/2011/11/22/evolving-ecmascript.aspx
[9] https://wiki.mozilla.org/Privacy/Features/DOMCryptAPISpec/Latest
[10] http://www.chromium.org/nativeclient
[11] http://www.economist.com/node/298112?Story_ID=298112
[12] http://blogs.technet.com/b/mmpc/archive/2010/10/18/have-you-checked-the-java.aspx
[13] http://support.microsoft.com/kb/285081

The Twelve Web Security Truths

Posted on
Reply

My current writing project has taken time away from adding new content lately. Here’s a brief interlude of The Twelve Web Security Truths I’ve been toying with as a side project. They are modeled on The Twelve Networking Truths from RFC 1925.

  1. Software execution is less secure than software design, but running code has more users.
  2. The time saved by not using parameterized queries to build SQL statements should be used to read about using parameterized queries.
  3. Same Origin Policy restricts the DOM access and JavaScript behavior of content loaded from multiple origins. Malware only cares about plugin and browser versions.
  4. Content like XSS exploits are affected by the Same Origin Policy, which is nice for XSS attacks that inject into the site’s origin.
  5. CSRF countermeasures like Origin headers mitigate CSRF, not XSS. Just like X-Frame-Options mitigates clickjacking, not XSS.
  6. Making data safe for serialization with JSON does not make the data safe for the site.
  7. There are four XSS vulns in your site today. Hackers will find two of them, the security team will find one, the dev team will introduce another one tomorrow.
  8. Blacklists miss the payload syntax that works.
  9. A site that secures user data still needs to work on the privacy of user data.
  10. Hashing passwords with 1000-round PBKDF2 increases the work factor to brute force the login page by a factor of 1. Increasing this to a 10,000-round PBKDF2 scheme provides an additional increase by a factor of 1.
  11. The vulnerabilities in “web 2.0″ sites occur against the same HTML and JavaScript capabilities of “web 1.0″ sites. HTML5 makes this different in the same way.
  12. A site is secure when a compromise can be detected, defined, and fixed with minimal effort and users are notified about it.
  13. Off-by-one errors only happen in C.

Enjoy. And stick around for (the not quite yet imminent arrival of) new content. Thanks for reading!

RSA Europe 2011

Posted on
Reply

Here are the slides I used for my presentation at RSA 2011 Europe. The topic was HTML5 with an emphasis on distinguishing between HTML5 features that may present vulnerabilities vs. how HTML5 would simply be leveraged as part of older exploits. It also touches on broader aspects of web security such as design vs. implementation issues, the impact of mobile devices, and how using frameworks can improve security — as long as the frameworks themselves are good.

Denial of Service

Posted on
Reply

Denial of service (DoS) attacks are the bluntest of tools in the web application exploit arsenal. The coarsest of attacks employ nothing more than a flood of packets that overwhelm the target’s capability to handle such an amount of traffic. Most likely, the web application itself never sees the full effect of the assault because the network stacks of the underlying operating system and network devices fall over before legitimate traffic percolates up to the application.
DoS appeared on the original OWASP Top 10 list from 2004 (entry A91) with allusions to bandwidth and server resource consumption. At the TCP layer, most DoS attacks are agnostic of the target’s services. Bandwidth flooding, packet fragmentation, and similar techniques apply either to the protocol itself (TCP, UDP, or even ICMP) or take advantage of vulnerabilities in an operating system’s network stack. As a consequence, such attacks typically fall out of the purview of web application developers or are treated as parallel issues that cannot rightfully be addressed at the application layer.
On the other hand, the class of DoS attacks that target resource consumption (CPU cycles, memory, database contention, etc.) can and should be addressed by the web application (and by extension the web server and database engine). These types of attacks don’t have universal applicability that most network layer attacks do, but that is of little consolation if you’re in charge of the targeted web site.
In The Book’s chapter about SQL injection (Chapter 3, p. 48) there’s an example of how a vulnerable link was used as leverage in a DoS attack against the RIAA’s web site. Instead of attempting to pilfer data or compromise the system, the SQL attack executed MySQL’s BENCHMARK command millions of times in order to spike the CPU’s utilization.
These resource consumption attacks place a lopsided burden on the victim’s system relative to the attacker’s. In contrast, bandwidth-based attacks tend to require a roughly equivalent amount of resources between the attacker and victim. (Keep in mind that distributed denial of service, or DDoS, require the attacker to have active or “zombie” cohorts of compromised systems to launch the attack.) The previously mentioned SQL statement can be delivered in a single GET request from the attacker, but the effects last much longer on the victim’s side.
Resource consumption attacks need to exploit a specific vuln. Instead of looking for SQL injection vectors an attacker might simply look for search-style functionality on the target web site. If the search ends up causing the equivalent of a full table scan in a database, or hits an otherwise unoptimized query, then the attacker could hammer that particular link to sink the target. Sites that execute user-supplied regular expressions expose themselves to a similar problem. Regex patterns can be equally inscrutable, deathly recursive, and inefficient. Good developers spend time crafting concise, effective patterns, but an adversarial user might create a pattern that leads the regex engine down the path of heavy CPU use.
Interesting attacks also target protocols. The stateless nature of UDP, for example, makes it trivial to spoof packets. HTTP lays atop TCP, which severely limits the success of spoofing attacks, but exposes trickier scenarios that combine TCP and HTTP properties to create a hybridized attack in which a few well-crafted, valid packets can lead a web server to set aside large amounts of memory for only a handful of requests.
A recently released tool, slowhttptest2, demonstrates this so-called “Slow HTTP” or “slowloris”attack. Check out the tool’s documentation and its related links for insight on how the attack works. The tool also demonstrates the “Apache Killer” attack that showed up in the last few weeks.4
This isn’t a tech-heavy post about DoS and protocol analysis. Instead, I wanted to highlight some recent noise that’s been made about this kind of attack. This also leads to the larger issue of “securing to the checklist” or focusing on the attacks made popular at security conferences vs. attacks occurring in the wild.
It’s easy to dismiss bandwidth consumption attacks as intractable problems for web apps that lack the server distribution and resources of sites like Facebook, Microsoft, Yahoo!, Google, or Amazon. Many site developers simply don’t have the means to react effectively.
Resource consumption attacks are another matter. (Bandwidth doesn’t count as a resource for this purpose.) The emergence of adversarial groups like Anonymous, Antisec, and Lulzsec demonstrate the continued utility of blunt DoS as well as how apparently easy it is to find SQL injection vulnerabilities. (…and unencrypted passwords.)
These groups launch DoS attacks from ideological motives that seem to boil down to fighting noise with greater noise; silencing opposition rather than amplifying their own message. Regardless of the drive, the desire to continue DoS attacks should be evident and will likely lead to tools that reach higher into the protocol layer than crude packet stuffing. (Determining the merit of this approach belongs in another post, so we’ll depart this aspect of the discussion for now.)
Most DoS attacks are neither new nor particularly innovative, although there are clear improvements on the theme as shown by tools like slowhttptest and Apache Killer. The “slow” attacks and protocol abuse as demonstrated by these tools show how web developers can in fact improve their architecture and web servers to be more resistant. The continued presence of SQL injection, despite clear, simple, effective countermeasures reveals that not everyone pays attention to advances in security.
Web security seems to favor the attacker — look at the prevalence of “Yet Another XSS Exploit” at security conferences vs. the amount of discussion on countermeasures. (Perhaps also due to the perspective that attack is fun and defense is boring.) DoS attacks don’t have to move beyond the LOIC5 to be effective in taking down most sites, but the nature of the attack will be sure to improve and it would behoove site developers to keep this in mind as they configure and deploy web applications. 

=====

1 https://www.owasp.org/index.php/A9_2004_Application_Denial_of_Service
2 http://code.google.com/p/slowhttptest/
3 http://ha.ckers.org/slowloris/
4 http://seclists.org/fulldisclosure/2011/Aug/301
5 http://sourceforge.net/projects/loic/

A Brief Return to CSRF

Posted on
Reply

Attention to CSRF seems to ebb and flood against the popularity of yet another XSS or SQL injection. Here’s some insight1 into the projects I work on related to web scanning, specifically how some kinds of CSRF detections can be automated.

CSRF detection definitely falls into the “hard” category of automation. The Book discusses CSRF in Chapter 2. You may also be interested in reading the excellent Stanford Web Security Research papers on the topic.2

CSRF is a complex topic that engenders a lot of strong opinions on risk, exploitation, and what constitutes a vuln. A few months ago I wrote on the broader aspects of web security and how they do or do not relate to CSRF.

Since July was a rather dry period for updates here, I’ll take August to dive into some of the ways automated CSRF detection succeeds and which approaches are doomed to fail.

=====

1 https://community.qualys.com/blogs/securitylabs/2011/08/10/the-was-approach-to-csrf
2 http://seclab.stanford.edu/websec/csrf/
3 http://www.deadliestwebattacks.com/2011/04/csrf-and-beyond.html

A Social Phailure

Posted on
Reply

It’s no uncommon event for your email spam folder to be full of phishing emails exhorting you to confirm your SSN or credit card details with your bank or demanding your account details for an online game to avoid it being canceled because of cheating activity detected. It’s less often that the phishing attempt arrives over the phone.

Last week I answered a call on my work phone whose caller ID showed “unknown”. I’m already predisposed to ignore such calls because of telemarketing. However I can imagine some situations where one of our customers’ phone exchanges would not appear on caller ID. So I answer.

A man politely informs me that he needs to confirm my email address in order to send me a tracking number for a FedEx package. I prefer to think that I’m a suspicious person rather than a cynical one. This statement was immediately suspicious because it was an out-of-the-blue attempt to extract information from me and I rarely receive packages. To be clear, my work email address is trivial to find (as apparently is my phone number). In fact, the caller had the correct email address. He only wanted me to confirm it.

I evaded acknowledging the email address which led the caller1 to assert that the package couldn’t be sent without giving me a tracking number. Here he also tried to deflect my suspicion by mentioning that the package was from Chase Bank. And it was to be delivered tomorrow, but I needed to confirm my email so “They” could send me the tracking number.

I mentioned that I was confused why the package couldn’t arrive unless the tracking number was acknowledged. A little earlier in the conversation I had asked the caller’s name. He replied, “Jason.” Now I asked another question, “Could you tell me who the sender is?” After all, maybe I’m being overly cautious and Chase Bank wants to send me lots of cash for some reason.

The answer was even more telling, “We don’t have access to that data. For privacy reasons.” Even though the package was apparently coming from Chase, I was being told that the sender’s information was obscured from this poor FedEx rep’s view. Giving me a somewhat contradictory explanation doesn’t build my confidence in the goal of this call.

By now I was explaining that if the package doesn’t arrive because I refused to acknowledge my email address then I was sure the sender would deal with the problem. The caller made a final effort at confirmation, at which point I said something along the lines of, “Send an email if you want, but I’m not going to look at it. We’ll see if a package arrives.”

There’s potential for fun to be had with turning the tables on cons and phone phishing attempts like this. Yet the call was grating and it was time to hang up. Neither email nor package arrived. Quelle surprise.

I can only speculate on the ultimate goal of this phishing attempt, but I suspect the immediate objective was to soothe any suspicions about receiving an unsolicited “Fedex package tracking” link so that I’d click on it. I would probably also have been reminded to check my spam folder in case the email was accidentally marked as spam. A link, of course, leading to a site laced with malware that would like nothing else than to infect my already abysmally slow desktop.

The simplest, most straight-forward way to end the call could have been, “I have a pen and paper right here. You can just give me the number now.” This would not only have called the bluff, but might have provided brief entertainment as the caller tries to make up an excuse for not being able to give the number over the phone or lamely creates a number on the fly.

There are some very basic things you can do to possibly foil a social engineering attempt or build confidence in the claims of an unsolicited caller. The easiest step is to politely ask simple questions:

  • What’s your name? On who’s behalf are you calling?
  • Do you have a number I where can call you back?

If you’re confused about something or a statement seems odd, ask for clarification. Social engineering usually relies on the human characteristics of greed or the desire to be helpful. You don’t need to counter a possible attack by being rude or belligerent (although it probably helps to not be greedy). After all, someone may be calling for good reason.

Good questions might fluster the attacker or further erode your trust in the call. However, there’s always the chance that answers will seem reasonable. In any case, you can always report suspicious calls to your IT or security department. That way you can help them identify a trend or to be more vigilant for certain activity. You probably don’t want to be the reason your company’s passwords, source code, or financials appear on a peer-to-peer file sharing network.

=====

1 I’m being nice by referring to him as “caller”. Unethical jerk is merely the tip of the iceberg of more suitable names.