Opera to support HttpOnly
Heya. I haven’t blogged in a while but I do want to start getting back into it.
So, we’ll start with something small.
I read this article the other day about updates coming to Opera in 9.5 and was pleasantly surprised to read that it will support HttpOnly cookies. Now, if you don’t know what that is I’ll give a quick run-down. Normally, cookies can be accessed from scripts with things like document.cookie in JavaScript. Along with the normal cookie attributes, you can add the HttpOnly flag to a Set-Cookie header. This means the cookie cannot normally be read by any means other than the browser sending it in an HTTP request. This slightly mitigates using XSS to steal credentials, as you can no longer read the cookie with JavaScript and send it out, but it obviously doesn’t stop phishing by any means. Many sites do use HttpOnly cookies but currently, only Internet Explorer supports it. If you use a browser that doesn’t support it, the cookie is simply downgraded to a normal cookie. To be fair, Firefox 3 is planned to have support for it as well, but it seems Opera 9.5 will be out before FF3. At any rate, while this won’t stop XSS, it basically eliminates the risk of cookie theft.
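An added example (my own code, not from the post or from any browser vendor) that models the behaviour described above: a browser that understands the HttpOnly flag keeps such cookies out of document.cookie, while an older browser ignores the flag and the cookie is downgraded to a normal one. The parser and the `missing_httponly` audit helper are mine; the sample Set-Cookie headers are constructed.

```python
"""Set-Cookie / HttpOnly walkthrough (added example, not from the original post)."""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    http_only: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse one Set-Cookie header value; attribute names are case-insensitive.

    Only the HttpOnly flag is kept, since that is the point of this example.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    http_only = any(p.lower() == "httponly" for p in parts[1:])
    return Cookie(name.strip(), value.strip(), http_only)


def build_set_cookie(name: str, value: str, http_only: bool = True) -> str:
    """Server side: emit a Set-Cookie header value, flagged HttpOnly by default."""
    header = f"{name}={value}; Path=/"
    return (header + "; HttpOnly") if http_only else header


def document_cookie(headers: list[str], browser_supports_httponly: bool) -> str:
    """What `document.cookie` would return for the given Set-Cookie headers.

    A supporting browser omits HttpOnly cookies; a non-supporting browser
    ignores the flag, so every cookie is visible to script (the downgrade).
    """
    cookies = [parse_set_cookie(h) for h in headers]
    visible = [c for c in cookies if not (c.http_only and browser_supports_httponly)]
    return "; ".join(f"{c.name}={c.value}" for c in visible)


def missing_httponly(headers: list[str]) -> list[str]:
    """Audit helper: names of cookies set without the HttpOnly flag."""
    return [c.name for c in map(parse_set_cookie, headers) if not c.http_only]


# Constructed sample headers, as a server might send them (not real site data).
SAMPLE_HEADERS = [
    build_set_cookie("sessionid", "abc123"),             # session cookie, HttpOnly
    build_set_cookie("theme", "dark", http_only=False),  # plain preference cookie
]
```

Running `missing_httponly` over the Set-Cookie headers a site actually returns is a quick way to spot session cookies that will still be readable from script.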
Just remember though, cookies aren’t the only credentials that can be stolen with XSS or other methods. ‘Dynamic’ phishing methods that don’t rely on a third-party site are still somewhat hard to detect and should be watched out for.
Stolen history without JavaScript and some news
RSnake has written up an excellent post on stealing a user’s browsing history without the use of JavaScript. Apparently though, there was an obscure, though similar paper written before this. According to Mephisto in the comments, this detects history across multiple instances of the browser, probably because the browser’s history gets updated and the site is using the :visited CSS pseudo-class if you visit it in one instance. Anyways, interesting stuff. Don’t forget to get the XSS book tomorrow!
Also, I’ve set up a new forum on one of my spare machines.
It’s not particularly secure right now as it’s using Debian packages. They tend to be a little out of date. But at least it’s stable. I’ll be making semi-regular backups, so it won’t be a huge issue if it’s hacked. Assuming your DNS has updated by the time you read this, it should be at Kyran.ca. You’ll probably also notice the banner on the right. Yup. Easier sign-up for e-mails @kyran.ca
Coming to an internet near you.
I’ve set up a few things today. First off, a Ventrilo server. Connect to it using the default port and hostname ‘kypvp.servegame.com’. Since it’s the standard server and not the ‘pro’, it’s limited. I might change over to TS at a later point.
Also, I have set up e-mail using my domain and Custom Domains from Windows Live. So, if you want an e-mail@kyran.ca using the Windows Live Mail network, toss me a message.
I also have a Hamachi network set up. kynet and kynet2. If you want to come and play a few rounds of Starcraft or Warcraft, again, drop me a message. I’ll send you the password to the Hamachi networks.
Anyone have any ideas for other things I should setup?
A thousand dollars and a fancy phone.
There was an article going around on a few sites today about Acunetix stating that 70% of websites are at immediate risk of being breached. Soon after, Joe Snyder not only disputed this claim, but bet Acunetix $1000 they couldn’t compromise 3 out of 10 sites. I could use a thousand bucks and I bet even with randomly selected sites I could get at least 5 out of 10. RSnake wrote a post with a bit more info.
Also, Iwatsu selected Opera for use in their new VoIP phone. From the press release,
PRECOT (Premium Communication Tool) is a next generation solution over a broadband IP connection for the enterprise market. With Opera, PRECOT users can access Web mail or any Web page from the convenience of their screen phones.
It will also have phone-to-tag support, which basically turns any number formatted like a phone number into a link; when it’s clicked the phone will call it. Pretty nifty stuff.
Too bad I dislike phones.
Things ahead.
I won’t be blogging about security nearly as much for the next while. Instead, I’ll be taking the technology route as well as making the occasional more personal post. There will still be my opinions on major things in the security world, but I won’t really be contributing much (Have I ever? haha). I just think right now my time can be spent elsewhere. Nothing particularly interesting is going on right now. C’mon, even RSnake has resorted to reading a gigantic click fraud report and making comics. (Funny ones I might add. There are more on the forums.) I’m not sure if that’s because he’s bored or there really is nothing going on in webappsec, but regardless I’ve been looking for an excuse to drop some time-consuming part of my life and security is going to be it for now.
There do seem to be interesting discussions about WAFs, though; even if the topic isn’t particularly new, it sure is interesting. I’ve said it before and I’ll say it again, webappsec will and should follow in the footsteps of network security. Although since a large portion of webappsec is probably social engineering, I don’t think it will all ever be solved. We can patch software, not humans.
Oh and it seems that Opera really is everywhere.
[Paper] Anatomy of a Worm
I just wrote a paper exclusively for SudoLabs.com. It’s about the worm I wrote targeting GaiaOnline.com, aptly named “gaiaworm”. This is the third version of the worm and the first time I’ve ever really written a paper.
Edit 1 - If you link to the paper, link to the blog post instead. I will be updating with links to who has published it as well as other updates. Thanks.
Edit 2 - XSSed.com now has a copy of it. View it here.
Edit 3 - Apparently SudoLabs forums are dead for now. View the XSSed.com copy above!
Keep an eye out.
Soon I’ll be releasing a small paper to Sudolabs.com and XSSED.com
Keep an eye out.
Cross-Site Scripting : The book!
I figured this would happen for a while, then he told us he was working on it, but here it finally is!
RSnake (a.k.a. Robert Hansen) has literally written the book on XSS. Well, he is a contributor, along with Seth Fogie, Jeremiah Grossman and Anton Rager. I’m really excited about this. According to the Amazon.com description, it covers the basics as well as some of the more bleeding-edge stuff. It’s set to release March 1, 2007.
You should go pre-order it now. I know I’ll be picking this up.
WASPS (Jan. 2007)
Jeremiah just posted the results of the Web Application Security Professionals Survey (I’m hereby shortening it to WASPS) for Jan. 2007.
Rather interesting results coming in this time. First off, RSnake’s blog is apparently the most popular place for the web app sec guys that responded. Next, there was an interesting question about AJAX.
Does using Ajax technology open up new website attacks?
a) Yes (9%)
b) Yes, it adds some new things (35%)
c) No, but it increases the attack surface (40%)
d) Nothing new here, move along (5%)
e) Other (9%)
No Answer (2%)
Now, that in itself isn’t too interesting, but there was a comment from one of the respondents that Jeremiah posted.
“It can increase the attack surface, but more importantly, Ajax technologies are being used to create better exploits. Focusing on whether using Ajax technologies creates new vulnerabilities is causing many people to look the wrong way when crossing the road.”
I totally agree with this one. I haven’t used Ajax for developing web applications at all. I find most of it can be done on the server side. On the other hand, I can use the XHR object to easily and quietly execute some actions on behalf of the afflicted user, such as propagating an XSS worm.
Another quick interesting note: only 2% of respondents said they thought browser security was rock-solid. I agree with everyone but those 2%. I really think something we need to work on is some sort of client-side protection. It’s much more difficult to teach every single developer secure coding practices than to develop an anti-XSS Firefox extension. We really need to get the browser community working on this.
Snap’s shots execute JavaScript?
While checking out the new Themes and Widgets on these WordPress.com blogs, I noticed they had implemented Snap Preview. Snap is a fairly promising search engine that offers JavaScript-based link previews on any page.
These ‘Snap’ shots are presumably identical to the ones the search engine itself uses (it allows for previewing of search results for ease of use).
Now, this is all fairly harmless and seemingly pointless, except that it seems they not only use a Gecko-based browser (probably Firefox) to spider sites (or at the least, take their snapshots), but also run the JavaScript on those pages.
Take a look at this screenshot of a MySpace page with an older persistent XSS on it.

As you can see, there is an alert() in the Snap Preview.
I knew Google indexes XSS, but actually running the JS seems like bad practice…