90% Exploitable – Is this progress?

It’s been nearly three years since many of us estimated that 9 out of 10 sites had at least one flaw, while most had more. I have not been too active in the security world as of late (though this will change soon!), but I would have hoped we would have made some sort of progress. It seems XSS is still amazingly pervasive, and CSRF, the now-waking giant, is not far behind.

As Darkreading reports, WhiteHat has issued a press release which states that around 9 of 10 sites have at least one vulnerability, while the average site has around six or seven. I have rarely seen WAFs as the solution, but even over a few years, nearly an eternity for the internet, little to no progress has obviously been made. So, perhaps it is finally time. In the white hats’ defense, though, the odds are amazingly against them. Over a hundred million sites operate now. The 1 in 10 sites that is safe is often brochure-ware: a site with little or no interactivity, static HTML on secure servers.

Perhaps we ARE making developers more security-minded and making progress. I do remember saying this a while back.

Many sites are vulnerable to XSS, and since all Websites change, eventually another XSS hole will probably open up on sites previously thought [of as] safe.

This seems to remain fairly true today. The very nature of interactive websites, combined with their being revamped fairly often, means that it’s all very dynamic and thus, apparently, very insecure.

Oh well. At least with my inactivity as of late, I won’t be heading to an early grave.

CSRF ramblings

I was reading over this post by Robert Hansen of SecTheory just after reading a post of mine about Opera phone integration. It got me thinking, specifically this part:

It will also have phone to tag support, which basically turns any numbers formatted like a phone number into a link, and when it’s clicked, the phone will call it. Pretty nifty stuff.

That would be some damn interesting CSRF. Take control of the browser and force the loading of the phone’s calling directive (e.g. callto://). You could get a person to call your costly line while they are browsing the net. Use caller ID and add them to some sort of calling list. If the phone and browser are integrated enough, perhaps even steal some other data, like contacts or service provider, or even their phone number if they have their number privately listed.

As if I needed another reason to hate phones.

