RETURN $ecure;

Security, Technology and Life

WASWiki and my return.


I was originally going to post about ideas for learning grounds for web application security. But the sla.ckers IRC (#slackers on irc.irchighway.net) pointed me first to OWASP. I realized this was already quite a goldmine of information, but it doesn’t seem too newb friendly, plus much of it seems to be theory rather than direct examples. So then kuza55 reminded me of webappsecwiki.com. It’s pretty bare, but I believe we can turn this site into a more practical learning site. It’s already going in the correct direction in my opinion.

Anyways, enough of my dreams of grandeur; I am going to start getting back into web application security. Aside from the trusted third party whitelisting issues (otherwise known as XSSing YouTube mods) I talked about in the #slackers channel, I have not contributed much lately. Things are yet again more stable in my life, so I have time to do research and whatnot now. I’m going to start using WordPress.com again for various reasons. First, it’s easier than hosting my own; although it may incur some security issues, I’m sure it will be nothing major. Secondly, it’s already linked to by several people. It has some PR. So I hope to be able to contribute more soon!

Written by Rodney G

11/13/2007 at 11:35 pm

Posted in Life, Security


The Murky Science of Web Application Security


Jeremiah had a talk with Simson Garfinkel about Web Application Security recently. You can read Jeremiah’s post here and the full article here.

There is nothing new at all from a security perspective in this article, but it really lives up to its name as an introduction to Web App Sec. It points out a few things we already knew, such as the scary fact that up to 80 percent of all websites suffer from some sort of vulnerability. The ones that don’t are mostly static HTML sites with no complex backend, ‘brochure-ware’ as the article calls it.

It also elaborates on some of the issues that must be faced, such as the need for secure coding. In most cases (but not all) it’s pretty bad practice to just slap on a WAF and hope for the best. As this quote points out:

 Yes, it would be nice to eliminate these well-known bugs with better coding practices. But we live in the real world. It’s better to look for the bugs and fix them than to simply cross your fingers and hope that they aren’t there.

So all in all, if you’re a frustrated web app sec guy, this is a great article to show the higher ups. Murky indeed. As RSnake would say, clear as mud?

Written by Rodney G

05/14/2007 at 11:00 am

Posted in Uncategorized


Opera to support HttpOnly


Heya. I haven’t blogged in awhile but I do want to start getting back into it.

So, we’ll start with something small.

I read this article the other day about updates coming to Opera in 9.5 and was pleasantly surprised to read that it will support HttpOnly cookies. Now, if you don’t know what that is, I’ll give a quick run-down. Normally, cookies can be accessed by scripts through things like document.cookie in JavaScript. In the Set-Cookie header, alongside the normal cookie attributes, you can add the HttpOnly flag. This means the cookie cannot normally be read by any means other than the browser sending it in an HTTP request. This slightly mitigates using XSS to steal credentials, since you can no longer read the cookie with JavaScript and send it out, but it obviously doesn’t stop phishing by any means. Many sites do use HttpOnly cookies, but currently only Internet Explorer supports it. If you use a browser that doesn’t support it, the flag is simply ignored and the cookie is downgraded to a normal cookie. To be fair, Firefox 3 is planned to have support for it as well, but it seems Opera 9.5 will be out before FF3. At any rate, while this won’t stop XSS, it basically eliminates the risk of cookie theft.

Just remember though, cookies aren’t the only credentials that can be stolen with XSS or other methods. ‘Dynamic’ phishing methods that don’t rely on a third-party site are still somewhat hard to detect and should be watched out for.
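As an added example (not code from the original post), here is a small audit that parses Set-Cookie headers the way the post describes and flags session-looking cookies that script could still read because the HttpOnly flag is missing. The header values and the list of session-like name hints are constructed for illustration.

```python
# Added example: audit Set-Cookie headers for the HttpOnly flag described above.
# The sample headers and SESSION_HINTS below are constructed, not from any real site.
from dataclasses import dataclass


@dataclass
class CookieReport:
    name: str
    http_only: bool
    secure: bool
    looks_like_session: bool


# Constructed, non-exhaustive substrings that usually mark a login session cookie.
SESSION_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header_value: str) -> CookieReport:
    """Parse one Set-Cookie value: 'name=value; Attr; Attr=val; ...'."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    # Attribute names are case-insensitive; HttpOnly and Secure are bare flags.
    # A browser that does not know HttpOnly simply ignores it (the downgrade
    # the post mentions), so the server must still send it for capable browsers.
    flags = {p.split("=", 1)[0].strip().lower() for p in parts[1:] if p}
    return CookieReport(
        name=name,
        http_only="httponly" in flags,
        secure="secure" in flags,
        looks_like_session=any(h in name.lower() for h in SESSION_HINTS),
    )


def audit_set_cookies(headers: list[str]) -> list[str]:
    """Return one finding per session-like cookie readable via document.cookie."""
    findings = []
    for value in headers:
        report = parse_set_cookie(value)
        if report.looks_like_session and not report.http_only:
            findings.append(f"{report.name}: readable via document.cookie (no HttpOnly)")
    return findings


# Constructed sample Set-Cookie values, as a server might send them.
SAMPLE_HEADERS = [
    "PHPSESSID=abc123; Path=/; HttpOnly",
    "auth_token=deadbeef; Path=/; Secure",
    "theme=dark; Path=/",
]

if __name__ == "__main__":
    for finding in audit_set_cookies(SAMPLE_HEADERS):
        print(finding)
```

Only the second sample cookie is reported: PHPSESSID carries HttpOnly, and the theme cookie holds no credential worth flagging.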

Written by Rodney G

05/10/2007 at 1:37 pm

Posted in Uncategorized


Stolen history without Javascript and some news


RSnake has written up an excellent post on stealing a user’s browsing history without the use of JavaScript. Apparently though, there was an obscure, similar paper written before this. According to Mephisto in the comments, this detects history across multiple instances of the browser, probably because the browser’s history gets updated and the site is using the :visited CSS selector, so visiting it in one instance is enough. Anyways, interesting stuff. Don’t forget to get the XSS book tomorrow!

Also, I’ve set up a new forum on one of my spare machines. It’s not particularly secure right now as it’s using Debian packages. They tend to be a little out of date. But at least it’s stable. I’ll be making semi-regular backups, so it won’t be a huge issue if it’s hacked. Assuming your DNS has updated by the time you read this, it should be at Kyran.ca. You’ll probably also notice the banner on the right. Yup. Easier sign-up for e-mails @kyran.ca.

Written by Rodney G

02/28/2007 at 9:49 pm

Posted in Uncategorized


A thousand dollars and a fancy phone.


There was an article going around on a few sites today about Acunetix stating that 70% of websites are at immediate risk of being breached. Soon after, Joe Snyder not only disputed this claim, but bet Acunetix $1000 they couldn’t compromise 3 out of 10 sites. I could use a thousand bucks and I bet even with randomly selected sites I could get at least 5 out of 10. RSnake wrote a post with a bit more info.

Also, Iwatsu selected Opera for use in their new VoIP phone. From the press release,

PRECOT (Premium Communication Tool) is a next generation solution over a broadband IP connection for the enterprise market. With Opera, PRECOT users can access Web mail or any Web page from the convenience of their screen phones.

It will also have phone-to-tag support, which basically turns any numbers formatted like a phone number into a link; when it’s clicked, the phone calls it. Pretty nifty stuff.

Too bad I dislike phones.

Written by Rodney G

02/14/2007 at 10:33 am

Posted in Uncategorized


[Paper] Anatomy of a Worm


Here it is.

I just wrote a paper exclusively for SudoLabs.com. It’s about the worm I wrote targeting GaiaOnline.com, aptly named “gaiaworm”. This is the third version of the worm and the first time I’ve ever really written a paper.

Edit 1: If you link to the paper, link to the blog post instead. I will be updating with links to who has published it as well as other updates. Thanks.

Edit 2: XSSed.com now has a copy of it. View it here.

Edit 3: Apparently the SudoLabs forums are dead for now. View the XSSed.com copy above!

Written by Rodney G

02/10/2007 at 1:26 am

Posted in Uncategorized


Keep an eye out.


Soon I’ll be releasing a small paper to SudoLabs.com and XSSed.com.

Keep an eye out.

Written by Rodney G

02/9/2007 at 12:59 am

Posted in Uncategorized
