
AppUse and Server-Side Attacks on Android Applications

Introduction

We all know our smartphones contain a lot of sensitive information about us, from credit card details through WhatsApp correspondence, our location, pictures and more.

Today the mobile field is developing rapidly: banks and credit card companies are building account-management apps, chat applications keep a history of our conversations, and much more of our important information is managed by the smartphone.

The Android operating system (OS) architecture gives the programmer broad control over the information: components can be made accessible to other applications on the device, data can be saved in unsafe locations, and so information can easily be managed incorrectly. In addition, many programmers who have always developed server-side applications are now faced with the need to develop client-side applications and are not aware of the possible risks – which, in turn, increases the attack surface available to the attacker.

When a tester performs a penetration test on an Android application, the work is divided into two main areas:

  • Client-Side Attacks – include client-side vulnerabilities such as saving sensitive information in a dangerous manner, saving passwords in the code, manipulation of activities, broadcast receivers, etc.
  • Server-Side Attacks – include applicative server-side vulnerabilities such as XSS, SQLi, Authorization Bypass, Authentication Bypass, etc.

Read more

The Truth Behind the Sony Cyber Attack

In recent years, Sony Pictures Entertainment has been one of the most highly targeted companies by cyber crime groups.


The last months of 2014 were very tough on Sony, after a cybercriminal group which identifies itself as GOP (Guardians of Peace) performed the biggest cyber-attack on Sony Pictures Entertainment. In this article I will give a short summary of the attack:

When Sony Pictures employees came into the office on Monday, November 24th 2014, they discovered that their corporate network had been hacked. The attackers had left messages threatening to release sensitive information if Sony didn’t comply with the attackers’ demands; all Sony employees found the same message on their computer screens (see the above picture).


The GOP hacker group claimed responsibility for the hack and had apparently stolen reams of internal corporate data as well. GOP leaked the movies Annie, Fury, Still Alice, Mr. Turner and To Write Love on Her Arms to the internet on Black Friday.

The massive data breach at Sony appeared to have exposed more sensitive documents, revealing the US Social Security Numbers of more than 47,000 celebrities as well as freelancers, current and former Sony employees. Employees at Sony Pictures Entertainment were sent a threatening email by the GOP. The e-mail was written in English and asked the company employees:

“Please sign your name to object the false (sic) of the company at the email address below, if you don’t want to suffer damage. If you don’t, not only you but your family will be in danger.”

A number of DDoS attacks (a Distributed Denial-of-Service attack is an attempt to make a machine or network resource unavailable to its intended users) were launched against Sony servers by several hacker groups.

Read more


iOS: “I just snapshotted your credit card… I did it for you!”

Does your application have a page containing sensitive data such as personal or business information? Credit card numbers? Any financial or legal information? You should be aware that when the user presses the iPhone’s home button, and your application performs backgrounding, iOS takes a snapshot of the current page and stores it insecurely on the device. Why? To create an “animation” when the application shrinks into the background and to expand back to the screen, when the user selects it again. If the last page contained sensitive information, this information could be easily stolen. Violation of the user’s privacy and business information leakage are just two of the security impacts it may cause.

This is how it's done:
1. The user launches your app and goes to a page containing sensitive information.
2. The user receives a call, or presses the home button, sending your app into the background.
3. iOS takes a snapshot of the last page, for the animation… this is how it looks:

[images: stage1, stage2, stage3]

Now, let's take a look at the application folder on the device. We'll go to:
{YOUR_APP_UUID}/Library/Caches/Snapshots/
There we can see the file: UIApplicationAutomaticSnapshotDefault-Portrait@2x.png.
Opening it will reveal all the data that appeared on the last page visited in our app before it went into the background.

What can we do about it?

Well… I’m glad you asked! There are a few ways to deal with this issue. Here, I will explain four of them:
Read more


AliExpress hacked – the entire story

Introduction

As you may have heard, it was recently reported that AliExpress, one of the world’s largest online shopping websites, was found to have substantial security shortcomings. As one of the people who discovered the vulnerability, I would like to take this opportunity to discuss the vulnerability I detected in this blog post.

A few months ago, I purchased a few items from the AliExpress website. After the purchase, I sent a message to the seller in order to ask him a question regarding the items. From my experience as an application security expert at AppSec Labs, I suspected that it might be vulnerable to a certain security breach, and so I started to investigate the issue locally and, of course, without harming the system or its users.

After a short investigation, I had concluded that any buyer in the website can browse to any item and can send a message to the seller using the “Contact Now” feature; this feature can be abused by a malicious buyer who could send a message to the seller containing a malicious payload.
Read more

Protecting a Windows application from premature termination

Have you ever written a Windows app that works on a specific and very important task that must be completed, but then someone force-closes it?

One solution would be to send a request to the user that asks the user not to force-close the app. Unfortunately, this doesn’t usually work.

There is a cool “trick”, unknown to most programmers, that you can use to make sure no one closes that important app without getting a BSOD (Blue Screen Of Death). This trick is called NtSetInformationProcess.

Some OS (Operating System) processes, such as Csrss.exe (Client Server Runtime Process), are considered critical for the normal function of the OS and closing them would crash the system in order to avoid any abnormal behavior.
Read more


Auto Complete Vulnerabilities and Chrome workaround

Today’s post will discuss auto-complete vulnerabilities, and the autocomplete mitigation that Chrome does not support or handle properly. The good news is that there is a workaround, and we’ll go over how to do it step by step. Read on for the details.

What are the Auto Complete Vulnerabilities?

There are two main security issues we need to discuss:

  1. Auto complete for text fields

Credit card fields (always plain text fields) are always vulnerable. If you do not employ protective measures, then after the user submits the form, the credit card number will be saved automatically by the browser’s auto-complete feature, as demonstrated in the following image:

[image: auto_complete_1]

The next person to use the computer will be able to browse to the same page and see the saved credit card number.


  2. Auto complete for password fields

For example, in login forms. After the login form is submitted, Chrome offers to save the user's password. In sensitive systems, it is recommended to prevent the browser from offering this.

[image: auto_complete_2]


Now let’s go over the details on how to follow these recommendations.

Auto complete mitigation for text fields

The mitigation for AutoComplete on text fields is easy. Add the attribute autocomplete="off" to the relevant text fields. For example:

<input type="text" name="cc" autocomplete="off" />

With this attribute, the browser will not save the data that the user entered into these fields in its AutoComplete feature.


Auto complete mitigation for password fields

The mitigation for password fields differs depending on the browser and its version.

In short, some browsers support the autocomplete attribute on the password field, just like on a text field:

<input type="password" name="pass" autocomplete="off" />

Some browsers require the attribute to be set on the form tag instead:

<form action="/xyz" method="post" autocomplete="off">

But… Chrome does not support either.


Chrome and AutoComplete for password fields

The workaround that we found for Google Chrome is detailed here (found by Simon: http://stackoverflow.com/a/22694173). What must be done is to add a hidden password field before the real password field. Chrome detects that the first password field (the hidden one) is empty, treats it as if the user left the password field blank, and therefore does not offer to save the password.

Code snippet:

[image: auto_complete_3]
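The following is an added example, not code from the original post: a small Node.js helper that finds the two weak spots described above in raw form markup (credit-card-style text fields and password fields that lack autocomplete="off"), applies the attribute, and inserts the hidden dummy password field for the Chrome workaround. The sample form, the list of "sensitive" field names and the use of style="display:none" to hide the dummy field are assumptions of this example; the page only says the dummy field is hidden.

```javascript
// Added example (not from the original post). Audits and fixes autocomplete on
// <input> tags in an HTML string. A regex over <input ...> tags is enough for the
// simple forms shown in the post; real templates deserve a proper HTML parser.

// Assumed list of field names treated as credit-card style data.
const SENSITIVE_NAME = /^(cc|ccnum|card|card_?number|cvv|cvc|pan)$/i;

// Parse the attributes of one <input ...> tag into an object (lower-cased keys).
function parseAttrs(tag) {
  const attrs = {};
  const re = /([\w-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s"'>]+))/g;
  let m;
  while ((m = re.exec(tag)) !== null) {
    attrs[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4] ?? '';
  }
  return attrs;
}

// Returns a reason string when the input should carry autocomplete="off", else null.
function needsOff(attrs) {
  const type = (attrs.type || 'text').toLowerCase();
  if ((attrs.autocomplete || '').toLowerCase() === 'off') return null;
  if (type === 'password') return 'password field without autocomplete="off"';
  if (type === 'text' && SENSITIVE_NAME.test(attrs.name || '')) {
    return 'sensitive text field without autocomplete="off"';
  }
  return null;
}

// Issue 1 and 2 from the post: list every input that the browser may remember.
function auditAutocomplete(html) {
  const findings = [];
  for (const tag of html.match(/<input\b[^>]*>/gi) || []) {
    const attrs = parseAttrs(tag);
    const issue = needsOff(attrs);
    if (issue) findings.push({ name: attrs.name || '(unnamed)', issue });
  }
  return findings;
}

// Mitigation for text (and, where supported, password) fields: add autocomplete="off".
function disableAutocomplete(html) {
  return html.replace(/<input\b[^>]*>/gi, (tag) => {
    const attrs = parseAttrs(tag);
    if (!needsOff(attrs)) return tag;
    if (attrs.autocomplete !== undefined) {
      // Attribute present with another value (e.g. "on"): overwrite it.
      return tag.replace(/autocomplete\s*=\s*(?:"[^"]*"|'[^']*'|[^\s"'>]+)/i, 'autocomplete="off"');
    }
    // Insert before the closing ">" or "/>".
    return tag.replace(/(\s*\/?)>$/, ' autocomplete="off"$1>');
  });
}

// Chrome workaround from the post: a hidden, empty password field placed before
// the real one so Chrome sees a blank password and does not offer to save it.
function chromePasswordWorkaround(html) {
  const dummy = '<input type="password" name="fake_password" style="display:none" tabindex="-1" />';
  const m = /<input\b[^>]*type\s*=\s*["']?password["']?[^>]*>/i.exec(html);
  if (!m) return html; // no password field: nothing to do
  return html.slice(0, m.index) + dummy + html.slice(m.index);
}

// Constructed sample form for a stand-alone run.
const SAMPLE_FORM =
  '<form action="/pay" method="post">' +
  '<input type="text" name="cc" />' +
  '<input type="password" name="pass" />' +
  '<input type="text" name="comment" />' +
  '</form>';

console.log('findings before fix:', auditAutocomplete(SAMPLE_FORM));
console.log('fixed markup:', chromePasswordWorkaround(disableAutocomplete(SAMPLE_FORM)));
```

Run it with `node` on the sample form: the audit reports the `cc` and `pass` fields, `disableAutocomplete` clears both findings, and `chromePasswordWorkaround` places the dummy field between the card field and the real password field. Note that the dummy field is itself a password input, so run the audit before applying the workaround.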

So, those are the nitty gritty details. Now it’s your turn to test your own forms with multiple options in our online lab environment: http://online.attacker-site.com/pages/autocomplete/autocomplete.php


I hope this helps you, and please feel free to leave comments below. If you have ideas for our next blog post, just let us know.

Talk to you next time, Israel


Directory Listing

Description

Directory listing is a web server function that displays a list of all the files in a specific website directory when that directory has no index file, such as index.php or default.asp.

Some web administrators do not configure their web servers properly to disable directory listing, or do not disable it at all.

For instance, administrators may create complex configuration settings, such as allowing directory listing only for particular directories or subdirectories. Getting this configuration wrong can unexpectedly and unintentionally enable listing for directories which contain sensitive information.

See how to fix it!

Read more


Cookie Secure Flag

Description

When a cookie is set with the Secure flag, it instructs the browser that the cookie may only be sent over encrypted SSL/TLS (HTTPS) connections. This is an important security protection for session cookies.

The Secure flag is an option that the application server can set when sending a new cookie to the user in an HTTP response. Its purpose is to prevent the cookie from being observed by unauthorized parties because it was transmitted in clear text.

See how to fix it!

Read more


Cookie – HttpOnly Flag

Description

When a cookie is set with the HttpOnly flag, it instructs the browser that the cookie may only be accessed by the server and not by client-side scripts. This is an important security protection for session cookies.

If the (optional) HttpOnly flag is set and the browser supports it, the cookie cannot be accessed through client-side script. As a result, even if a Cross-Site Scripting (XSS) flaw exists and a user accidentally follows a link that exploits it, the browser (primarily Internet Explorer) will not reveal the cookie to a third party.
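As an added example covering both the Secure flag and the HttpOnly flag entries above (this is not code from the original posts), the Node.js functions below build a Set-Cookie header value that carries both flags and audit a list of Set-Cookie header values for cookies that are missing either one. The sample header values and the list of names treated as session-like (`sess`, `auth`, `token`, `sid`, …) are constructed for this example; the SameSite attribute is included as a common companion to the two flags but is not something the original posts discuss.

```javascript
// Added example (not from the original posts): building and auditing Set-Cookie
// header values for the Secure and HttpOnly flags. Pure functions, no server needed.

// Build a Set-Cookie value. Secure and HttpOnly default to on, so a caller has to
// opt out explicitly (e.g. a non-sensitive preference cookie that JavaScript reads).
function buildSetCookie(name, value, opts = {}) {
  const { path = '/', secure = true, httpOnly = true, sameSite = 'Strict', maxAge } = opts;
  // RFC 6265 cookie-name is a token; keep values free of separators and whitespace.
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[;,\s]/.test(value)) throw new Error('cookie value must not contain ; , or whitespace');
  const parts = [`${name}=${value}`, `Path=${path}`];
  if (maxAge !== undefined) parts.push(`Max-Age=${maxAge}`);
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Parse one Set-Cookie value into { name, value, attrs }; attribute keys are
// lower-cased, flag attributes (Secure, HttpOnly) get the value true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const value = eq === -1 ? '' : pair.slice(eq + 1);
  const attrs = {};
  for (const a of rest) {
    if (!a) continue;
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name, value, attrs };
}

// Assumed heuristic for cookies that carry a session or authentication token.
const SESSION_LIKE = /(sess|auth|token|sid)/i;

// Audit a list of Set-Cookie values; returns one finding per cookie missing a flag.
function auditSetCookies(headers) {
  const findings = [];
  for (const h of headers) {
    const c = parseSetCookie(h);
    const missing = [];
    if (!c.attrs.secure) missing.push('Secure');
    if (!c.attrs.httponly) missing.push('HttpOnly');
    if (missing.length) {
      findings.push({ name: c.name, missing, sessionLike: SESSION_LIKE.test(c.name) });
    }
  }
  return findings;
}

// Constructed sample: what a scanner might see in one HTTP response.
const SAMPLE_HEADERS = [
  'SESSIONID=abc123; Path=/',            // neither flag: session cookie at risk
  'theme=dark; Path=/; Secure',          // readable by script, which may be intended
  buildSetCookie('AUTHTOKEN', 'xyz789'), // both flags set
];

console.log('hardened header:', buildSetCookie('SESSIONID', 'abc123'));
console.log('findings:', auditSetCookies(SAMPLE_HEADERS));
```

On the constructed sample the audit reports `SESSIONID` (missing both flags, session-like) and `theme` (missing HttpOnly only, not session-like); the cookie built with `buildSetCookie` passes. The `sessionLike` field is there so a reviewer can prioritise findings on session cookies, which is where both flags matter most.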

See how to configure it!

Read more


How to connect a real device to AppUse



In order to connect a real device, follow these steps:

  1. Enable USB debugging mode:

a. Open your device’s “Settings.”
This can be done by pressing the Menu button while on your home screen and tapping “System Settings.”
b. Scroll to the bottom and tap “About phone.”
c. On the “About” screen, scroll to the bottom and tap “Build number” seven times.
If the message “Not needed, you are already a developer!” pops up, developer options were already enabled.
Read more