ssl certificate spoofing

New SSL Vulnerabilities – Spoofing CA Certificates

OpenSSL is a widespread, open-source SSL protocol application and is widespread and used by numerous projects and organization for providing rapid, adaptable and “secure” solution.

OpenSSL has recently reached headlines again, but on a bad note. As of late (the past two years or so), the older and current versions of SSL have suffered from application issues that were considered critical and which lead to the exposure of almost all SSL-based projects (not to be confused with protocol-level issues such as POODLE and BEAST attacks).

Read more

android_dude

Android Application Security Sucks! Here’s what to do about it

Prologue: The following post was written and published by Checkmarx (link) on their website as part of a collaboration between AppSec Labs and Checkmarx. Originally published on May 26th, 2015 by Amit Ashbel.

 

Android…. It is no longer just a mobile phone.

Nowadays Android applications are running anywhere and everywhere. Home Appliances, watches, TVs, car applications and with the Internet of Things kicking in quickly, Android applications will probably become even more prevalent in our lives.

android_dudeAndroid is based on a customized Linux OS version. The main differentiation from the classic PC Linux is that the Android OS was adapted to define every Application on the device as a separate User or entity.

Each Application runs on its own Virtual environment within the  OS called a “Dalvik Machine (DVM)”*. Application code written in Java is modified to Java Byte Code and then converted to DEX (Dalvik byte code). The DVM will generate, on the fly, machine specific instructions to the ARM CPU (or other CPU in use). All Android applications are packaged as an APK (Android Application Package). The APK is a type of archived file which contains everything the android device needs in order to execute the application downloaded via the Google Play store or an alternate source.

*Dalvik is being shifted aside (Android L). Newer Android OS versions are using ART (Android Runtime) however the general idea stays the same.

Read more

Android 5 security updates

Android 5.x Application-Security-related updates

Hi

I just copied and summarized the security-related changed in Android 4.4, 5.0 and 5.1. Enjoy guys!

  

Custom permission

Android 5.0 prevents the installation of apps if they define a custom permission that is already defined by an existing resident app.

 

Web view

The WebView default behavior was changed to block mixed content. Please do not use: setMixedContentMode..

 

SSL default configuration

Android 5.0 introduces changes to the default TLS/SSL configuration used by apps for HTTPS and other TLS/SSL traffic:

  • TLSv1.2 and TLSv1.1 protocols are now enabled
  • AES-GCM (AEAD) cipher suites are now enabled
  • MD5, 3DES, export, and static key ECDH cipher suites are now disabled
  • Forward Secrecy cipher suites (ECDHE and DHE) are preferred

 
Read more

freak-ssl-tls-vulnerability

SSL FREAK Vulnerablity

As security experts, AppSec Labs can help you protect against SSL based attacks as well as keeping our website, www.appsec-labs.com safe from these attacks.

SSL/TLS is a transport encryption protocol which is used by most applications and infrastructure to provide confidentiality and integrity for safe communication between a client and a server.

Read more

10_30_21_v_1

Online ClickJacking/UI redressing PoC Tester

AppSec Labs is proud to introduce the ClickJacking Tester – a tool which is designed to allow information security specialists around the world to easily check online whether their websites are vulnerable to ClickJacking/UI redressing attack:

http://online.attacker-site.com/html5/ClickjackingTester/

Untitled

How to Use:

  1. Open the tool in your browser.
  2. Enter your website’s URL in the text box.
  3. Check “add allow-forms to Iframe” box in order to add the ‘allow-forms in the sandbox’ attribute in case it is necessary.
  4. Hit ‘enter’ or click submit button.
  5. If the page is vulnerable, it will be displayed in the window on the left side of the testing page.
  6. Take a screenshot for your PoC and enjoy!

Read more

7

AppUse and Server-Side Attacks on Android Applications

Introduction

We all know our smartphones contain a lot of sensitive information about us, from credit card details through WhatsApp correspondence, our location, pictures and more.

Today we see serious development of the telephony field; banks and credit card companies are developing account management telephone applications, chat applications which hold a history of our conversations, and much more important information of ours is managed by the smartphone.

The Android operating system (OS) architecture allows the programmer to broadly manage the information; to create components which are accessible to other applications on the device, to save data in dangerous locations and so information can easily be managed incorrectly. In addition, many programmers who have always developed server-side applications are now faced with the need to develop client-side applications and are not aware of the possible risk – which, in turn, increases the known attacking surface available to the attacker.

When a tester performs a penetration test to an Android application, it is divided into to two main areas:

  • Client-Side Attacks – include client-side vulnerabilities such as saving sensitive information in a dangerous manner, saving passwords in the code, manipulation of activities, broadcast receivers, etc.
  • Server-Side Attacks – include applicative server-side vulnerabilities such as XSS, SQLi, Authorization Bypass, Authentication Bypass, etc.

Read more

sony-hacked

The Truth Behind the Sony Cyber Attack

In recent years, Sony Pictures Entertainment has been one of the most highly targeted companies by cyber crime groups.

aaaaaaaaa

The last months of the year 2014 were very tough on Sony, after a cybercriminal group which identifies itself as GOP (Guardians of Peace) performed the biggest cyber-attack on Sony Pictures Entertainment. In this article I will make a short summary of the attack:

When Sony Pictures employees came into the office on Monday, November 24th 2014, they discovered that their corporate network had been hacked. The attackers had left messages threatening to release sensitive information if Sony didn’t comply with the attackers’ demands; All Sony employees found the same message on their computer screens (see the above picture)

 

The GOP hacker group claimed responsibility for the hack and had apparently stolen reams of internal corporate data as well. GOP leaked the movies AnnieFuryStill AliceMr. Turner and To Write Love on Her Arms to the internet on Black Friday.

The massive data breach at Sony appeared to have exposed more sensitive documents, revealing the US Social Security Numbers of more than 47,000 celebrities as well as freelancers, current and former Sony employees. Employees at Sony Pictures Entertainment were sent a threatening email by the GOP. The e-mail was written in English and asked the company employees:

“Please sign your name to object the false (sic) of the company at the email address below, if you don’t want to suffer damage. If you don’t, not only you but your family will be in danger.”

A number of DDOS attacks (Distributed Denial-of-Service attack is an attempt to make a machine or network resource unavailable to its intended users) were launched against Sony servers by several hackers groups.

Read more