New SSL Vulnerabilities – Spoofing CA Certificates

OpenSSL is a widespread, open-source SSL protocol application and is widespread and used by numerous projects and organization for providing rapid, adaptable and “secure” solution.

OpenSSL has recently reached headlines again, but on a bad note. As of late (the past two years or so), the older and current versions of SSL have suffered from application issues that were considered critical and which lead to the exposure of almost all SSL-based projects (not to be confused with protocol-level issues such as POODLE and BEAST attacks).

Read more

Android Application Security Sucks! Here’s what to do about it

Prologue: The following post was written and published by Checkmarx (link) on their website as part of a collaboration between AppSec Labs and Checkmarx. Originally published on May 26th, 2015 by Amit Ashbel.

 

Android…. It is no longer just a mobile phone.

Nowadays Android applications are running anywhere and everywhere. Home Appliances, watches, TVs, car applications and with the Internet of Things kicking in quickly, Android applications will probably become even more prevalent in our lives.

android_dudeAndroid is based on a customized Linux OS version. The main differentiation from the classic PC Linux is that the Android OS was adapted to define every Application on the device as a separate User or entity.

Each Application runs on its own Virtual environment within the  OS called a “Dalvik Machine (DVM)”*. Application code written in Java is modified to Java Byte Code and then converted to DEX (Dalvik byte code). The DVM will generate, on the fly, machine specific instructions to the ARM CPU (or other CPU in use). All Android applications are packaged as an APK (Android Application Package). The APK is a type of archived file which contains everything the android device needs in order to execute the application downloaded via the Google Play store or an alternate source.

*Dalvik is being shifted aside (Android L). Newer Android OS versions are using ART (Android Runtime) however the general idea stays the same.

Read more

cert

OpenSSL – Diffie Hellman and Elliptic Curve Cryptography with Digital Certificates

OpenSSL is a leading open-source SSL solution that offers many features; from client and server communication, to certificates generation and self-signing. The OpenSSL allows a user to issue CA certificates and use them to sign other certificates for both testing and production scenarios. Visit OpenSSL website: https://www.openssl.org/
Read more

Autorize – Automatic authorization enforcement detection extension for burp suite

Autorize is an automatic authorization enforcement detection extension for Burp Suite. It was written in Python by Barak Tawily, an application security expert at AppSec Labs. Autorize was designed to help security testers by performing automatic authorization tests.

Download Autorize from Github: https://github.com/Quitten/Autorize

alt tag Read more

Android 5.x Application-Security-related updates

Hi

I just copied and summarized the security-related changed in Android 4.4, 5.0 and 5.1. Enjoy guys!

  

Custom permission

Android 5.0 prevents the installation of apps if they define a custom permission that is already defined by an existing resident app.

 

Web view

The WebView default behavior was changed to block mixed content. Please do not use: setMixedContentMode..

 

SSL default configuration

Android 5.0 introduces changes to the default TLS/SSL configuration used by apps for HTTPS and other TLS/SSL traffic:

  • TLSv1.2 and TLSv1.1 protocols are now enabled
  • AES-GCM (AEAD) cipher suites are now enabled
  • MD5, 3DES, export, and static key ECDH cipher suites are now disabled
  • Forward Secrecy cipher suites (ECDHE and DHE) are preferred

 
Read more

SSL FREAK Vulnerablity

As security experts, AppSec Labs can help you protect against SSL based attacks as well as keeping our website, www.appsec-labs.com safe from these attacks.

SSL/TLS is a transport encryption protocol which is used by most applications and infrastructure to provide confidentiality and integrity for safe communication between a client and a server.

Read more

Online ClickJacking/UI redressing PoC Tester

AppSec Labs is proud to introduce the ClickJacking Tester – a tool which is designed to allow information security specialists around the world to easily check online whether their websites are vulnerable to ClickJacking/UI redressing attack:

http://online.attacker-site.com/html5/ClickjackingTester/

Untitled

How to Use:

  1. Open the tool in your browser.
  2. Enter your website’s URL in the text box.
  3. Check “add allow-forms to Iframe” box in order to add the ‘allow-forms in the sandbox’ attribute in case it is necessary.
  4. Hit ‘enter’ or click submit button.
  5. If the page is vulnerable, it will be displayed in the window on the left side of the testing page.
  6. Take a screenshot for your PoC and enjoy!

Read more

The Truth Behind the Sony Cyber Attack

In recent years, Sony Pictures Entertainment has been one of the most highly targeted companies by cyber crime groups.

aaaaaaaaa

The last months of the year 2014 were very tough on Sony, after a cybercriminal group which identifies itself as GOP (Guardians of Peace) performed the biggest cyber-attack on Sony Pictures Entertainment. In this article I will make a short summary of the attack:

When Sony Pictures employees came into the office on Monday, November 24th 2014, they discovered that their corporate network had been hacked. The attackers had left messages threatening to release sensitive information if Sony didn’t comply with the attackers’ demands; All Sony employees found the same message on their computer screens (see the above picture)

 

The GOP hacker group claimed responsibility for the hack and had apparently stolen reams of internal corporate data as well. GOP leaked the movies AnnieFuryStill AliceMr. Turner and To Write Love on Her Arms to the internet on Black Friday.

The massive data breach at Sony appeared to have exposed more sensitive documents, revealing the US Social Security Numbers of more than 47,000 celebrities as well as freelancers, current and former Sony employees. Employees at Sony Pictures Entertainment were sent a threatening email by the GOP. The e-mail was written in English and asked the company employees:

“Please sign your name to object the false (sic) of the company at the email address below, if you don’t want to suffer damage. If you don’t, not only you but your family will be in danger.”

A number of DDOS attacks (Distributed Denial-of-Service attack is an attempt to make a machine or network resource unavailable to its intended users) were launched against Sony servers by several hackers groups.

Read more

AliExpress hacked – the entire story

Introduction

As you may have heard it was recently advertised that AliExpress, one of the world’s largest online shopping websites, was found to have substantial security shortcomings. As one of the people who discovered the vulnerability, I would like to take this opportunity to discuss the vulnerability I detected in this blog post.

A few months ago, I purchased a few items from the AliExpress website. After the purchase, I sent a message to the seller in order to ask him a question regarding the items. From my experience as an application security expert in AppSec Labs, I had suspected that it might be vulnerable to a certain security breach, and so I started to investigate the issue locally and without, of course, harming the system or its users.

After a short investigation, I had concluded that any buyer in the website can browse to any item and can send a message to the seller using the “Contact Now” feature; this feature can be abused by a malicious buyer who could send a message to the seller containing a malicious payload.
Read more

Protecting a Windows application from premature termination

Have you ever written a Windows app that works on a specific and very important task that must be completed, but then someone force-closes it?

One solution would be to send a request to the user that asks the user not to force-close the app. Unfortunately, this doesn’t usually work.

There is a cool “trick” you can do to make sure no one will close that important app, or get a BSOD (Blue Screen Of Death), that is unknown to most programmers. This cool trick is called NtSetInformationProcess.

Some OS (Operating System) processes, such as Csrss.exe (Client Server Runtime Process), are considered critical for the normal function of the OS and closing them would crash the system in order to avoid any abnormal behavior.
Read more