Resident XSS – Reflected Becomes Stored Thanks to HTML5

HTML5 is the newest version of HTML. It offers new features that make it easier to build web applications that interact with the user, with his or her local data, and with servers, and it does so more easily and effectively than was previously possible.

In this article we will focus on the new client-side storage offered by HTML5. The new HTML provides us with Local and Session Storage, which can hold 15 MB or more of client data. The difference between them is that Local Storage can be accessed from any window, while Session Storage can be read and modified only by the same window. Additionally, the data in Session Storage is deleted automatically when the window is closed, whilst data in Local Storage must be deleted manually.

Let’s say that the web application stores your account number, the SessionId, the username and some other data in the storage, to be read later on in order to display it without sending requests to the server. The website takes the data it previously wrote to the storage and displays it when the page renders. This is how the page looks normally, along with the original information stored in the sessionStorage:

[Screenshot: the page and its sessionStorage contents]

Notice that the message in the speech bubble takes its information from the Session Storage, whose contents are shown in the above image right below the page. You can view the page’s storage in the Resources tab of Chrome’s Developer Tools (a.k.a. Inspect Element).

We can assume that the code behind the page looks something like this when it retrieves the data from the Session Storage:
<script>
   // Read back the values the page previously saved into the Session Storage
   var username = window.sessionStorage.getItem("username");
   var speech = window.sessionStorage.getItem("Speech-of-the-day");
   var action = window.sessionStorage.getItem("Random-action");
</script>

If this website is vulnerable to a Reflected XSS (which would normally execute only once, in the response that includes it), and the website does not perform client-side encoding (escaping) of the values it reads back from the storage, then this Reflected XSS can become a Stored XSS.
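As an added example (not code from the original post), the same speech-bubble rendering in plain JavaScript with a constructed stand-in for window.sessionStorage, showing the unescaped rendering beside one that applies client-side encoding; the storage keys are taken from the snippet above, the payload value is constructed.

```javascript
// Constructed stand-in for window.sessionStorage so the example runs under Node.
class FakeSessionStorage {
  constructor() { this.items = new Map(); }
  setItem(key, value) { this.items.set(key, String(value)); }
  getItem(key) { return this.items.has(key) ? this.items.get(key) : null; }
}

// Client-side encoding (escaping) for text that is placed inside HTML markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: stored values are concatenated straight into the markup
// (the innerHTML-style rendering the post describes).
function renderBubbleUnsafe(storage) {
  const username = storage.getItem('username');
  const speech = storage.getItem('Speech-of-the-day');
  const action = storage.getItem('Random-action');
  return `<div class="bubble"><b>${username}</b>: ${speech} <i>${action}</i></div>`;
}

// Hardened: every value read from storage is escaped before it reaches the markup,
// so a payload that made it into the storage is shown as text, not executed.
function renderBubbleSafe(storage) {
  const username = escapeHtml(storage.getItem('username'));
  const speech = escapeHtml(storage.getItem('Speech-of-the-day'));
  const action = escapeHtml(storage.getItem('Random-action'));
  return `<div class="bubble"><b>${username}</b>: ${speech} <i>${action}</i></div>`;
}

// Does the rendered markup still contain a live <script> tag that came from storage?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed scenario: one reflected XSS response wrote the payload into the
// storage; every later page load re-reads it, so the one-shot reflected bug
// behaves like a stored one until the value is cleared.
const storage = new FakeSessionStorage();
storage.setItem('username', 'alice');
storage.setItem('Speech-of-the-day', 'Have a nice day!');
storage.setItem('Random-action', '<script>alert(1)</script>'); // constructed payload

console.log('unsafe render keeps the tag:', containsScriptTag(renderBubbleUnsafe(storage))); // true
console.log('safe render keeps the tag:  ', containsScriptTag(renderBubbleSafe(storage)));   // false
```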

Read more

The reason why your exploit does not work

This post explains why, in Java, most command-line injection vulnerabilities cannot, in the most common cases, be exploited with:

  • && dir
  • ; ls


There are two options for running a command:

  1. Send the whole command line to the OS shell (CMD or /bin/sh), which parses and runs it.
  2. Split the words of the command into an array, execute the first word as the program, and pass the rest to it as parameters.


The difference is when, for example, the command is:

Notepad.exe a.txt && dir

The first method will run both commands (open Notepad with the file a.txt and, if that succeeds, run the command dir). The second method will pass ‘&&’ and ‘dir’ as parameters to the notepad.exe program. Therefore ‘&&’ and ‘dir’ will not run as a command.

This is also the difference between the ‘system’ function in C, which works like the first method, and the ‘Runtime.exec’ function in Java, which works like the second.

Read more

X-Frame-Option is dead, long live Content Security Policy!

Clickjacking (a.k.a. UI redress attack) is an attack in which an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on a different page, while the user is misled into thinking they are clicking a link on the top-level page. In effect, the attacker is “hijacking” clicks meant for their page and routing them to another page, probably owned by another application and/or domain. With a carefully crafted combination of stylesheets, iframes and text boxes, users can also be led to believe they are typing the password to their own email or bank account, rather than typing into an invisible frame controlled by the attacker.

Existing anti-clickjacking measures include frame-busting code and X-Frame-Options, yet these cannot be used to protect resources where the set of origins that ought to be permitted or denied is unknown, where attacks may originate from origins expected to be permitted by a use scenario, or where the attack is timing-based and involves multiple windows rather than multiple frames. Frame-busting scripts also rely on browser behavior that was not designed to provide a security guarantee; as a consequence, such scripts may be unreliable if loaded inside a sandbox or otherwise disabled.

Content Security Policy (CSP) is a declarative policy that lets a web application restrict the behavior of a document, e.g. the origins from which it may load its resources or the ways in which it may execute scripts. It also lets a resource control its presentation and interactivity when it interacts with the user, so that it cannot be used in an ambiguous or deceitful context created by spatial and/or temporal contiguity with other content displayed by the user agent.

Read more

Erez Metula is presenting at the International 2014 Cyber Security Summit in Tel Aviv, Israel

On January 16th, 2014, Erez will be giving an important presentation on Android Hacking in Mobile Application Security.

Full logistical details can be found here: http://cyber-security-tlv-summit.events.co.il/save-the-date


We’d love to see everyone there and we’re looking forward to the exchange of ideas. For now, take a look at the synopsis so you have an idea of what’s ahead!

Synopsis of his upcoming speech:

The mobile apps revolution has completely changed the way we use our mobile devices, which until recently were used just to make phone calls. Mobile applications nowadays handle our most sensitive data: phone calls, SMS text messages, geographic location, financial information, internet browsing, etc. But the question is: “How can we really tell how secure those applications are? Who can assure us they are not spying on us? Or can they be abused by other applications taking advantage of security vulnerabilities in those apps?”

During this presentation we will answer such questions, focusing on Android mobile applications. We will start by describing the threat model of mobile apps vs. traditional apps, then demonstrate a couple of common application-level vulnerabilities and the tools/techniques used to expose them.

Participants of this presentation will also witness the usage of the AppUse Android Penetration Testing VM – an open source virtual machine created by AppSec Labs for the sole purpose of pentesting Android applications.


Getting to know our experts: Chilik Tamir

Over the last few years AppSec Labs has been building a strong reputation for excellence in the field of Application Security. We offer services including pen-testing and full code review. As we’ve grown we’ve increased our experience, branching out from pen-testing to in-company training and e-learning. We’ve developed a product line in e-learning which we are selling world-wide, and we’re expanding our market.

So, it’s about time that we show you who we are and what motivates us to do what we do. This will be the start to a few blog interviews letting you (our community) get to know us (your community) BETTER. We hope you enjoy hearing more about us and we look forward to hearing more from you.

Keep in touch with us via Twitter and Facebook!

@AppSecLabs

https://www.facebook.com/AppsecLabs

https://www.youtube.com/user/AppSecLabs/videos

Author: Jessie A. Pincus, International Sales Director and Academic Director, AppSec Labs

Getting to Know our Experts:

Chilik Tamir, Chief Scientist, AppSec Labs

Question: How did you originally get into the field of Cyber Security?
Chilik: It was a hobby that became a job. I saw the WarGames movie back in the 1980s and it intrigued me.

Question: Since you focus your research on the Apple iOS platform, what do you see as its main vulnerabilities, and where has it improved or made changes to compensate?
Chilik: Apple is beginning to implement security features that are set to ‘ON’ as the default setting, instead of relying on developers to officially turn them on. The pairing notification message and the protection class encryption are enabled by default. Until iOS 7 they weren’t enabled by default.

Question: What aspect of the field of Cyber Security initially grabbed your attention and made you say “I want to work in that field.”?

Read more

Getting to Know Our Experts: Erez Metula

Blackhat 2013. Las Vegas, Nevada


Over the last few years AppSec Labs has been building a strong reputation for excellence in the field of Application Security. We offer services including penetration testing and full code review. As we’ve grown we’ve increased our experience, branching from pen-testing to in-company application security training and e-learning. We’ve developed a product line in e-learning which we are selling world-wide, and we’re expanding our market.

So, it’s about time that we show you who we are and what motivates us to do what we do. This will be the start to a few blog interviews letting you (our community) get to know us (your community) BETTER. We hope you enjoy hearing more about us and we look forward to hearing more from you.

Keep in touch with us via Twitter, Facebook, and YouTube!

@AppSecLabs

https://www.facebook.com/AppsecLabs

https://www.youtube.com/user/AppSecLabs/videos


Author: Jessie A. Pincus, International Sales Director and Academic Director, AppSec Labs

Getting to Know our Experts:
Erez Metula, Application Security Expert, Founder of AppSec Labs

Jessie Asks: How did you originally get into the field of Cyber Security?
Erez Answers: I started coding at the age of 12. I was very interested in the subject of gaming and I got frustrated when I had to bypass stages in order to continue. So, I wondered how I could do it and I thus got into hacking and patching. Once I learned more I understood that it was all about coding. In order to do it properly I needed to be a developer, so I started learning Computer Science.

Jessie Asks: What aspect of the field of Cyber Security initially grabbed your attention and made you say “I want to work in that field.”?

Read more

SSL Vulnerabilities Analyzer 1.1 published

Hi people

After a few months of work and research we have updated the SSL Analyzer tool to version 1.1. So, here is a description of the SSL Analyzer and who should use it.

SSL Vulnerabilities Analyzer

What is it?

This tool was created for penetration testers and for site administrators who want to check whether their server allows the use of insecure SSL algorithms.

SSL is meant to prevent attackers from reading or changing the traffic between the client (desktop or mobile browser) and the server; however, if the server allows insecure algorithms, an attacker can force the browser to use them and break the encryption (as the name says, they are insecure algorithms…).

Easy to use

SSL Vulnerabilities Analyzer has a nice interactive interface that makes it easy, even for non-technical people, to run it and check whether the server supports insecure algorithms.

Source code

SSL Vulnerabilities Analyzer is shared with its source code under the GPL v3 license, as a gift back to the open source community.

Download

You can download the current version (1.1) from here: SSL Analyzer version 1.1 zip

For more details, source code and versions, please visit the dedicated area in our website: https://appsec-labs.com/SSL_Analyzer

Read more

Wardriving? Apple? Really??

Advanced iPhone Hacking with iNalyzer

The slides from my OWASP Israel 2012 talk “Advanced iPhone Hacking with iNalyzer” have been uploaded and are available here.

The iNalyzer iPhone testing tool presented in the talk can be downloaded directly from here (you will need Graphviz Dot and Doxygen installed on your PC/laptop).
Here is an installation video (currently with no sound):
iNalyzer Installation and usage

Here is a small demo of iNalyzer vs. iSafePlay:
iNalyzer Vs. iSafePlay
Enjoy,
Chilik

Domain hijacking & Range attack by cPanel

cPanel routes the requests that arrive at the server to the correct account according to the domain. Of course, the account owner must declare that the domain belongs to him. To ensure that the domain does, in fact, belong to him, cPanel offers two options (without an EPP code):

1. Point the domain’s DNS to the DNS storage server.

2. Create a randomly-named file on the domain; the name is generated by cPanel and is unique per user.

[Screenshot: cPanel assign-domain options]

I will go into some detail regarding the first option.

Read more