Computer Security Is My Interest!

Soroush Dalili’s Weblog

May 27

Cross Site URL Hijacking by using Error Object in Mozilla Firefox

My Advisories, Security Articles, Security Posts 2 Comments »

In this paper, I want to represent a method for performing Cross Site URL Hijacking (which we can call XSUH) by using the error object of Mozilla Firefox. XSUH attack is used to steal another website URL. This URL can show the client’s situation on that website, and it can contain confidential parameters such as session ID as well. There is another useful article with a similar purpose but with a different approach which is “XSHM” article of CHECKMARX , and reading this article is highly recommended to you as well.
As you might know, scripts error handling in Mozilla Firefox is quite useful for the developers as it can show the exact source of an error with some useful information. Now, this functionality can be misused to divulge the destination URL after the redirections (XSUH attack) which can lead to condition leakage or stealing some important parameters from the URL.

Download From Here: http://soroush.secproject.com/downloadable/XSUH_FF_1.pdf
Or Here: http://0me.me/demo/XSUH/XSUH_FF_1.pdf

Proof of Concept: http://0me.me/demo/XSUH/XSUH_demo_firefox_all_in_1.html

Note: This technique has been tested on Mozilla Firefox 3.6.3, 3.5.9, 3.6.4build5 (26th May 2010).

Tagged with: Cross Site URL Hijacking • Cross Site URL Hijacking by Error Object • XSUH by error object • XSUH in Mozilla Firefox

May 06

New Method: Role of the “/” character in mapping the website directories! – Webservers fault?

Security Articles, Security Posts No Comments »

One of the first steps of a black-box penetration testing of a website is mapping its files and directories. And in order to do that, security scanners crawl into the website first, and then try to guess the possible directories and files. These scanners use the response header or body of the page to investigate a valid file or directory. For instance, the header status “404” can be the sign of “File Not Found” and “200” can be the sign of a valid file. Also, the status “403 Forbidden” can be the sign of a valid directory without any index page. However, many websites such as Yahoo, Google, Facebook, Microsoft, and so on do not like to show the “403 Forbidden” errors for a valid directory, and instead, they show a “Page Not found” or another default page to the users. Although this functionality makes the website more user-friendly, it is not good for the scanners at all; as there is no difference between a valid and an invalid directory then.

Therefore, we need something else as a signature to improve the scanners result. And as a solution we can use a “/” as an identifier. In case of requesting a valid directory without adding a slash at the end of it, the web-server will add an slash automatically, and in case of having an invalid directory there will not be any slash at the end of the directory name.

Some examples:

Invalid Directory: http://www.microsoft.com/foobars

Valid Directory: http://www.microsoft.com/test

——–

Invalid Directory: http://code.google.com/foobars

Valid Directory: http://code.google.com/js

——–

Invalid Directory: http://www.facebook.com/foobars

Valid Directory: http://www.facebook.com/admin

——–

Invalid Directory: http://uk.yahoo.com/foobars

Valid Directory: http://uk.yahoo.com/private

——–

Cheers,

Soroush Dalili

Tagged with: Mapping directory • Mapping folder • Slash role • using slash as a signature

Mar 04

Improve File Uploaders’ Protections – Bypass Methods- Rev. 1.0

Security Articles No Comments »

Some new methods of bypassing file uploaders protections have been discussed. As an example bypassing by using: trailing spaces and dots, “::$data.”, direct Null char, IIS semi-colon bug, and so on.

Uploading files by using web applications is very common. However, there is always a high risk around this matter. In case of uploading a web-shell file which can be absolutely malicious, an attacker can get the same privilege of access as the web application to the server. In this paper, which is mostly around the Windows-based web applications, some general solutions for protecting against this type of attack have been suggested. Moreover, as a proof of concept, some of the most general protection methods and the way of bypassing them have been discussed.

This article is an educational article to improve the security of the web applications. And, the author of this article (“Soroush Dalili”) does not accept and has no responsibility about the content or usage of this article in any other way. Any other usage of this article except the legal ones is completely prohibited.

Please respect the copyright and mention the name of the author (“Soroush Dalili”) in case of using this article.

Download this article by clicking here. (http://soroush.secproject.com/downloadable/Improve File Uploaders’ Protections.pdf)

Tagged with: fckeditor bypass methods • file uploader bypass methods • file uploader security bypass • file uploader security improvement

Dec 25

Browsers’ Pain: A recursive function!

Security Articles, Security Posts No Comments »

I have written a recursive function by using Javascript “setInterval” function which calls itself. Unfortunately, none of the last version of famous browsers such as Internet Explorer (8), Chrome (3.0.195.38), and Mozilla Firefox (3.5.6) blocks this script. Moreover, it takes more than 50% of my CPU which is Intel Core 2 Dou 2.50 GHz.
And the worst one is Mozilla Firefox which stops working after running this script instead of showing a page to stop the script.
This script is:

<script>
function recursiveFunc(){setInterval(“recursiveFunc()”,1);}
recursiveFunc();
</script>

Just save it as an HTML file, and try to open it with your browsers. You can convert “1” to “0” to get better result in Mozilla Firefox and Chrome.
I reported it to Mozilla Firefox as a bug.
Good luck.

Tagged with: Browsers’ Pain • Mozilla Crash Function

Dec 05

Google captured my privacy!

Normal Posts, Security Articles 2 Comments »

Google will be the best Firewall and Forensic Tool of the near future!

Google will (or already) know the users’ information!

News:

“Google pushes security with Public DNS” -> So, Google DNS can collect all the websites which is viewed by the users …

“Browsers use Google to detect web forgery -> So, a browser send a request to Google before openning a website for you! …

“The best search engine for all” -> So, Google can collect your keywords! …

“The best public mail service” -> So, Google can collect your emails …

“Google owned Youtube” -> So, Google can collect your videos …

“Google codes” -> So, Google can collect your source codes …

“Google documents” -> So, Google can collect your documents …

“Google photos” -> So, Google can collect your photos …

“Google messenger” -> So, Google can collect the messages …

“Most of the websites use Google web analyzer (tracker)” -> So, Google can track the websites’ information and also their customers! …

“Google Wave” -> So, Google can collect the blogs ,e-mails, instant messaging, FTPs, social networking’s, and so on’s information! …

“Google powerful translators” -> So, Google can understand why you are saying in other languages!

“Searchable images/sounds/videos by text or another object!” -> So, Google can search in users’ collected data …

“Chrome OS” -> So, Google can do anything with your computer …

AND etc (see http://www.google.co.uk/intl/en/options/ and http://www.googlelabs.com/)…

We are waiting for the most powerful shopping centre by Google!

However, we should trust Google in order to have happier and easier life!

Google = No Pain, No Gain!

Best wishes ;)

Soroush

Tagged with: Google captured my privacy • Google captured your privacy • Google is the best Firewall • Google is the best Forensic Tool • Privacy by Google

Previous Entries

Free WordPress Themes

Links

Symantec Security News

Symantec Endpoint Protection on Developer's Machine July 16, 2010
Hello We are currently migrating to SEP and we are testing the SEP client on a test server before putting it on a production server. At the moment we only use Antivirus and Antispyware protection for the client installs. The developers would like to know what files SEP is accessing during the file protection (We have created exclusions for our software). Is […]
clients got policy updates or not July 16, 2010
hi there, i have a little issue about getting policy updates on serveral users, can u tell me where to find it. i wan to ensure that clients received policy updates properly.... […]
SEP for Mac Internal LiveUpdate server, Java requirements? July 15, 2010
Hey guys! I currently setting up a test environment to run SEP (11.0.6) on my Macintosh machines. I have LUA 2.2.2.9 set up and correctly configured. We are moving our Macintosh machines to 10.6.4 (snow Leopard) and I am testing on this platform. I've created a client install package off of my Symantec Endpoint Protection Manager console and have […]

Google Reader

New Statesman - Beware those Black Swans July 15, 2010
Shared by Jeff Williams "Do not give children sticks of dynamite, even if they come with a warning label" The bestselling economist Nassim Nicholas Taleb argues that we can’t make the world financial system immune to shocks –– but we can make sure it’s much more robust by building randomness into our planning. […]
Understanding the market for buggy software: Complexity blurs line between bugs and features July 15, 2010
The prevalence of bugs in mainstream software is difficult to deny, but the reason for it is poorly understood and subject to debate. The question of why people accept buggy software, but not other products with similar levels of flawed design, is perhaps not a valid question. It is unrealistically optimistic to think that people would not accept “bugs” in p […]
"We Haven't Been Hacked" ...is not a metric July 15, 2010
An interesting thing happens when speaking with the few non-believers in Web Application Security out there. Many of them cite the it hasn't happened to me metric for why they don't feel the need to incorporate better security (or any at all) into their development programs. You know me though, by now, and probably know that I always have a follow- […]