‘A Modular Approach to Data Validation in Web Applications’

‘Data that is not validated or poorly validated is the root cause of a number of serious security vulnerabilities affecting applications. This paper presents a modular approach to performing thorough data validation in modern web applications so that the benefits of modular component based design; extensibility, portability and re-use, can be realised. It starts with an explanation of the vulnerabilities introduced through poor validation and then goes on to discuss the merits of a number of common data validation methodologies. Finally, a modular approach is introduced together with practical examples of how to implement such a scheme in a web application. This follows two main principles:

 * Data should be validated in the data model, where the validation rules have maximum scope for interpreting the context; and
 *Escaping of harmful meta-characters should be performed just before the data is processed, typically in the data access components.

Implementing such a modular approach contributes to the application being loosely coupled and ensures that it can safely be extended and components reused, without incurring unnecessary development time to re-implement validation routines.’

Read More »

‘DNS Amplification Attacks’

This paper outlines a Distributed Denial of Service (DDoS) attack which abuses open recursive Domain Name System (DNS) name servers using spoofed UDP packets.

This study is based on packet captures and logs from attacks reported to have a volume of 2.8Gbps. One of the networks under attack indicated some attacks have reached as high as 10Gbps and used as many as 140,000 exploited name servers. In addition to the increase in the response packet size, the large UDP packets create IP protocol fragments. Several other responses also contribute to the overall effectiveness of these attacks.

The risks involved with the recursive name server feature, as well as those of packet spoofing are well known, yet have been treated more as a theoretical issue. The attack under study was anticipated as early as 2002. Earlier attacks using queries to non-authoritative servers were for a reflection attack using MX records. To our knowledge, this is the first documentation of a new form of a recursive name server reflection attack designed to use the significantly larger data amplification available from the extended capabilities of extended DNS standards .In addition to this attack technique, recursion can be leveraged for other uses such as theft of DNS resources.’

Read More »

‘Detecting the Presence of Virtual Machines Using the Local Data Table’

This paper describes a method for determining the presence of virtual machine emulation in a non-privileged operating environment. This attack is useful for triggering anti-virtualization attacks and evading analysis. We then discuss methods for mitigating this risk for malware analysts. This method was demonstrated using the Windows series of operating systems.’

Read More »

‘WLSI – Windows Local Shellcode Injection’

This paper describes a new technique to create reliable local exploits for Windows operating systems, the technique uses some Windows operating systems design weaknesses that allow low privileged processes to insert data on almost any Windows processes no matter if they are running under high privileges. We all know that local exploitation is much easier than remote exploitation but it has some difficulties. After a brief introduction and a description of the technique, a couple of samples will be provided so the reader will be able to write his/her own exploits.’

Read More »

‘Domain Contamination’

‘This brief write-up describes an attack that exploits an inherent flaw of the client-side trust model in the context of cyber-squatting and domain hijacking, or in general, in the context of obtaining temporary ownership of a domain (or major parts of it, e.g. defacing the main page).
Put simply, the idea explored is to force long term caching of malicious pages in order for them to still be in effect even when the domain returns to its rightful owner.

Various attack vectors are discussed in this write-up, as well as possible protection techniques. While previous works hinted at the possibility of such attacks, it is worthwhile to discuss this in depth and to refute the common misconception that cyber-squatting, domain hijacking and similar attacks don’t have a long lasting effect.

Read More »

‘Misunderstanding Javascript Injection: Web Application Abuse via Javascript Injection’

Whilst it is common to see the issue of Javascript injection on the various security oriented mailing lists, there are issues Tim has not seen much mention of, this paper seeks to rectify that.

This paper seeks to make two key points:
 1. To successfully inject, doesn’t require Javascript: or the < script> tag.
 2. After successful injection, stuff the cookie, AJAX gives more room to move.’

Read More »

‘Cross Site Cooking’

There are three fairly interesting flaws in how HTTP cookies were designed and later implemented in various browsers; these shortcomings make it possible (and alarmingly easy) for malicious sites to plant spoofed cookies that will be relayed by unsuspecting visitors to legitimate, third-party servers.’

Read More »

‘Hacking with the Google Search Engine’

Hackers and security experts use various custom and open source tools to complete their tasks. In fact, one of the tools they use you probably use every time you browse the web, the Google Search Engine.

Paul remembers the first time he used the Google Search Engine years ago. Paul was amazed at how quickly it fulfilled my search request. Google’s huge index of systems / information and it’s ability to perform complex searches have evolved over the years. When we performed security assessments and penetration test, we regularly use Google to locate information that organizations typically want to keep private and confidential.’

Read More »

‘XST Strikes Back’

‘This is yet another example of peripheral web security issue, such as the ones discussed in ‘Meanwhile, at the other side of the web server’. A web application may be compromised through issues that are beyond the control of the web site owner – in this case, support for TRACE in browsers and proxy servers. In fact, in many cases the site owner has no way of even knowing that the attack took place, because the TRACE request is answered at the proxy server, and never arrives at the web server (of course, if the first proxy server is the site’s reverse proxy server, or if no proxy server at all is present, then the site owner may find out).

It seems that the TRACE method should be disabled across the board – not just in web servers, but also in proxy servers and in browsers (and possibly in other web devices).’

Read More »

‘Security Testing Demystified’

The article linked here presents the concepts of application security testing. The article focus on web applications, but the concepts are valid to almost all security testing scenarios.’

Read More »

‘Attacking Automatic Wireless Network Selection’

‘Wireless 802.11 networking is becoming so prevalent that many users have become accustomed to having available wireless networks in their workplace, home, and many public places such as airports and coffee shops. Modern client operating systems implement automatic wireless network discovery and known network identification to facilitate wireless networking for the end-user.

In order to implement known network discovery, client operating systems remember past wireless networks that have been joined and automatically look for these networks (referred to as Preferred or Trusted Networks) whenever the wireless network adapter is enabled. By examining these implementations in detail, we have discovered previously undisclosed vulnerabilities in the implementation of these algorithms under the two most prevalent client operating systems, Windows XP and MacOS X.

With custom base station software, an attacker may cause clients within wireless radio range to associate to the attacker’s wireless network without user interaction or notification. This will occur even if the user has never connected to a wireless network before or they have an empty Preferred/Trusted Networks List. We describe these vulnerabilities as well as their implementation and impact.’

Read More »

‘Malware – Future Trends’

In the below link article, Dancho describes what are the driving forces behind the rise of malware? Who’s behind it, and what tactics do they use? How are vendors responding, and what should organizations, researchers, and end users keep in mind for the upcoming future? These and many other questions will be discussed in this article, combining security experience, business logic, a little bit of psychology, market trends, and personal chats with knowledgeable folks from the industry.’

Read More »

‘UPnP Flawed Application’

”The UPnP architecture offers pervasive peer-to-peer network connectivity of PCs of all form factors, intelligent appliances, and wireless devices. The UPnP architecture is a distributed, open networking architecture that leverages TCP/IP and the Web to enable seamless proximity networking in addition to control and data transfer among networked devices in the home, office, and everywhere in between.’

So you feel so safe with that shiny new Linksys, D-Link, or Net-gear Home router of yours don’t you? Its Firewall function is impenetrable isn’t it? No its not. In fact, any program that has network access can change that, regardless of that unbreakable password you’ve set on the device. Why? Because they are UPnP enabled devices, and UPnP allows for unauthenticated access to viewing and modifying your settings.’

Read More »

‘Database Servers on Windows XP – Unintended Consequences of Simple File Sharing’

This paper presents some unexpected consequences of running database servers on Windows XP with Simple File Sharing enabled. In the real world, this kind of setup would typically be a developer’s system and as it turns out, in some cases depending on the database software, you might not just be sharing your files but exposing both database services and data. In one case an attacker can easily gain DBA access to the database if Simple File Sharing is enabled. We’ll examine the commercial databases, namely, Oracle, SQL Server, DB2, Sybase and Informix and see which are exposed, to what level and why.’

Read More »

‘Remote Rogue Network Detection’

‘Unauthorized network links are one of the biggest problems facing large enterprise networks. Users intent on bypassing corporate proxies will often use cable modems, wireless networks, or even full-fledged T1s to access the Internet. These network links can have a drastic affect on organizational security; any perimeter access controls are completely bypassed, making it nearly impossible for the administrators to effectively concentrate their monitoring and intrusion prevention efforts. The linked document attempts to describe different approaches and techniques that can be used to detect these rogue network links.’

Read More »

‘Perl Format String Vulnerabilities’

‘Format string vulnerabilities in C programs have been studied extensively in recent years. The focus has been on the execution of arbitrary code, although other effects are possible. It has now to the attention of the security community that numerous Perl code segments suffer from the same format string vulnerabilities as C programs.

Read More »