Posts Tagged ‘XSS’

Gmail Vulnerability: All hype?

Wednesday, November 26th, 2008

As far as I know this has not been patched yet.

There is a very simple solution to monitoring this problem: simply add your own filter that forwards to an alternative email address. I just tested this, and while the email is sent away from your inbox, it is sent to both addresses. This way you will at least have a record, and if you check that address more regularly it will act as a notification system.

The exploit is not quite as glamorous as that article depicts either. It’s a Cross Site Request Forgery vulnerability introduced by an improperly implemented token key-pair. As the author mentions, the token should be changed at each request rather than each session. As mentioned in the article, both the ‘Session Authorization Key’ (the token) and the ‘Unique Account Identifier’ (which I assume is something like the session key) are required. Neither is trivial to obtain. The session key would require a vulnerability, such as a Cross Site Scripting or Cross Site Tracing vulnerability, to be accessed. The token must be read from the page that you are posting ‘from.’ Because of JavaScript’s sandbox, this cannot be done through the use of an iFrame or AJAX request. It must be done from the client’s localhost or the domain, in this case Google.

Obviously it is possible, since Google has responded to the threat and proof has been shown of domains being stolen, but nothing new has happened here. It is simply a clever implementation of a few common tricks.
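To make the per-session versus per-request distinction concrete, here is an added example (written for this page, not Gmail’s code or anything from the linked articles): a minimal server-side token store where a replayed token is still accepted under per-session tokens and is rejected once tokens rotate on every request. The session id and the idea of a filter-creation request are constructed for the demo.

```python
import secrets


class CsrfGuard:
    """Server-side anti-CSRF token store, keyed by session id (constructed demo).

    rotate=False models a per-session token: once an attacker has learned it,
    it stays valid for every request in that session.
    rotate=True models the per-request token the post recommends: a token is
    burned on first use, so a copy lifted from one rendered page buys at most
    one request, and a replay of it is rejected.
    """

    def __init__(self, rotate: bool):
        self.rotate = rotate
        self._tokens: dict[str, str] = {}  # session id -> currently valid token

    def issue(self, session_id: str) -> str:
        # Called when a form page is rendered; the token is embedded in that page.
        token = secrets.token_hex(16)
        self._tokens[session_id] = token
        return token

    def validate(self, session_id: str, submitted: str) -> bool:
        # Called on every state-changing request, e.g. creating a mail filter.
        expected = self._tokens.get(session_id)
        if expected is None or not secrets.compare_digest(expected, submitted):
            return False
        if self.rotate:
            # Burn the token; the next rendered page carries the replacement.
            self.issue(session_id)
        return True


def replay_outcomes() -> tuple[bool, bool]:
    """Is a second submission of the same token accepted? (per-session, per-request)"""
    results = []
    for rotate in (False, True):
        guard = CsrfGuard(rotate=rotate)
        token = guard.issue("victim-session")            # constructed session id
        assert guard.validate("victim-session", token)   # legitimate first use
        results.append(guard.validate("victim-session", token))  # replayed copy
    return results[0], results[1]


if __name__ == "__main__":
    per_session, per_request = replay_outcomes()
    print(f"replay accepted with per-session token: {per_session}")
    print(f"replay accepted with per-request token: {per_request}")
```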


http://geekcondition.com/2008/11/23/gmail-security-flaw-proof-of-concept/

http://googleonlinesecurity.blogspot.com/2008/11/gmail-security-and-recent-phishing.html

Web Application Penetration Testing… my tools of the trade

Monday, May 12th, 2008

I read a question recently on LinkedIn asking what tools penetration testers use for web application testing, and felt that it was probably a question that merited more than the few sentences I put down as an answer. The following tools are for web application testing. This is by no means a complete list, but these are some common tools that are useful, and anyone interested in penetration testing should look into understanding them.

When we talk about web site penetration testing most people think of scanners like Nessus or Acunetix’s scanner. While these have some merit, and I have seen them provide useful information, the best method in my opinion is to test by hand. This does not mean using no tools at all, but rather not relying on these automated tools. The following is a list of tools and plug-ins that I find useful. All of the following tools are add-ons for Firefox 2, an appropriate platform for web application testing.

ChickenFoot - This is a great tool since it allows you to run JavaScript on the page. Much like Greasemonkey, you can configure default scripts to run, but the real advantage is having a “JavaScript console” in the browser that can interact with the DOM. This has saved me a lot of trouble debugging scripts while developing, as well as breaking scripts already in place.

LiveHTTPHeaders - This is a great tool for grabbing the headers and banners that a server sends out. Data such as the operating system and Apache version can be found, as well as a comprehensive list of ALL data that is transferred to your browser at request time.

User Agent Switcher - Normally changing your user agent doesn’t help much with penetration testing, since few sites require you to be using a specific browser or operating system as part of authentication; however, by using the Google Bot’s user agent, sites designed for Search Engine Optimization sometimes open their doors for you. If the designer or developer allowed restricted pages to be indexed by the Google Bot (I don’t know why they do this, but they do), we can now access them.

Tamper Data - This is a brilliant tool that allows you to capture outgoing HTTP requests and modify the data. This makes modifying data in select menus much easier than using JavaScript to modify the DOM. You can also add other fields to the POST array, which is sometimes useful if the site is building SQL queries automatically from the POST’s contents.

RefControl - Another great add-on. This allows you to customize the referrer you send. Many sites check this to make sure that you are sending data from an allowed page, and RefControl can be used to forge it. This is useful when you want to send data from your own web app to another (for fuzzing), or if you are trying to access another zone of the site without the correct credentials from the previous zone.
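As an added illustration of why the User Agent Switcher and RefControl tricks above work (example code written for this page, not from any of the tools or sites mentioned): a toy authorization check that trusts the User-Agent and Referer headers, beside one that consults only the server’s own session state. The paths, hostname, roles and sample requests are constructed.

```python
from dataclasses import dataclass, field

# Constructed demo: a "members" zone that should require a logged-in session.
PROTECTED_PATHS = {"/members/reports": "member"}   # path -> role required
LOGIN_PAGE = "https://example.test/members/login"   # constructed hostname


@dataclass
class Request:
    path: str
    headers: dict = field(default_factory=dict)   # whatever the client sends
    session: dict = field(default_factory=dict)   # state the server itself set


def weak_authorize(req: Request) -> bool:
    """Anti-pattern: access decisions keyed on client-controlled headers.

    Lets anything claiming to be Googlebot through so the page gets indexed
    (defeated by User Agent Switcher) and treats a Referer from the login page
    as proof that the login zone was passed (defeated by RefControl).
    """
    role = PROTECTED_PATHS.get(req.path)
    if role is None:
        return True
    if "Googlebot" in req.headers.get("User-Agent", ""):
        return True
    if req.headers.get("Referer", "").startswith(LOGIN_PAGE):
        return True
    return req.session.get("role") == role


def hardened_authorize(req: Request) -> bool:
    """Only server-held session state decides; User-Agent and Referer are
    never consulted. Content that must be crawlable is simply not protected,
    so there is no crawler exception left to spoof."""
    role = PROTECTED_PATHS.get(req.path)
    return role is None or req.session.get("role") == role


# Constructed sample requests.
SPOOFED = Request("/members/reports", headers={
    "User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)",
    "Referer": LOGIN_PAGE}, session={})              # no login ever happened
LOGGED_IN = Request("/members/reports", headers={"User-Agent": "Mozilla/5.0"},
                    session={"user": "alice", "role": "member"})
PUBLIC = Request("/index.html")

if __name__ == "__main__":
    for name, req in [("spoofed", SPOOFED), ("logged in", LOGGED_IN), ("public", PUBLIC)]:
        print(f"{name:9} weak={weak_authorize(req)} hardened={hardened_authorize(req)}")
```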

Beyond these Firefox add-ons I have a few more tricks up my sleeve. The following are not necessarily penetration testing tools, but they can lead to extra information.

http://www.myipneighbors.com/ - This is a great site that allows you to easily see what other sites sit on the same IP address. This is useful for testing sites on shared hosts, where a cross-server hack is possible. This widens your range of vulnerabilities from one site to many. (In some cases I’ve seen IP addresses with upwards of 700 sites on them.) The site even provides an iFrame so that you can briefly browse the sites and see which look most likely to be useful.

nmap - Most of you are probably asking why a port scanner is on this list, but the fact that nmap can easily determine what version of Apache is running makes it useful. If you were unable to capture the banner from a request before, nmap is your next option. You may even be able to find out the version of MySQL and what operating system is being used. These can be useful for exploits inherent in the background processes of the site.

Finally, I will talk briefly about some automated tools that I use for fuzzing and quick scans. Normally, if I run these at all, I set them and forget them, checking the results only later once I’ve burned myself out working by hand.

Nessus - This is a great tool for scanning even beyond web applications, but with its features for SQL injection, Cross Site Scripting, and, I believe, now even Remote and Local File Inclusion vulnerabilities, it can provide useful information. If you are doing more than simple web application scanning, Nessus can provide even more information. Rather than just giving you a listing of ports and services like nmap, Nessus provides information on WHY these are dangerous and how they can be both exploited and fixed. This is great for testing your own network.

Acunetix’s scanner - This scanner will basically fuzz all inputs for Cross Site Scripting holes and report back to you on which, if any, were successful. I have had only moderate success with it, but again as a “set it and forget it” tool while you work by hand it can be useful.

Reading Rainbow: Episode 5

Sunday, May 11th, 2008

It seems that even Mozilla cannot escape built-in viruses these days. A language pack for Firefox was found to be infected with a trojan and was downloaded by users. http://www.scmagazineus.com/Compromised-file-found-in-language-pack-for-Firefox/article/109941/

After reading a few RFCs this week I have decided that I should set up support for RFC 2549. RFC 2549 is simply a revised version of RFC 1149 with QoS support. In today’s world, with bandwidth being more and more of an issue, this will help divert some of that traffic. RFC 2549 will also allow my blog and site to be viewable even during a Denial of Service attack. RFC 1149, RFC 2549

For those of you looking into future careers in the computer world, I’m sure the thought has crossed your mind of what really is still relevant and useful for your career. I found this article earlier this week which pointed out a few things that are rather pointless. If you know them, don’t sweat it; it’s always something extra. Perhaps it’s just not something you want to be putting in bold on your CV or resume. http://blogs.techrepublic.com.com/career/?p=310&tag=nl.e101

First hybrid cars, now do-it-yourself gasoline? Not quite, but rather do-it-yourself fuel, made by fermenting (yes, as in alcohol) your own fuel at home. The cost is supposedly 1 USD/gallon to produce after purchasing the almost 10,000 USD machine. Not too bad in the long run, and you get carbon credit coupons to boot. http://www.news.com/2300-13833_3-6239196-1.html?tag=ne.gall.pg

McAfee’s “Hacker Safe” sites apparently aren’t quite so “hacker safe.” Recently, sites classified this way have been found to be vulnerable to Cross Site Scripting. McAfee comments that XSS isn’t a dangerous vulnerability, which I believe actually makes their oversight worse. Rather than accepting that they made a mistake, they have shown ignorance of an obviously dangerous vulnerability. In a day and age with so much information stored in databases on websites, ANY security hole should be an issue. http://www.scmagazineus.com/XSS-vulnerability-found-in-McAfee-HackerSafe-sites/article/109585/

AldarHawk has released a new forum for security, programming, networking, and a variety of other computer-related topics. The forums are brand new and just getting their first few posts. Be sure to check it out. http://isecforce.com/

So you just ordered a Domino’s pizza and can’t wait for it to get to you. How much longer? This Python script, which runs at the command line (since GUIs are so overrated), will check and let you know the status of your pizza pie. http://random.noflashlight.com/