Archive for the ‘Security’ Category

Ajax Security

Good news, everyone!

I’m writing a new book on Ajax Security. You can follow development at

http://www.ajaxsecurity.info/
I am looking for a co-author to bring the book to fruition faster (and to avoid marital breakdown!), so if you’re interested and have lots of Ajax and security experience (20 years or better!) and have the mad writing skillz to write at least 125 pages, please drop me a line.

PHP 5.2 to get HttpOnly!

Ilia has just blogged that HttpOnly is now supported in PHP 5.2.

This stops the most basic XSS payload: injected script that reads document.cookie and ships the session ID off to the attacker. It does not stop XSS itself. Script injected into the page can still issue requests from the victim’s browser, and the browser attaches the cookie to those requests, so the attacker keeps a session-riding capability even when the cookie value stays hidden.
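As an added example (not code from Ilia’s post or from PHP itself), this is how the flag is set from PHP: the native seventh argument of setcookie() and the session.cookie_httponly setting on 5.2, and a hand-built Set-Cookie header on older releases. The cookie name and value are made up for illustration.

```php
<?php
// Added example, not code from the original post.
// Send a cookie carrying the HttpOnly attribute from PHP, on both
// PHP 5.2 (native support) and older releases (manual header).

function set_httponly_cookie($name, $value, $expire = 0, $path = '/', $domain = '')
{
    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

    if (version_compare(PHP_VERSION, '5.2.0', '>=')) {
        // PHP 5.2 added the seventh ($httponly) argument to setcookie().
        return setcookie($name, $value, $expire, $path, $domain, $secure, true);
    }

    // Older PHP: build the Set-Cookie header ourselves. Browsers that do
    // not understand HttpOnly simply ignore the unknown attribute.
    $header = 'Set-Cookie: ' . rawurlencode($name) . '=' . rawurlencode($value);
    if ($expire > 0) {
        $header .= '; expires=' . gmdate('D, d-M-Y H:i:s T', $expire);
    }
    $header .= '; path=' . $path;
    if ($domain !== '') {
        $header .= '; domain=' . $domain;
    }
    if ($secure) {
        $header .= '; secure';
    }
    $header .= '; HttpOnly';
    // Second argument false: add to, rather than replace, any earlier Set-Cookie header.
    header($header, false);
    return true;
}

// The PHP session cookie itself. session.cookie_httponly is new in 5.2,
// as is the fifth ($httponly) argument of session_set_cookie_params().
ini_set('session.cookie_httponly', 1);
session_set_cookie_params(0, '/', '', false, true);
session_start();

// Hypothetical application cookie, same treatment.
set_httponly_cookie('remember_me', 'token-value-here');
```

Check the result with a client that shows raw headers (curl -I, or the browser’s network view): every Set-Cookie line you care about should end in HttpOnly, and the session cookie should carry it without any extra code once the ini setting is in place. Nothing here replaces output encoding; HttpOnly is a second line of defence for the cookie, not a fix for the XSS.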

Supported browsers:

  • IE 6.0 SP1 and later – prevents reading, but not over-writing (still allows preset CSRF attacks)
  • IE 7.0 – prevents reading and writing – safest
  • Safari 1.3 – not supported (updated)
  • Opera 8 and later – not supported (updated)
  • Mozilla – not supported
  • Firefox – not supported
  • IE 5.x for Mac – will actually fail to render the page. Use browser detection to encourage them to migrate to Safari or Firefox once it supports HttpOnly

There is a potential solution for Firefox’s and Mozilla’s lack of support.

Now all we need is for Firefox, Mozilla, Safari (=WebKit), and Opera to climb aboard!

Update: Chris and I spent some time working out if HttpOnly works on a range of browsers. Sadly, some browsers I thought had support… don’t. Oh well.

Defcon is dead, long live Defcon

Well, that was Day 3 of Defcon out of the way. I didn’t get to see too many actual talks due to the hallway track being far more interesting than the actual three track program. Again, few webappsec talks, and some were repeats of the BH talks I’d already seen.

I caught up with a few fine folks, including Jeremiah Grossman, TC, RSnake, Arian Evans (possibly the funniest infosec guy I’ve ever met!), Dinis and more! It was a total hoot, and we did a lot of good work^Wdrinking.

The more esoteric talks were right up there. I wanted to go to Peter Gutmann’s talk on phishing, but unfortunately it was far too early after the night before. Luckily, I have the slides in PDF form, and soon we will have the DVD at work, so that’s no biggie.

The biggest change is the venue. The new location at the Riviera is excellent – it’s still old and crusty, a la Defcon at Alexis Park, but it has *air conditioning* and it can handle zillions of geeks in the manner to which they are accustomed – ie without bathing.

However, the smoking problem is worse than ever. I made my most valiant of efforts to kill them all using my onion ring with crab cake special edition flatus, but unfortunately, it backfired late at night thus causing me more grief than any of the smokers. When will conference organizers equate smokers == lawsuits for obvious and gross negligence when the dangers of said disgusting habit are well known?

In other news, Tanya picked up a huge stogy for her old man.

BlackHat Day 2

Day 2 had a complete web app sec track. This is a huge change from last year, where there was like … my talk and that was about it. And you know what? It was full! Every session I’ve attended so far today has been near full. Plus, it’s top material.

Let’s get on with the details.

Hacking Intranet Websites from the Outside “JavaScript malware just got a lot more dangerous”

Jeremiah Grossman & TC Niedzialkowski

The Register missed the boat – they went to the wrong talk. They should have gone to this talk instead.

Jeremiah and TC showed a bunch of demos which totally 0wned the browser of the victim. This talk was downright scary. They did a basic CSRF attack against a DSL router (incidentally, the model I have at home – luckily I *have* changed the default password), and demo’d the ability to make the victim’s browser the attacker’s complete biatch.

Essentially, you can do two things:

a) don’t go to any sites
b) turn off the Internet

They didn’t even use the Ajax stuff which is now possible, such as cross-domain XHR and Flash based arbitrary header re-writes and forgery, which when taken together essentially mean that an attacker has an extremely wide array of vulnerable sites, such as MySpace and others, from which to send hostile code to your computer to do with as they please. I am certain this is how the malicious mofos behind commercial / organized crime spamming and botnets will try to infect millions of boxes over the next few years.

Ajax talks

These two talks were interesting, but didn’t extend the state of the art much beyond where I was back in February. All of the next three talks had overlapping content, which got a bit monotonous by the end.

“AJAX (in)security”
Billy Hoffman

Billy talked about four areas of Ajax security, but my favorite was how he extended the method of using mashups to be evil via the mashup proxy and hide where you’re from. That’s cool. Billy did go a little bit further with an idea to use Ajax to create a proper worm, but used the ol’ MySpace worm and the Yahoo mail worm to show previous examples.

Billy’s talk was energetic and he talked at a thousand miles an hour. He could have done with some demos. I had a chat with him before the talk, and I think there’s some potential there to collaborate on future stuff.

“Breaking AJAX Web Applications: Vulns 2.0 in Web 2.0″
Alex Stamos & Zane Lackey

With Ajax stuff, it is necessary to bootstrap the audience … this year. The guys went through the basics of Ajax … again … and then went on to talk about the problems as they saw them. Again, not much new here, but at least there was a look at different frameworks, particularly Java based frameworks. I’ve mostly looked at PHP frameworks, so this was pretty interesting.

The guys ran out of time, and so didn’t talk long enough about the methods to prevent attacks. It’s not hard for the main part, but too little detail doesn’t help the BlackHat audience (who are mainly security geeks at larger corporations) who want to know the problem … and the solution. At DefCon, you don’t have to worry about the solution as they’re just interested in the problem.

“Six Degrees of XSSploitation”
Dan Moniz & HD Moore

This talk was interesting as HD Moore and Dan Moniz are relatively (in-) famous. However, it was a fairly lightweight presentation, again introducing XSS and Ajax and the MySpace worm. There was some good material in here, potentially looking at things you can do once you’ve found yourself a nice juicy XSS.

I would have liked to hear more about the ActiveX null pointer execution thing that is apparently coming out next week, but obviously that one is under NDA. HD took a back seat to Dan most of the time, but that’s okay – they imparted a lot of information in not much time.

“Analysis of Web Application Worms and Viruses”
Billy Hoffman

Placeholder

Blackhat Day 1

“TBA” – David Litchfield

David did a talk on the problems with Informix. Awesome talk, and shows that all database servers are vulnerable. He totally 0wned his server in a set of well rehearsed demos.

I don’t use Informix so it wasn’t that useful to me, but a take home message is total props to IBM for solving these problems. Oracle can learn a few things from IBM on how to listen to professional security researchers, and fix stuff in a reasonable time frame.

“How to Unwrap Oracle PL/SQL”
Pete Finnigan

Pete went through the basics of figuring out how to unwrap (decode) PL/SQL. I’ve just finished doing a major PL/SQL code review, and I was hoping it was about how to do good code reviews of this language. It turns out that some folks encode their PL/SQL (which is essentially Ada with some extensions) to obfuscate the source. We don’t do that, so I found this stuff pretty dull. However, I’ll keep it filed away in case we get some third party code which has been “wrapped”.

Wrapping is an encoded form of DIANA. Pete showed how to decode this representation from the raw bytes stashed by Oracle. He also had some unkind words for the tools which supposedly decode this stuff today.

Lastly, 10g went backwards. They don’t use this method, instead favoring just base64 encoding. That’s cool, as it makes it easier to decode stuff in 10g.

Oracle Rootkits 2.0: The Next Generation
Alexander Kornbrust

Awesome talk. More when I have time to get my thoughts together. Take home point: take the time to secure your database servers, and isolate them.

Hallway track

So awesome to be here and meet the folks who do the research. I met a bunch of really smart folks and did a bit of an interview. If it comes out, I will update this entry.

OSCON

Work: I owe my boss a huge beer (and a document) and an apology when I get back to Australia.

Personal life: in the dog house. I got very little sleep these last few days, and I bet my other half is feeling far worse than me. Hopefully, she can come to Vegas so we can sort things out.

OSCON: Awesome.

My presentations went down well. I’ll upload the new presentations soon, but the Ajax Security demo went off really well. The room was overflowing with folks, so I’m really chuffed that so many of you decided to come.

I’ll put up the Ajax XSS demo I did later, but please be aware that these demos are INSECURE by design, and only to test them on your internal systems. The trick is to:

<img src="kitty.jpg" onLoad="... your javascript attack here ...">

People forget there’s literally hundreds and possibly millions of ways to do XSS. Do NOT look for script or Javascript and think you’re done. That’s stupid. Make the output safe, it’s faster, it’s simpler, and it works.
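To make the point concrete, here is an added example (not code from the talk or the demo) contrasting the two approaches on the img/onLoad payload above. naive_filter and safe_output are hypothetical names; the payload string is constructed for the example.

```php
<?php
// Added example, not from the original post. Shows why searching the input
// for "script" or "javascript" is not a defence, and why encoding the
// output is.

// A naive blacklist filter of the kind the post warns against.
function naive_filter($input)
{
    return str_ireplace(array('<script', 'javascript:'), '', $input);
}

// Output encoding: every character with HTML meaning becomes an entity,
// so the browser can never interpret the user data as markup or as an
// attribute boundary. ENT_QUOTES covers both " and '.
function safe_output($input)
{
    return htmlspecialchars($input, ENT_QUOTES, 'UTF-8');
}

// Constructed payload based on the post's img/onLoad trick: no <script>
// tag and no "javascript:" anywhere in it.
$payload = '<img src="kitty.jpg" onLoad="alert(document.cookie)">';

echo naive_filter($payload), "\n";
echo safe_output($payload), "\n";
```

The first echo prints the payload unchanged, because neither blacklisted string occurs in it; the browser would load kitty.jpg and run the onLoad handler. The second turns every <, >, " and ' into an entity, so the same bytes render as harmless text. htmlspecialchars() is the right tool for HTML body text and quoted attribute values; data that lands inside a script block, a URL, or CSS needs an encoder for that context, and an unquoted attribute is never safe regardless of encoding.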

People

I met so many folks who I had spoken to over the net, or e-mailed. Everyone is so nice and friendly, it’s incredible to meet the greats. I really enjoyed catching up with Chris and Laura, met the Schlossnagles for the first time (cool dudes, cute kids :) , and of course, Wez.

Unfortunately, due to the bad things going on in my personal life, I could not bring myself to hang out after hours as I was feeling extremely down, but life goes on. I was hoping to go out to Portland a bit more; maybe next time.

Talks

I went to a fair few webappsec related talks, and it’s truly gratifying to me that the developers had an entire stream dedicated to it. I really enjoyed the PHP Security hoe down – we had a wack job in the back row causing a bit of a stir, but after he left, the hour really flew.

Portland

I’ve never been here before. It’s a very nice city, great public transport. I’ll post some images soon as it’s very pretty this time of the year. It was a bit hot when I got here (about 40C) but it soon cooled down to mid 20’s and I’ve been happy with that. :)

A friend through newbeetle.org picked me up from the airport last Sunday, and we went to her place and hung out for a while. She invited over a friend of hers, and I got to see her and her hubby’s New Beetles (a nice Turbo S and a unired NBC), and her friend’s green Gecko TDI New Beetle. Very nice – I wish we could get that color in Australia. We had breakfast on Friday morning even though I was extremely tired (no sleep) and a bit sad, and she picked me up this morning to take me to the airport. I’m so impressed, I wish I could say I was as good a host when I have folks visiting. Thanks, Debbie – you set the standard!

Next steps

I’m off to SF next. I’m at the airport now. I have to spend a few hours this weekend getting stuff together to meet the CSO of a major partner of work’s, like running through the ESA presentations and ensuring that we have something constructive to talk about. I might need to go to Kinkos tomorrow and print off a few things unless my hotel has a printer I can use.

Press: Q&A on Ajax / SOA Security

Colleen Frye from SearchAppSecurity.com, interviewed me via e-mail a couple of weeks ago on the OWASP Ajax security research and materials I’ve been pumping out. Although she asked for brief answers, to paraphrase Mark Twain, I didn’t have the time to write shorter answers.

The results are now available for your reading pleasure.

Part 1
Part 2

A quickie

Here’s a single slide from the PHP security architecture slide deck. When I’ve sorted myself out in terms of demos for OSCON, I will release the entire thing when it’s in better shape (and smaller for the web – this Keynote theme seems particularly heavy).

Slide 9 (1.2 MB, pdf)

PHP Security Architecture

[ EDIT: a comment I wrote in this entry referred to Laura Thomson as one of the reviewers of the OWASP Top 5 article. Although I have discussed other PHP related things with Laura, this article is not one of them. I've carefully reviewed my Sent folder during this time, and I've updated the reviewers in the article on the OWASP website. I apologize to Laura for bringing her into this sordid affair. ]

I have a comprehensive PHP security architecture for PHP 6 I’ve been developing, which I wanted to present to Chris for his comment, and if he felt it was good, possibly then ask Rasmus and Andi for a beer or two whilst I am at OSCON.

However, I’ve just had a very disturbing e-mail conversation with Stefan Esser, PHP security researcher, founder of Hardened PHP, and one of the initiators of security@php.net. He posted from his php.net address, so I imagine he was talking to us (as in OWASP) in his PHP security bod at large capacity, but I’m not sure.

I’m now basically convinced that there is just no point trying to make PHP safe. The people involved are too poisonous and arrogant to change, therefore PHP will not change and become safe. My architecture would be attacked viciously but nothing would be done to put something like it in place. And without a decent architecture (mine or someone else’s), PHP is no safer than it is today, which is to say – not safe at all unless you know what you’re doing and can control php.ini, a luxury most shared host users do not have.

The best bet for PHP is to kill it by letting the current development team make PHP 6.0 into even more of a niche than PHP 5.x is, and ensure that hosters become more and more locked into the insecure PHP 4.x. When the hosters get sick of rebuilding their virtual hosts all the time, it will become uneconomical to allow PHP to be on their hosts. They will take it off, and ask people to move to safer languages / frameworks.

It’s time for PHP to die.

Update… I’m not going to re-write history, so I’ve left the above text for you to see.

However, it’s not fair to the PHP community that we security folks argue amongst ourselves whilst their apps continue to fall victim to the same attacks, time after time. I will spend more time on the architecture and create a BoF at the conference to present it after spreading it around my coterie of PHP friends for advice and comment. I’d love to have everyone who has been so passionate about this article come see us at OSCON and see what I have in mind.

OSCON 2006 – See you there!

Just a quick note as to the quietness of the blog. I’m working on a few things:

  • my slides for OSCON (webappsec 150 tutorial, and updating my Ajax presentation to include the latest research and make it a bit more (ahem) controversial to liven things up)
  • doing demos for the above
  • my slides for OWASP Melbourne, July 2006 meeting (this coming Wednesday! Details)
  • reconstructing my work laptop
  • the OWASP membership packs and other executive director project items
  • administrating Aussieveedubbers
  • writing a fresh Ajaxy UltimaBB installer
  • writing a proposal for a workable security architecture for PHP 6 which I want to present to Chris when I go to OSCON, and maybe earn myself an audience with Rasmus and the other PHP luminaries to discuss it over a beer or two and thus decrease my trolliness to those folks.

and plus Tanya would like my body sometime as well. I’ve given up TV. Woe is me!

See you at OSCON 2006.

I’m also making an appearance at BlackHat and Defcon, and will be in SF in between those two conferences, and possibly in Salt Lake City before OSCON (depends on work). If you want a Thawte Notarization for the Web of Trust (free *real* fully trusted S/MIME certificates!), please bring photocopies of your photo ID and I’ll do it for free.
