Archive for the ‘Security’ Category

dradis v1.2 - now with one-click installer

Friday, June 13th, 2008

In addition to the changes released on the 4th of April, yesterday we released a Windows one-click installer for dradis.

The summary of the features of the v1.2 release:

  • in the client:
    • export to XML module is now part of the standard module set.
    • a new implementation of the command line parser: now it is possible to use single and double quotes to pass multi-word arguments to the different commands.
    • fixed the window.rb:159 bug.
  • in the server:
    • a slightly less annoying implementation of the web interface auto refresh functionality.
    • the services added through the web interface can have a name now :)
    • simple prevention against embedded XSS.

You can also download the platform-independent ruby source in the download section of the site.


middleware and me (part 1)

Tuesday, May 6th, 2008

hack-fu by: rux0r

This post is the first in a series on the subject of enterprise messaging and in particular on IBM’s flavour of it. The objective of these posts will be to remove some of the confusion about its purpose, the technologies and the methods of securing it. Hopefully this will help both security testers and other interested parties to feel confident about this important area of IT security.
(more…)

Black Hat Europe 2008

Wednesday, April 2nd, 2008


I have just arrived from Black Hat Europe 2008 in Amsterdam (this one, not this one). It has been a cool experience, not exactly what I expected but really interesting.

Briefings were held during the 27th and 28th of March, and the presentations are available for download. If you want to see what the chef recommends just keep reading…

(more…)

howto create an intermediate Certificate Authority (CA) using openssl

Thursday, March 20th, 2008

What is an Intermediate Certificate Authority (CA) and why do I need one? An Intermediate CA is an authority that you use to issue your own SSL certificates in a PKI environment. An Intermediate CA depends on a Root CA, which is the origin of the chain of trust. The idea is that if your Intermediate CA gets compromised, or you decide to revoke all the certificates issued by it, you can still use your Root CA without further inconvenience for your users (the users only need to have the certificate of the Root CA installed in their browsers).

As for the second question, the short answer is that chances are you really do not need one :) but for the sake of the experiment let's get our hands dirty!
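As an added example (not the post's own howto, which is behind the link), the following script builds a root CA, a subordinate CA and a leaf certificate with the openssl CLI and then checks the chain of trust described above: a client that trusts only the root validates the leaf through the intermediate, and fails if the intermediate is missing. It assumes the openssl CLI is installed; the subject names and the work directory are made up.

```shell
#!/bin/sh
# Added example, not code from the original post. Two-tier PKI with openssl:
# root -> intermediate -> leaf. Names and the temporary directory are constructed.
set -eu
WORK="$(mktemp -d)"
cd "$WORK"

# 1. Root CA: self-signed, in practice kept offline. pathlen:1 means it may
#    have at most one CA level below it (the intermediate).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Root CA" \
  -keyout root.key -out root.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:1\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
openssl x509 -req -in root.csr -signkey root.key -days 3650 -sha256 \
  -extfile root.ext -out root.crt 2>/dev/null

# 2. Intermediate CA: its CSR is signed by the root; pathlen:0 means it can
#    only issue end-entity certificates, not further CAs.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Example Intermediate CA" \
  -keyout inter.key -out inter.csr 2>/dev/null
printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
openssl x509 -req -in inter.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 1825 -sha256 -extfile inter.ext -out inter.crt 2>/dev/null

# 3. Leaf (server) certificate, issued by the intermediate and never by the root.
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout leaf.key -out leaf.csr 2>/dev/null
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' > leaf.ext
openssl x509 -req -in leaf.csr -CA inter.crt -CAkey inter.key -CAcreateserial \
  -days 365 -sha256 -extfile leaf.ext -out leaf.crt 2>/dev/null

# Succeeds: the verifier trusts only root.crt, and the untrusted intermediate
# supplied alongside the leaf completes the chain up to that root.
verify_chain() {
  openssl verify -CAfile root.crt -untrusted inter.crt leaf.crt >/dev/null 2>&1
}
# Succeeds when verification correctly FAILS without the intermediate: a client
# that only has the root installed must still be sent the intermediate.
verify_without_intermediate_fails() {
  ! openssl verify -CAfile root.crt leaf.crt >/dev/null 2>&1
}
```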
(more…)

security advisory: Elastic Path Unrestricted Filesystem Access

Monday, March 10th, 2008

Elastic Path is a popular Java e-commerce platform for building online stores and shopping carts. Elastic Path consists of both a shopping front end where customers can browse and choose the products and a managing backend for administration purposes.

Users of the administrative interface can be granted different levels of access. Research revealed that users with upload/download privileges could abuse them to gain access to arbitrary files in the remote system (read the security advisory - mirror #1, mirror #2).

update: a link to the patch is available in Elastic Path Developer’s site (thanks to d-dub).
update: this vulnerability has been assigned the following CVE number: CVE-2008-1606.
(more…)

dradis v1.1 is out

Friday, March 7th, 2008

A new version of dradis, the information sharing tool for security teams, was released on the 29th of February. Some major changes were introduced since the first release back in December:

  • New client GUI that runs in Linux, Windows and Mac OS (screenshots).
  • New web interface.
  • Improved step-by-step installation instructions.
  • New contributed modules:
    • Export your Knowledge Base to an XML file.
    • Run nmap from dradis and store the results in the knowledge base.

If you want to give it a try, go to the download page. And please let me know any thoughts or feedback (remember that you can use the dradis development mailing list: dradis-devel).
(more…)

security quiz: input validation bypass

Friday, February 22nd, 2008

A quick quiz from The Web Application Hacker's Handbook:

An input validation mechanism designed to block cross-site scripting attacks performs the following sequence of steps on an item of input:

1.- strip any <script> expressions that appear
2.- truncate the input to 50 characters
3.- remove any quotation marks within the input
4.- url-decode the input
5.- if any items were deleted, return to step 1

how would you bypass it?

sql injection: inference attack (part 2)

Sunday, January 27th, 2008

In the previous article of this series (sql injection: inference attack) we saw an introduction to the concept of SQL inference attacks. In security advisory: Plogger Photo Gallery SQL Injection we saw that the Plogger Photo Gallery SQL injection vulnerability was an ideal scenario for studying SQL inference attacks.

Now it’s time to see a hands-on example of how to exploit a SQL injection vulnerability using this technique. Please note that the intended audience of this article is security researchers who want to gain a deeper knowledge of the nature and internals of SQL inference attacks.
(more…)

security advisory: Plogger Photo Gallery SQL Injection

Wednesday, December 19th, 2007

Plogger is an open source PHP photo gallery with over two years of development and more than 50,000 downloads. The Plogger web site (http://www.plogger.org), describes the application as a fully featured photo sharing package with an attractive and easy to use administrative interface.

It was found that insufficient validation was applied to the input parameters of the script that generates Plogger’s RSS feeds. As a result, SQL code could be injected into Plogger database queries (read the security advisory - mirror #1, mirror #2).

update: this vulnerability has been assigned the following CVE number: CVE-2007-6587.
(more…)

xmitm: xml man in the middle

Sunday, December 16th, 2007

This post is a result of ideas and tools developed during the review of client-side applications that use the XMPP protocol to communicate with a server (opening a raw socket, not using HTTP as a transport).

The only way we could think of to get our hands on the communication was to write a small set of scripts to trick the client and encapsulate the communication inside HTTP requests, which we could then manipulate using standard proxy tools such as burp.

Although the information and scripts described in this post are focused on intercepting an XML communication, the same principles apply to mounting a man in the middle against any ASCII protocol such as SMTP, FTP or POP.

update: slides available here
(more…)