Beware of JBoss’ “SecureIdentityLoginModule”
From JBoss' Community Wiki EncryptingDataSourcePasswords page:
The org.jboss.resource.security.SecureIdentityLoginModule from jboss-jca.jar can be used to encrypt database passwords rather than using clear text passwords in the DataSource configuration. [...]
Which, in principle, is a great thing: database credentials usually end up in the web application's configuration file in clear text. However:
[...] It uses a hard-coded password to encrypt/decrypt the DataSource password.
Bottom line: anyone using the SecureIdentityLoginModule to encrypt the password in the configuration file is doing so with Blowfish and a well-known key. So if during an engagement you find a configuration snippet similar to the one below:
<policy>
  [...]
  <!-- Example usage of the SecureIdentityLoginModule -->
  <application-policy name="EncryptDBPassword">
    <authentication>
      <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
        <module-option name="username">sa</module-option>
        <module-option name="password">5dfc52b51bd35553df8592078de921bc</module-option>
        <module-option name="managedConnectionFactoryName">[...]</module-option>
      </login-module>
    </authentication>
  </application-policy>
  [...]
</policy>
You should be able to reverse the encryption and get the credentials in clear text. JBoss.java can help you with this; it is now available in usefulfor's repository on GitHub.
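As an added defensive check (not code from this post, from JBoss, or from usefulfor's repository), the script below audits a login-config.xml fragment and flags every application-policy that relies on the SecureIdentityLoginModule, so the affected database credentials can be rotated and the policy migrated. The sample XML is constructed from the snippet above; the connection factory name is a placeholder.

```python
import xml.etree.ElementTree as ET

# Fully qualified class name of the module whose "encryption" uses a hard-coded key.
WEAK_MODULE = "org.jboss.resource.security.SecureIdentityLoginModule"

# Constructed sample login-config.xml (not a real deployment). The second policy
# uses a different login module and must not be reported.
SAMPLE_LOGIN_CONFIG = """<policy>
  <application-policy name="EncryptDBPassword">
    <authentication>
      <login-module code="org.jboss.resource.security.SecureIdentityLoginModule" flag="required">
        <module-option name="username">sa</module-option>
        <module-option name="password">5dfc52b51bd35553df8592078de921bc</module-option>
        <module-option name="managedConnectionFactoryName">PLACEHOLDER-CONNECTION-FACTORY</module-option>
      </login-module>
    </authentication>
  </application-policy>
  <application-policy name="AppRealm">
    <authentication>
      <login-module code="org.jboss.security.auth.spi.UsersRolesLoginModule" flag="required"/>
    </authentication>
  </application-policy>
</policy>"""


def audit_login_config(xml_text):
    """Return one finding per application-policy that uses SecureIdentityLoginModule.

    The password option is reported only as present/absent: its value is
    effectively a clear-text secret, so it must never end up in a log or report.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for policy in root.iter("application-policy"):
        for module in policy.iter("login-module"):
            if module.get("code") != WEAK_MODULE:
                continue
            options = {o.get("name"): (o.text or "").strip() for o in module.iter("module-option")}
            findings.append({
                "policy": policy.get("name"),
                "username": options.get("username"),
                "has_encrypted_password": bool(options.get("password")),
                "risk": "Blowfish with a hard-coded key; treat the password as clear text and rotate it",
            })
    return findings


if __name__ == "__main__":
    for finding in audit_login_config(SAMPLE_LOGIN_CONFIG):
        print(f"[WEAK] policy={finding['policy']} user={finding['username']}: {finding['risk']}")
```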
security quiz: input validation bypass
A quick quiz from The Web Application Hacker's Handbook:
An input validation mechanism designed to block cross-site scripting attacks performs the following sequence of steps on an item of input:
1.- strip any <script> expressions that appear
2.- truncate the input to 50 characters
3.- remove any quotation marks within the input
4.- URL-decode the input
5.- if any items were deleted, return to step 1
How would you bypass it?
sql injection: inference attack (part 2)
In the previous article of this series (sql injection: inference attack) we saw an introduction to the concept of SQL inference attacks. In security advisory: Plogger Photo Gallery SQL Injection we saw that the Plogger Photo Gallery SQL injection vulnerability was an ideal scenario for studying SQL inference attacks.
Now it's time to see a hands-on example of how to exploit a SQL injection vulnerability using this technique. Please note that the intended audience of this article is security researchers who want to gain a deeper knowledge of the nature and internals of SQL inference attacks.
yl18.net: the chinese menace
This is the story of an attack I had to investigate for a client. The symptoms: mass defacement of web pages on the server; the only tool: roughly 1GB of web server log files.
sql injection: inference attack
SQL injection is the process of injecting SQL commands into strings processed by an application. This is possible when user input is insufficiently validated before it is embedded in dynamically built SQL queries.
Different types of attack exist and not all of them are suitable for every situation.