Black Hat Europe 2008

April 2nd, 2008 by etd

I have just arrived from Black Hat Europe 2008 in Amsterdam (this one, not this one). It has been a cool experience, not exactly what I expected but really interesting.

Briefings were held during the 27th and 28th of March, and the presentations are available for download. If you want to see what the chef recommends, just keep reading… :roll:

Posted in Events | No Comments »

Elastic Path is a popular Java e-commerce platform for building online stores and shopping carts. Elastic Path consists of both a shopping front end where customers can browse and choose the products and a managing backend for administration purposes.

Users of the administrative interface can be granted different levels of access. Research revealed that users with upload/download privileges could abuse them to gain access to arbitrary files on the remote system (read the security advisory - mirror #1, mirror #2).

update: a link to the patch is available in Elastic Path Developer’s site (thanks to d-dub).
update: this vulnerability has been assigned the following CVE number: CVE-2008-1606.

Posted in Advisories | 1 Comment »

dradis v1.1 is out

March 7th, 2008 by etd

A new version of dradis, the information sharing tool for security teams, was released on the 29th of February. Some major changes were introduced since the first release back in December:

  • New client GUI that runs in Linux, Windows and Mac OS (screenshots).
  • New web interface.
  • Improved step-by-step installation instructions.
  • New contributed modules:
    • Export your knowledge base to an XML file.
    • Run nmap from dradis and store the results in the knowledge base.

If you want to give it a try, go to the download page. And please let me know any thoughts or feedback (remember that you can use the dradis development mailing list: dradis-devel).

Posted in Tools | No Comments »

security quiz: input validation bypass

February 22nd, 2008 by etd

A quick quiz from The Web Application Hacker's Handbook:

An input validation mechanism designed to block cross-site scripting attacks performs the following sequence of steps on an item of input:

1.- strip any <script> expressions that appear
2.- truncate the input to 50 characters
3.- remove any quotation marks within the input
4.- URL-decode the input
5.- if any items were deleted, return to step 1

How would you bypass it?

Windows Vista includes the “Windows Sidebar”. This new feature allows users to display ‘gadgets’ on the sidebar and on the Windows desktop. Gadgets are small applications containing HTML, XML and JavaScript.

The ITN News Sidebar gadget provides users with the ability to view the latest world, money, sports, showbiz and weather news, and to read and watch video news on the flyout panel. This information is requested by the ITN News gadget from a web server, which responds to the gadget with the latest news stories. An attacker capable of intercepting the web server response to the gadget request could modify that response such that a script was injected and then run on the user’s system. The injected script would run under the privileges of the currently logged in user.

sql injection: inference attack (part 2)

January 27th, 2008 by etd

In the previous article of this series (sql injection: inference attack) we saw an introduction to the concept of SQL inference attacks. In security advisory: Plogger Photo Gallery SQL Injection we saw that the Plogger Photo Gallery SQL injection vulnerability was an ideal scenario to study SQL inference attacks.

Now it’s time to see a hands-on example of how to exploit a SQL injection vulnerability using this technique. Please note that the intended audience of this article is security researchers who want to gain a deeper knowledge of the nature and internals of SQL inference attacks.

Meridio Embedded Cross Site Scripting

January 15th, 2008 by rdv

Meridio Document and Records Management is an enterprise content management system (Enterprise Document and Records Management - eDRM).

Meridio has been identified as being vulnerable to an embedded Cross Site Scripting vulnerability in the ‘Title’ field when uploading a document (name="subGeneralProps:dmpvDocTitle:PROP_W_title") and when creating a container (name="subGeneralProps:dmpvContainerTitle:PROP_W_title"), and also within the uploaded document.

Consequently, a malicious user could permanently inject JavaScript into the application. This malicious code could be made publicly accessible for other users of the Meridio application and would be executed within the context of the user’s browser accessing the embedded script.

This vulnerability could be exploited in a large number of ways, such as session hijacking, key logging or social engineering; the main limitation would be the creativity of the person performing the attack.

It should be noted that for this vulnerability to be exploited an attacker would need to be a user of the application or to have compromised a user account.

Meridio have addressed this vulnerability and implemented a fix in version 4.3 SR1 and higher.

The full security advisory can be found here: [1] [2]

Plogger is an open source PHP photo gallery with over two years of development and more than 50,000 downloads. The Plogger web site (http://www.plogger.org), describes the application as a fully featured photo sharing package with an attractive and easy to use administrative interface.

It was found that insufficient validation was applied to the input parameters of the script that generates Plogger’s RSS feeds. As a result, SQL code could be injected into Plogger database queries (read the security advisory - mirror #1, mirror #2).

update: this vulnerability has been assigned the following CVE number: CVE-2007-6587.

xmitm: xml man in the middle

December 16th, 2007 by etd

This post is a result of ideas and tools developed during the review of client-side applications that use the XMPP protocol to communicate with a server (opening a raw socket, not using HTTP as a transport).

The only way we could think of to get our hands on the communication was to write a small set of scripts to trick the client and encapsulate the communication inside HTTP requests that we could then manipulate using standard proxy tools such as burp.

Although the information and scripts described in this post are focused on intercepting an XML communication, the same principles apply to man-in-the-middle attacks on any ASCII protocol such as SMTP, FTP or POP.

update: slides available here

dradis

December 11th, 2007 by etd

dradis is a tool for sharing information during a pentest. If you are part of a team of testers working against the same set of targets, you will need to communicate with each other. The more efficient this communication is, the more chances of a successful breach you will have.

Posted in Tools | 1 Comment »