Posts

Showing posts from December, 2010

Microsoft's Recommendation on View State MAC

Advisory:
Trustwave's SpiderLabs Security Advisory TWSL2010-001: Multiplatform View State Tampering Vulnerabilities
https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt
Published: 2010-02-08 Version: 1.1

Analysis:

Wrong or inadequate recommendations from a vendor can do real harm to its customers, who tend to stay compliant with the vendor's documentation and recommendations to the letter.

Researchers from SpiderLabs pointed out: "A vulnerability was alluded to in a 2004 Microsoft article on troubleshooting view state problems [1]. However, other Microsoft documents recommend disabling view state signing 'if performance is a key consideration,' [2, 3, 4] or for various other reasons [5, 6]. Realistically, unsigned view states should never be used in a production environment."

Web Service Hijacking in VMWare WebAccess

Advisory:
Trustwave's SpiderLabs Security Advisory TWSL2010-002
Web Service Hijacking in VMWare WebAccess

https://www.trustwave.com/spiderlabs/advisories/TWSL2010-002.txt

Published: 2010-03-30 Version: 1.0

Analysis:

Web application developers tend to use reversible encodings such as Base64 or rot13 to hide sensitive information in POST data and query strings. Scanning this kind of web application with automated tools will fail to discover this kind of vulnerability, because current web application scanners are built to fuzz parameters rather than to recognise and decode encoded values.


Check:

Look for all possible encoded or encrypted data and identify the algorithms used.
Decode the data and re-submit the request with tampered values.
Observe the application's behavior to learn whether it fulfils the tampered request or rejects it.



Related:

This vulnerability can be logically related to view state tampering of ASP.Net/JSF/JSP where developers mostly store sensitive information in View State data.

Passlogix v-GO Self-Service Password Reset Bypass via Invalid SSL Certificate

Advisory:
Trustwave's SpiderLabs Security Advisory TWSL2010-007: Passlogix v-GO Self-Service Password Reset Bypass via Invalid SSL Certificate
https://www.trustwave.com/spiderlabs/advisories/TWSL2010-007.txt
Published: 2010-12-10 Version: 1.0
Analysis:

It appears that the SSL exception window is tied to the target machine.
This window may itself be part of the application, and it unfortunately provides a way to browse the target machine's file system (rather than the user's own) when exporting certificates.

This vulnerability can be classified as a 'design flaw': there is no authentication check on access to the file system, and the vulnerable window form is not tied to the authentication realm.

Check:

The above finding would mostly be missed in a normal pentest, where the pentester and the target application are the only actors. However, SpiderLabs researchers managed to test the target application in different environment settings under their control. Thus, it is essent…

Profense Web Application Firewall and Load Balancer multiple vulnerabilities

Advisory:
Joint Trustwave's SpiderLabs Security Advisory TWSL2009-001 and EnableSecurity Advisory ES-20090500: Profense Web Application Firewall and Load Balancer multiple vulnerabilities
Published: 2009-05-19 Version: 1.0

https://www.trustwave.com/spiderlabs/advisories/TWSL2009-001.txt




Analysis:

We noted that researchers from Trustwave and EnableSecurity were able to bypass the protection of Profense Web Application Firewall. The following words caught our attention:

"Inserting extra characters in the JavaScript close tag" (</script ByPass>)

"pattern matching in multi line mode matches any non-hostile line and marks the whole request as legitimate. by making use of a URL-encoded new line character" (Logic Flaw)

Sample exploits that bypass the defense:

xss.php?var=abcdef%3Cembed%3Eaaaaaaa%3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3E
xss.php?var=%3CEvil%20script%20goes%20here%3E=%0AByPass

Check:

It's necessary to test web application firewalls with various pay…

Payment / Banking sites with vulnerable SSL issues

Although official compliance requirements and policies demand that every financial institution use strongly encrypted channels for transferring sensitive information, we have been seeing relatively weak cipher strengths and unpatched flaws such as the SSL Renegotiation Bug on payment and banking sites, depending on the countries/IPs they're hosted in.
To make the people concerned aware of the issues, we've prepared a snapshot list of some vulnerable banking sites, taken via SSL Labs.

Rating A but vulnerable to SSL Renegotiation Attack:

Barclays Bank UK - ibank.barclays.co.uk
UOB Bank - pib.uob.com.sg
OCBC Bank - ocbc.com
HSBC Bank US - us.hsbc.com
HSBC Bank UK - hsbc.co.uk
Ever Bank - www.everbank.com
NatWest Bank - natwestibanking.com
Citizens Bank - citizensbankonline.com
Summit Bank - summitbankdirect.com
Tai Fung Bank - taifungbank.com
United One Credit Union - www.unitedone.org
eAdvantage Internet Banking - cib-maintpg.ibanking-services.com
Isle of Man Bank - www.iombankibanking.com
RBS International Bank - www.…