Tuesday, December 28, 2010

Microsoft's Recommendation on View State MAC


Trustwave's SpiderLabs Security Advisory TWSL2010-001:
Multiplatform View State Tampering Vulnerabilities
Published: 2010-02-08 Version: 1.1
Wrong or inadequate recommendations from a vendor can have a serious effect on customers who follow the vendor's documentation and recommendations to the letter in order to stay compliant.
Researchers from SpiderLabs pointed out: 
"A vulnerability was alluded to in a 2004 Microsoft article on
troubleshooting view state problems [1]. However, other
Microsoft documents recommend disabling view state signing
"if performance is a key consideration," [2, 3, 4] or for
various other reasons [5, 6]. 
Realistically, unsigned view states should never be used in a production environment."

Web Service Hijacking in VMWare WebAccess

Trustwave's SpiderLabs Security Advisory TWSL2010-002
Web Service Hijacking in VMWare WebAccess


Published: 2010-03-30 Version: 1.0


Web application developers tend to use reversible encodings such as Base64 or rot13 (often treated as if they were hashes) to hide sensitive information in POST data and query strings. Scanning this kind of web application with automated tools will fail to discover this kind of vulnerability, because current web application scanners are programmed to fuzz rather than to decode a value, change it meaningfully and re-submit it.


  1. Look for all possible encoded or encrypted data and identify their algorithms.
  2. Decode or decrypt the data, modify it, and re-submit the request with the tampered values.
  3. Learn the application's behaviour: does it fulfil your tampered request or not?


This vulnerability is logically related to view state tampering in ASP.NET/JSF/JSP, where developers often store sensitive information in the view state data.
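As an added example (not code from either advisory, from Microsoft or from VMware), the following Python contrasts a state token protected only by Base64, the pattern both posts above describe, with the same token carrying an HMAC as view state does when MAC checking is enabled; the secret key, the token layout and the sample state are assumptions made for the demo.

```python
import base64
import hashlib
import hmac
import json

# Constructed server-side secret for the demo; in ASP.NET this role is played by the machineKey.
SECRET = b"example-secret-key-for-demo-only"

def encode_unsigned(state: dict) -> str:
    """Base64 only, the 'hidden' form the advisories warn about: anyone can decode and edit it."""
    return base64.urlsafe_b64encode(json.dumps(state, sort_keys=True).encode()).decode()

def decode_unsigned(token: str) -> dict:
    return json.loads(base64.urlsafe_b64decode(token.encode()))

def edit_state(token: str, **changes) -> str:
    """What an unsigned token permits any client to do: decode, change fields, re-encode."""
    state = decode_unsigned(token)
    state.update(changes)
    return encode_unsigned(state)

def encode_signed(state: dict) -> str:
    """Base64 payload plus an HMAC-SHA256 over it, like view state with MAC enabled."""
    payload = base64.urlsafe_b64encode(json.dumps(state, sort_keys=True).encode())
    mac = hmac.new(SECRET, payload, hashlib.sha256).hexdigest()
    return payload.decode() + "." + mac

def decode_signed(token: str) -> dict:
    """Return the state only if the MAC verifies; raise ValueError on any tampering."""
    payload, _, mac = token.rpartition(".")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        raise ValueError("view state MAC check failed")
    return json.loads(base64.urlsafe_b64decode(payload.encode()))

def demo() -> tuple:
    """Compare what the server accepts for an edited unsigned token vs an edited signed one."""
    original = {"user": "alice", "role": "user", "price": 100}
    # Unsigned: the edited token is accepted as-is; the server never learns it was changed.
    unsigned = edit_state(encode_unsigned(original), role="admin", price=1)
    role_seen_by_server = decode_unsigned(unsigned)["role"]
    # Signed: editing the payload leaves a MAC that no longer matches, so it is rejected.
    payload, _, mac = encode_signed(original).rpartition(".")
    forged = edit_state(payload, role="admin", price=1) + "." + mac
    try:
        decode_signed(forged)
        signed_accepted = True
    except ValueError:
        signed_accepted = False
    return role_seen_by_server, signed_accepted
```

Calling `demo()` returns `('admin', False)`: the unsigned server happily sees the edited role, while the signed variant rejects the same edit.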

Passlogix v-GO Self-Service Password Reset Bypass via Invalid SSL Certificate

Trustwave's SpiderLabs Security Advisory TWSL2010-007: Passlogix v-GO Self-Service Password Reset Bypass via Invalid SSL Certificate
Published: 2010-12-10 Version: 1.0


It appears that the SSL exception window is tied to the target machine.
The window may itself be part of the application, and unfortunately it provides a way to browse the target machine's file system (to export certificates) rather than the user's own.

This vulnerability can be classified as a design flaw: there is no authentication check before the file system is accessed. The vulnerable window form is not tied to the application's authentication realm.


The above finding could easily be missed in a normal pentest, where the pentester and the target application are the only actors. However, SpiderLabs researchers managed to test the target application under different environment settings that were under their control. It is therefore essential to consider what environmental factors may interfere with the target application's logic and workflow: draw up test cases, then examine and study the application's behaviour.

Monday, December 27, 2010

Profense Web Application Firewall and Load Balancer multiple vulnerabilities


Joint Trustwave's SpiderLabs Security Advisory TWSL2009-001 and
EnableSecurity Advisory ES-20090500: Profense Web Application Firewall
and Load Balancer multiple vulnerabilities
Published: 2009-05-19 Version: 1.0



We noted that researchers from Trustwave and EnableSecurity were able to bypass the protection of the
Profense Web Application Firewall.
The following points caught our attention:
  1. "Inserting extra characters in the JavaScript close tag" (e.g. </script ByPass>)
  2. "pattern matching in multi line mode matches any non-hostile line and marks the whole request as legitimate. by making use of a URL-encoded new line character" (logic flaw)
Sample exploits that bypass the defense:

It is necessary to test web application firewalls with a variety of payloads, transforming known attack vectors into different encodings and forms.
It is not enough to try payloads straight from the available XSS cheat sheets:
- http://ha.ckers.org/xss.html#XSS_Extraneous open brackets
- http://ha.ckers.org/xss.html#XSS_Embeded_newline
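Added example, not Profense's code or the advisory's: a toy Python matcher that reproduces the two weaknesses quoted above, beside a corrected check. The regexes are assumptions standing in for whatever the product actually used; the sample requests are constructed.

```python
import re
from urllib.parse import unquote

# Constructed toy matcher modelling the two weaknesses the advisory describes.
# Weakness 1: the signature expects the literal close tag "</script>" and nothing else.
# Weakness 2: a "benign line" allow-pattern compiled in MULTILINE mode, so ^ and $
#             anchor to single lines; one harmless-looking line whitelists the request.
NAIVE_SIGNATURE = re.compile(r"</script>", re.IGNORECASE)
BENIGN_LINE = re.compile(r"^[\w\s=&./?-]*$", re.MULTILINE)

def naive_waf_allows(raw_request: str) -> bool:
    """Flawed check: returns True (request passes) in both bypass cases from the advisory."""
    body = unquote(raw_request)          # %0A becomes a real newline here
    if BENIGN_LINE.search(body):         # any single benign line marks the whole request OK
        return True
    return NAIVE_SIGNATURE.search(body) is None

# Hardened version: judge the decoded request as one string (no per-line anchors) and
# match the tag structurally, so extra characters before '>' do not defeat the signature.
STRUCTURAL_SIGNATURE = re.compile(r"<\s*/?\s*script\b[^>]*>", re.IGNORECASE | re.DOTALL)
BENIGN_REQUEST = re.compile(r"[\w\s=&./?-]*")

def hardened_waf_allows(raw_request: str) -> bool:
    """Corrected check: decode, then require the entire request to be benign or signature-free."""
    body = unquote(raw_request)
    if BENIGN_REQUEST.fullmatch(body):   # fullmatch spans newlines: the whole body must be benign
        return True
    return STRUCTURAL_SIGNATURE.search(body) is None
```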


Monday, December 6, 2010

Payment / Banking sites with vulnerable SSL issues

Although there are official compliance requirements and policies mandating that every financial institution use strongly encrypted channels for transferring sensitive information, we have been seeing relatively weak cipher strengths and unpatched flaws such as the SSL renegotiation bug on payment and banking sites, depending on the countries/IPs where they are hosted.

To make the people concerned aware of the issues, we have prepared a list of some vulnerable banking sites, taken as snapshots via SSL Labs.

Rating A but vulnerable to SSL Renegotiation Attack
Barclays Bank UK - ibank.barclays.co.uk
UOB Bank - pib.uob.com.sg
OCBC Bank - ocbc.com
HSBC Bank US - us.hsbc.com
HSBC Bank UK - hsbc.co.uk
Ever Bank - www.everbank.com
NatWest Bank - natwestibanking.com
Citizens Bank - citizensbankonline.com
Tai Fung Bank - taifungbank.com
United One Credit Union - www.unitedone.org
eAdvantage Internet Banking - cib-maintpg.ibanking-services.com
Isle of Man Bank - www.iombankibanking.com
RBS International Bank - www.rbsiibanking.com
Peoples National Bank - cibng.ibanking-services.com
CIMB Bank (SG) - cimbclicks.com.sg
Nets (SG) - www.nets.com.sg

Rating B [Weak Cipher Support + SSL Renegotiation]
HSBC Bank Hong Kong - hsbc.com.hk
Discover Bank - www.discoverbank.com
MilliKart Bank - millikart.az

Rating C [Weak Cipher Support]
HSBC Main Site - www.hsbc.com (vulnerable to SSL Renegotiation Attack)
Bank Of America - www.bankofamerica.com
Deutsche Bank India Branch - login.deutschebank.co.in
RBS (Romania) - ibanking.rbs.ro (vulnerable to SSL Renegotiation Attack)
Reg CIMB Bank (Thai) - cimbthai.com
Bhutan National Bank - bnb.com.bt (vulnerable to SSL Renegotiation Attack)
Hume Building Society - humebuild.com.au
Standard Chartered Online Banking - standardchartered.com.sg
St. George Bank - stgeorge.com.au

Rating D [Weak Cipher/Protocol/Key Strength Support]
Mutual Trust Bank - mutualtrustbank.com
Leon Bank - www.leon.com.do
Warwick Credit Union - warwickcreditunion.com.au
Oriental Bank - www.obconline.co.in
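Added example (not from the post or from SSL Labs): a small Python check that reads the session summary printed by `openssl s_client -connect host:443` and flags the issue classes grouped in the list above (missing secure renegotiation, legacy protocol, weak cipher, short key). The sample output is constructed and the thresholds are assumptions, not SSL Labs' grading rules.

```python
import re

# Constructed sample of the session summary that "openssl s_client -connect host:443"
# prints; it is not a capture from any site on the list above.
SAMPLE_SCLIENT_OUTPUT = """\
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : SSLv3
    Cipher    : DES-CBC-SHA
"""

# Thresholds are assumptions for this demo, not SSL Labs' grading rules.
MIN_KEY_BITS = 2048
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3")

def assess_sclient_output(text: str) -> list:
    """Return the findings a reviewer would raise for one captured handshake, in a fixed order."""
    findings = []
    # Renegotiation bug: the server does not offer RFC 5746 secure renegotiation.
    if "Secure Renegotiation IS NOT supported" in text:
        findings.append("no RFC 5746 secure renegotiation")
    m = re.search(r"Protocol\s*:\s*(\S+)", text)
    if m and m.group(1) in LEGACY_PROTOCOLS:
        findings.append(f"legacy protocol {m.group(1)}")
    m = re.search(r"Cipher\s*:\s*(\S+)", text)
    if m:
        cipher = m.group(1)
        # Weak cipher heuristics: export/NULL/anonymous suites, single DES, MD5 integrity.
        if re.match(r"(EXP|NULL|ADH|AECDH)", cipher) or re.search(r"(^|-)DES-CBC-SHA$|-MD5$", cipher):
            findings.append(f"weak cipher {cipher}")
    m = re.search(r"Server public key is (\d+) bit", text)
    if m and int(m.group(1)) < MIN_KEY_BITS:
        findings.append(f"short server key ({m.group(1)} bit)")
    return findings
```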

Secure configurations for Laravel - The PHP Framework

This framework makes security simple to achieve. Out of all the non-default settings, the following few can be set to achieve higher secu...