Thursday, March 24, 2011

Crazy Verification and a pile of 'root' passwords

Analysis

Nowadays most of us run our own web sites and remote VPSes, and all of us have worked with hosting vendors at one time or another. One of the worst mistakes we see again and again comes from their support personnel on web-based support (ticket) systems: they ask customers to hand over their root password, their cPanel/Plesk passwords and more. The reason given is that they need the credentials to verify that the customer really owns the domains/IPs he claims. Every one of those tickets is a password saved in plain text, and the ticket system is the text editor. Avoid vendors whose support staff work this way, or at the very least refuse to reveal your passwords in this manner.

Risk

It is well known that keeping sensitive data in plain text is a serious mistake: it means direct 0wnage the moment an attacker finds where the data reside. An attacker who compromises a single support staff account, or the web-based support application as a whole, gains access to this pile of root passwords too, and with it every server whose owner ever opened a ticket.

Solution


Tie the support ticket authentication to the existing cPanel/Plesk authentication system, so that support staff can be sure the person asking for help is the owner of the claimed domains/IPs without a password ever appearing in a ticket. If clients' account credentials must be held at all for support matters, keep them on a dedicated, hardened server that both staff and clients log into to view and edit them, never in ticket text. Bear in mind that such a store becomes a high-value target in its own right, so it needs strict access control and audit logging of every read.




Anti-CSRF Defense: HTTP_Referer Check, A Common Mistake

Simply validating the hostname in the HTTP Referer header, a widely deployed quick anti-CSRF defense, is easily bypassed if the check is not done correctly, for example by matching the trusted hostname as a substring of the whole header instead of comparing the parsed host component exactly.

http://yehg.net/lab/pr0js/training/view/misc/PHPNuke_8x_Anti-CSRF-Bypass/
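To make the class of mistake concrete, here is an added example (not code from the original post, nor from PHP-Nuke; the specific bypass is documented at the link above and is not reproduced here). It puts the naive substring check beside a strict one that parses the header and compares the host exactly, and runs both over a handful of constructed Referer values. The hostnames `example.com`/`www.example.com` and the sample URLs are assumptions for illustration.

```python
from typing import Optional
from urllib.parse import urlsplit

# Assumption: the protected application is served from exactly these hostnames.
TRUSTED_HOSTS = {"example.com", "www.example.com"}


def naive_referer_check(referer: Optional[str]) -> bool:
    """The common mistake: accept any Referer that merely contains the site name."""
    return bool(referer) and "example.com" in referer


def strict_referer_check(referer: Optional[str], trusted_hosts=TRUSTED_HOSTS) -> bool:
    """Parse the Referer and compare its host component exactly against an allow-list.

    Fails closed: a missing, empty, unparsable or non-HTTP(S) Referer is rejected,
    as is any host that is not exactly one of ours.
    """
    if not referer:
        return False
    try:
        parts = urlsplit(referer)
    except ValueError:  # e.g. a malformed IPv6 literal
        return False
    if parts.scheme not in ("http", "https"):
        return False
    # .hostname is already lowercased and has userinfo/port stripped; drop a trailing dot.
    host = (parts.hostname or "").rstrip(".")
    return host in trusted_hosts


# Constructed sample Referer values: the first is legitimate, the rest are bypass
# attempts that place the string "example.com" somewhere other than the host.
SAMPLE_REFERERS = {
    "legit":     "http://example.com/admin.php?op=delete&id=7",
    "subdomain": "http://example.com.attacker.net/csrf.html",
    "path":      "http://attacker.net/example.com/csrf.html",
    "query":     "http://attacker.net/?r=http://example.com",
    "userinfo":  "http://example.com@attacker.net/csrf.html",
    "scheme":    "javascript://example.com/%0aalert(1)",
    "missing":   None,
}


def compare_checks() -> dict:
    """Run both checks over the samples; returns {name: (naive_result, strict_result)}."""
    return {name: (naive_referer_check(r), strict_referer_check(r))
            for name, r in SAMPLE_REFERERS.items()}


if __name__ == "__main__":
    for name, (naive, strict) in compare_checks().items():
        print(f"{name:10} naive={naive!s:5} strict={strict}")
```

Every bypass attempt passes the naive check and fails the strict one. Two caveats apply even to the strict version: browsers and privacy tools frequently strip the Referer (and it is never sent on some cross-scheme navigations), so failing closed will reject some legitimate users; and an attacker who controls any page on a trusted host still passes. Treat a Referer check as defense in depth beside a per-session anti-CSRF token, not as the primary defense.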

Sunday, March 6, 2011

[Book-Review] Detecting Malice

http://www.detectmalice.com/

This book is written for web security administrators and forensic investigators who need to track down web attackers across a range of situations and perspectives. It explains a number of well-known web attacks and the reconnaissance probing that precedes them, and shows how to recognise both the initial actions and what follows. RSnake's emphasis is on detecting anomalies in the details of web requests in order to spot web malice. To do so, one needs fairly comprehensive knowledge of today's web black arts, which the book lays out.

secure configurations for Laravel - The PHP Framework

This framework makes security simple to achieve. Of all the non-default settings, the following few can be set to achieve higher secu...