Posts

Showing posts from March, 2011

Crazy Verification and a pile of 'root' passwords

Analysis

Nowadays we guys have our own web sites and remote VPSes. We all have once worked or have been working with hosting vendors. One of the worst mistakes see very often is their support personnel on web based support systems. They asked customers to provide their root password, cpanel/plesk passwords  and many. They say the reason they ask user credential is to verify the owners of domains/IPs customer claims 'ownership'. We know all these are like saving passwords in a text editor in plain text way. Avoid this kind of vendors with stupid support staffs or stay away from revealing your passwords in this plain stupid way.

Risk

It's been known that keeping sensitive data in plain text is an ill mistake which poses a direct 0wnage if attackers can find where they reside. Attackers who compromise one of support personnel accounts or entire web-based support application would gain access to these pile of root passwords, too.

Solution


Tie the support ticket authentication to ex…

Anti-CSRF Defense: HTTP_Referer Check, A Common Mistake

Simply validating hostname in HTTP Referer, a widely deployed quick anti-csrf defense, can easily be bypassed if not correctly done.

http://yehg.net/lab/pr0js/training/view/misc/PHPNuke_8x_Anti-CSRF-Bypass/

[Book-Review] Detecting Malice

http://www.detectmalice.com/

This book is written solely for web security administrators and forensics investigators who can deeply track down web attackers from various situations and perspectives. It explains some of well-known web attacks and web reconnaissance probing from bad guys and how you can know their actions and further post-actions. RSnake emphasizes on detecting anomalies in details of web requests to detect web malice. In order to detect such, one needs to have somewhat comprehensive knowledge in today's web black arts stated in his book.