Showing posts from March, 2016

Testing for existence of controls to prevent Self-XSS scam

Controls against the Self-XSS scam should be considered when the application is of high value and connects many users with each other through forums, messaging and the like.

Below is a screengrab of the prevention tip from Facebook:

Sample Code:
// %c tells the console to style the text that follows it with the CSS string passed as the next argument
console.log("%cExtra Large Yellow Text with Red Background","background: red; color: yellow; font-size: x-large");


Self-XSS operates by tricking users into copying and pasting malicious content into their browser's web developer console.[1] Usually, the attacker posts a message claiming that by copying and running certain code, the user will be able to hack another user's account. In fact, the code allows the attacker to hijack the victim's account.
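The control described above, and the check for it, as an added example that is not Facebook's code or the original post's: a console warning built the same way as the %c sample (the wording of the message is my own, not Facebook's), plus a small harness a tester can use to confirm that the application actually emits such a warning. The function and variable names are assumptions for the example.

```javascript
// Added example, not Facebook's code or the original post's.

// Build the console.log arguments: a large red headline followed by a
// plain-text explanation. Each %c in the format string consumes one
// style argument, in order.
function buildSelfXssWarning() {
  const format =
    "%cStop!\n%cThis is a browser feature intended for developers. " +
    "If someone told you to copy and paste something here to enable a " +
    "feature or \"hack\" someone's account, it is a scam and will give " +
    "them access to your account.";
  const headlineStyle = "color: red; font-size: 48px; font-weight: bold;";
  const bodyStyle = "color: black; font-size: 16px;";
  return [format, headlineStyle, bodyStyle];
}

// The control: call this as early as possible during page load. `con`
// defaults to the real console; a fake console can be passed in for testing.
function showSelfXssWarning(con = globalThis.console) {
  con.log(...buildSelfXssWarning());
}

// Tester harness: run `fn` against a fake console and return everything
// it logged, so the presence of the warning can be asserted offline.
function captureConsole(fn) {
  const calls = [];
  const fake = {
    log: (...args) => calls.push(args),
    warn: (...args) => calls.push(args),
    error: (...args) => calls.push(args),
  };
  fn(fake);
  return calls;
}

// Check: at least one logged message is %c-styled and mentions a scam.
function hasSelfXssWarning(calls) {
  return calls.some(
    (args) =>
      typeof args[0] === "string" &&
      args[0].includes("%c") &&
      /scam/i.test(args[0])
  );
}

// Stand-alone run: print the warning to the real console.
showSelfXssWarning();
```

A console message only helps if it is already on screen when the victim pastes, so it belongs in the first script the page loads; since developer tools may be opened later, re-emitting the message on an interval is one option. The warning is mitigation, not prevention: the real fix is to limit what a logged-in session can do from script (short-lived tokens, re-authentication for sensitive actions).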

Testing for default auto generation of credentials

Over the years, in several applications we have pentested, credentials were auto-generated. In the worst cases, those applications never forced the generated password to expire: it stayed valid for the lifetime of the account unless the user chose to change it.

When we analysed a large number of samples, we found the following common patterns:

Common username patterns:

1. A short string of digits, typically 6, 7 or 8 digits long
2. Derived from the user's first name and last name

Useful tool:

Common password patterns:

1. A short string of digits, typically 6, 7 or 8 digits long
2. A few letters followed by a few digits (e.g. xwuc7482), or the reverse
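An added example, not from the original post, that turns the patterns above into a check: it classifies a constructed sample of auto-generated credentials by pattern and estimates how large a keyspace each password scheme leaves an attacker. The sample values, the regexes, the 40-bit threshold and the 1000 guesses/second rate are assumptions for the example.

```javascript
// Added example (not from the original post). Sample data is constructed.
const SAMPLE_CREDENTIALS = [
  { username: "8472913", password: "xwuc7482" },
  { username: "john.smith", password: "5519wqzt" },
  { username: "102938", password: "847102" },
  { username: "jane_doe", password: "Tr0ub4dor&3" },
];

// The patterns listed in the post, as regexes. Order matters: first match wins.
// `weak` marks schemes whose whole keyspace is small enough to enumerate.
const PATTERNS = [
  { name: "digits-only", re: /^\d{6,8}$/, weak: true },
  { name: "letters-then-digits", re: /^[a-z]{2,5}\d{2,5}$/i, weak: true },
  { name: "digits-then-letters", re: /^\d{2,5}[a-z]{2,5}$/i, weak: true },
  { name: "name-derived", re: /^[a-z]+[._-]?[a-z]+$/i, weak: false },
];

function classify(value) {
  const hit = PATTERNS.find((p) => p.re.test(value));
  return hit ? hit.name : "unclassified";
}

// Keyspace in bits if the generator picked every character uniformly from its
// class: log2(10) per digit, log2(26) per case-insensitive letter, log2(95)
// for anything else (printable ASCII). This is an upper bound on the
// generator's entropy; a real generator may be far weaker than this.
function keyspaceBits(value) {
  let bits = 0;
  for (const ch of value) {
    if (/\d/.test(ch)) bits += Math.log2(10);
    else if (/[a-z]/i.test(ch)) bits += Math.log2(26);
    else bits += Math.log2(95);
  }
  return Math.round(bits * 10) / 10;
}

// Days needed to try the whole keyspace at a given online guess rate.
function daysToExhaust(bits, guessesPerSecond) {
  return Math.pow(2, bits) / guessesPerSecond / 86400;
}

// One report row per credential pair. A password is flagged as a weak
// default if it matches one of the enumerable schemes or its keyspace is
// below 40 bits (assumed threshold).
function analyse(samples, guessesPerSecond = 1000) {
  return samples.map((s) => {
    const passwordPattern = classify(s.password);
    const bits = keyspaceBits(s.password);
    const info = PATTERNS.find((p) => p.name === passwordPattern);
    return {
      username: s.username,
      usernamePattern: classify(s.username),
      passwordPattern,
      passwordBits: bits,
      daysToExhaust: Math.round(daysToExhaust(bits, guessesPerSecond)),
      weakDefault: (info ? info.weak : false) || bits < 40,
    };
  });
}

// Stand-alone run.
console.table(analyse(SAMPLE_CREDENTIALS));
```

Two things the report makes visible that the pattern list alone does not: a four-letter plus four-digit scheme such as xwuc7482 is only about 32 bits, roughly 4.6 billion guesses, and digit-only usernames are trivially enumerable, so an attacker who has one valid username can walk the whole range. Combined with passwords that never expire, the finding is worth reporting as high impact rather than informational.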

Testing for Cryptographic algorithm and hash misuses

Over the years, we have seen security-aware applications use various forms of encryption and encoding. In such applications we found programmers implementing cryptographic schemes incorrectly, for example by disclosing keys in client-side code, or by returning keys in JSON format in server responses.
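The second misuse above, keys returned in a JSON response, as an added check that is not from the original post and is not Bletchley: walk a server response and report string values whose field name suggests key material and whose decoded length matches a common symmetric key or IV size. The response is constructed for the example; the hex key is the AES-128 example key from FIPS-197, used only because it is a well-known 16-byte value. The field-name regex and size list are assumptions.

```javascript
// Added example (not from the original post). The response is constructed.
const SAMPLE_RESPONSE = JSON.stringify({
  user: { id: 1042, name: "jdoe" },
  session: {
    token: "eyJhbGciOiJIUzI1NiJ9.eyJ1aWQiOjEwNDJ9.c2lnbmF0dXJl",
    aesKey: "2b7e151628aed2a6abf7158809cf4f3c", // FIPS-197 example key
    iv: "000102030405060708090a0b0c0d0e0f",
  },
  csrf: "9f3c1d",
});

// Field names that suggest key material (assumed list).
const KEY_NAME = /(^|[_-])(key|secret|iv|salt|passphrase|hmac)([_-]|$)|key$/i;
// Common symmetric key / IV lengths in bytes.
const KEY_SIZES = new Set([16, 24, 32]);

// Flatten every string leaf of the parsed JSON into { path, value } pairs.
function stringLeaves(node, path = "", out = []) {
  if (typeof node === "string") {
    out.push({ path, value: node });
  } else if (node && typeof node === "object") {
    for (const [k, v] of Object.entries(node)) {
      stringLeaves(v, path ? `${path}.${k}` : k, out);
    }
  }
  return out;
}

// Decoded length in bytes if the value is hex or base64, otherwise 0.
function decodedLength(value) {
  if (/^[0-9a-f]+$/i.test(value) && value.length % 2 === 0) {
    return value.length / 2;
  }
  if (/^[A-Za-z0-9+/]+={0,2}$/.test(value) && value.length % 4 === 0) {
    return Buffer.from(value, "base64").length;
  }
  return 0;
}

// Shannon entropy in bits per character; random hex is close to 4.
function entropyPerChar(value) {
  const counts = new Map();
  for (const ch of value) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const n of counts.values()) {
    const p = n / value.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Report fields whose name and decoded size both look like key material.
function findExposedKeys(jsonText) {
  return stringLeaves(JSON.parse(jsonText))
    .filter(({ path, value }) => {
      const name = path.split(".").pop();
      return KEY_NAME.test(name) && KEY_SIZES.has(decodedLength(value));
    })
    .map(({ path, value }) => ({
      path,
      bytes: decodedLength(value),
      entropyPerChar: Number(entropyPerChar(value).toFixed(2)),
    }));
}

// Stand-alone run.
console.log(findExposedKeys(SAMPLE_RESPONSE));
```

Two caveats. A 32-character hex string may just as well be an MD5 digest, which is why the check requires the field name to match as well; when reviewing a real response, confirm the value is actually used as a key in the client-side code. And the entropy column is worth a look even for fields that are not keys: the constructed IV above scores about 2.8 bits per character because it is a counter, and a static or predictable IV is its own finding in CBC or CTR modes.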

Some of the tools we used:

Bletchley: (analyze -