Showing posts from December, 2010

Microsoft's Recommendation on View State MAC

Advisory: Trustwave's SpiderLabs Security Advisory TWSL2010-001: Multiplatform View State Tampering Vulnerabilities. Published: 2010-02-08. Version: 1.1

Analysis: Wrong or inadequate vendor recommendations matter because many customers follow the vendor's documentation to the letter and assume that doing so keeps them secure. The SpiderLabs researchers pointed out:

"A vulnerability was alluded to in a 2004 Microsoft article on troubleshooting view state problems [1]. However, other Microsoft documents recommend disabling view state signing "if performance is a key consideration," [2, 3, 4] or for various other reasons [5, 6]. Realistically, unsigned view states should never be used in a production environment."

Check: In ASP.NET, confirm that enableViewStateMac has not been set to false in web.config or in page directives, and confirm that a request carrying a modified view state is rejected rather than processed.

Web Service Hijacking in VMWare WebAccess

Advisory: Trustwave's SpiderLabs Security Advisory TWSL2010-002: Web Service Hijacking in VMWare WebAccess. Published: 2010-03-30. Version: 1.0

Analysis: Web application developers sometimes rely on reversible encodings such as Base64 or rot13 (these are neither hashes nor encryption) to hide sensitive values in POST data and query strings. Automated scanners miss this class of flaw because they fuzz parameters with fixed payloads; they do not recognise a custom encoding, decode it, change the decoded value and re-encode it.

Check: Enumerate every parameter that looks encoded or encrypted and work out the scheme. Decode the value, tamper with it, re-encode it and resubmit, then observe whether the application honours the tampered request.

Related: This is logically the same issue as view state tampering in ASP.Net/JSF/JSP, where developers often store sensitive information in view state.
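The tampering step described in the two advisories above, as an added example that is not code from the original post or from the SpiderLabs advisories. It shows that a value which is merely encoded (Base64, rot13) can be decoded, edited and re-encoded by the client, and that a server-side MAC over the value (the job the ASP.NET view state MAC does) is what stops that. The `__STATE` parameter, the `price` field and the server key are hypothetical.

```python
"""Added example, not code from the original post or from the SpiderLabs
advisories.  Encoded is not protected: decode, edit, re-encode.  A MAC
over the encoded value (the view state MAC's role) is the fix.  The
'__STATE' parameter, the 'price' field and the key are hypothetical."""
import base64
import codecs
import hashlib
import hmac
import json
from urllib.parse import parse_qs, urlencode

# Hypothetical server-side secret (the ASP.NET analogue is the machineKey).
SERVER_KEY = b"example-only-server-secret-do-not-reuse"


def encode_state(state: dict) -> str:
    """Unsigned hidden state, the way a naive application emits it."""
    return base64.b64encode(json.dumps(state, sort_keys=True).encode()).decode()


def decode_state(blob: str) -> dict:
    return json.loads(base64.b64decode(blob))


def rot13_decode(value: str) -> str:
    """rot13 is a fixed substitution; decoding needs no key at all."""
    return codecs.decode(value, "rot_13")


def make_post_body(state: dict, param: str = "__STATE", **extra: str) -> str:
    """Constructed request body: the encoded state plus ordinary form fields."""
    return urlencode({param: encode_state(state), **extra})


def state_from_body(body: str, param: str = "__STATE") -> dict:
    return decode_state(parse_qs(body, keep_blank_values=True)[param][0])


def tamper_post_body(body: str, field: str, new_value, param: str = "__STATE") -> str:
    """What a tester does by hand: decode the encoded parameter in a POST
    body, change one field and re-encode it so the request still parses."""
    params = parse_qs(body, keep_blank_values=True)
    state = decode_state(params[param][0])
    state[field] = new_value
    params[param] = [encode_state(state)]
    return urlencode(params, doseq=True)


def sign_state(blob: str, key: bytes = SERVER_KEY) -> str:
    """Append an HMAC-SHA256 over the encoded state (the MAC the advisory
    says must never be disabled in production)."""
    mac = hmac.new(key, blob.encode(), hashlib.sha256).hexdigest()
    return f"{blob}.{mac}"


def verify_state(signed: str, key: bytes = SERVER_KEY):
    """Return the decoded state, or None if the MAC is missing or wrong."""
    blob, sep, mac = signed.rpartition(".")
    if not sep:
        return None
    expected = hmac.new(key, blob.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None
    return decode_state(blob)


if __name__ == "__main__":
    # Constructed POST body: an unsigned, Base64-encoded order state.
    body = make_post_body({"item": "widget", "price": 100}, qty="1")
    forged = tamper_post_body(body, "price", 1)
    print("unsigned state, price after tampering:", state_from_body(forged)["price"])

    # With a MAC, the same edit is detected.
    signed = sign_state(encode_state({"item": "widget", "price": 100}))
    mac = signed.rpartition(".")[2]
    print("signed state, honest:", verify_state(signed))
    print("signed state, tampered:", verify_state(encode_state({"item": "widget", "price": 1}) + "." + mac))
```

The MAC is computed over the encoded blob, so an attacker who can decode the content still cannot produce a valid signature for a modified value without the server key; `hmac.compare_digest` is used so the comparison does not leak timing.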

Passlogix v-GO Self-Service Password Reset Bypass via Invalid SSL Certificate

Advisory: Trustwave's SpiderLabs Security Advisory TWSL2010-007: Passlogix v-GO Self-Service Password Reset Bypass via Invalid SSL Certificate. Published: 2010-12-10. Version: 1.0

Analysis: The SSL exception window appears to be tied to the target machine rather than to the user. The window is part of the application, and it offers a file-browsing dialog (meant for exporting certificates) that exposes the target machine's file system instead of the user's. This can be classified as a design flaw: the file-system access behind that dialog is reachable without any authentication check, because the window sits outside the realm of the authenticated domain.

Check: A finding like this is easily missed in a normal pentest, where the pentester and the target application are the only actors. The SpiderLabs researchers, however, tested the application under different environment settings under their control (here, presenting it with an invalid SSL certificate). Thus, it i

Profense Web Application Firewall and Load Balancer multiple vulnerabilities

Advisory: Joint Trustwave's SpiderLabs Security Advisory TWSL2009-001 and EnableSecurity Advisory ES-20090500: Profense Web Application Firewall and Load Balancer multiple vulnerabilities. Published: 2009-05-19. Version: 1.0

Analysis: Researchers from Trustwave and EnableSecurity were able to bypass the protection of the Profense Web Application Firewall. Two findings caught our attention:

"Inserting extra characters in the JavaScript close tag" (</script ByPass>): the filter looks for the literal </script>, while the browser still treats an end tag carrying extra characters as the closing tag.

"pattern matching in multi line mode matches any non-hostile line and marks the whole request as legitimate ... by making use of a URL-encoded new line character" (logic flaw): a whitelist pattern anchored with ^ and $ in multi-line mode is satisfied by any single harmless line, so a %0A followed by innocuous text lets the whole value through.

Sample exploits that bypass the defense:

xss.php?var=abcdef%3Cembed%3Eaaaaaaa%3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3E
xss.php?var=%3CEvil%20script%20goes%20here%3E=%0AByPass

Check: It's necessary to test web application fi
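Both bypass classes rebuilt against toy filters, as an added example that is not code from the Profense advisory or from Trustwave or EnableSecurity. The vulnerable pattern and its corrected form sit side by side; the rules are hypothetical and are not Profense's signatures.

```python
"""Added example, not code from the Profense advisory or from Trustwave or
EnableSecurity.  Toy filters reproducing the two bypasses, each beside
its fixed form.  The rules are hypothetical, not Profense's signatures."""
import re
from urllib.parse import unquote

# 1. Blacklist that wants the literal closing tag.  Browsers ignore
#    attributes on an end tag, so '</script ByPass>' still closes the
#    script element but never matches this pattern.
BLACKLIST_NAIVE = re.compile(r"<script>.*?</script>", re.IGNORECASE | re.DOTALL)
# Fixed: tolerate attributes (anything up to '>') on both tags.
BLACKLIST_FIXED = re.compile(r"<script\b[^>]*>.*?</script\b[^>]*>", re.IGNORECASE | re.DOTALL)

# 2. Whitelist compiled in multi-line mode: '^' and '$' match at every
#    line, so one harmless line after a URL-encoded newline satisfies it
#    and the whole value is marked legitimate.
WHITELIST_NAIVE = re.compile(r"^[\w =]*$", re.MULTILINE)
# Fixed: the entire value must match; fullmatch also refuses a trailing newline.
WHITELIST_FIXED = re.compile(r"[\w =]*")


def naive_is_blocked(value: str) -> bool:
    return BLACKLIST_NAIVE.search(value) is not None


def hardened_is_blocked(value: str) -> bool:
    return BLACKLIST_FIXED.search(value) is not None


def naive_is_allowed(value: str) -> bool:
    return WHITELIST_NAIVE.search(value) is not None


def hardened_is_allowed(value: str) -> bool:
    return WHITELIST_FIXED.fullmatch(value) is not None


def inspect_query_value(encoded: str) -> dict:
    """Decode a raw query-string value and report each filter's verdict."""
    value = unquote(encoded)
    return {
        "decoded": value,
        "naive_blacklist_blocks": naive_is_blocked(value),
        "fixed_blacklist_blocks": hardened_is_blocked(value),
        "naive_whitelist_allows": naive_is_allowed(value),
        "fixed_whitelist_allows": hardened_is_allowed(value),
    }


if __name__ == "__main__":
    # The two sample exploit values quoted in the advisory.
    for raw in (
        "abcdef%3Cembed%3Eaaaaaaa%3Cscript%3Ealert(document.cookie)%3C/script%20ByPass%3E",
        "%3CEvil%20script%20goes%20here%3E=%0AByPass",
    ):
        print(inspect_query_value(raw))
```

The general lesson for filter authors: a deny-list must match what the browser's parser accepts, not a canonical spelling, and an allow-list must be applied to the whole decoded value (after URL decoding, as the WAF sees it) rather than line by line.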

Payment / Banking sites with vulnerable SSL issues

Although compliance requirements and policies oblige every financial institution to use strongly encrypted channels for transferring sensitive information, we keep seeing weaker cipher suites and unpatched flaws such as the SSL/TLS renegotiation vulnerability (CVE-2009-3555) on payment and banking sites, varying with the country or IP range they are hosted in. To make the people concerned aware of the issue, we've prepared a list of some vulnerable banking sites, based on snapshots from SSL Labs.

Rated A but vulnerable to the SSL renegotiation attack:

Barclays Bank UK
UOB Bank
OCBC Bank
HSBC Bank US
HSBC Bank UK
Ever Bank
NatWest Bank
Citizens Bank
Summit Bank
Tai Fung Bank
United One Credit Union - eAdvantage Internet Banking
Isle of Man Bank
w
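A way to triage the same issues yourself without a third-party scanner, as an added example that is not from the original post or from SSL Labs: a routine over the text that `openssl s_client -connect host:443` prints, picking out whether the server advertises the secure-renegotiation extension (RFC 5746; a server without it is exposed to the 2009 renegotiation attack, CVE-2009-3555), which protocol was negotiated, and whether the cipher belongs to a known-weak family. The sample outputs are constructed and are not captures from any site named above.

```python
"""Added example, not from the original post or from SSL Labs.  Triage of
'openssl s_client' output for the issues the post lists.  The sample
outputs below are constructed, not captures from any listed bank."""
import re

# Substrings of OpenSSL cipher names that mark a suite as weak (NULL,
# export, anonymous, RC4/RC2, single DES, MD5 MAC).
WEAK_CIPHER_TOKENS = ("NULL", "EXP", "ADH", "AECDH", "RC4", "RC2", "DES-CBC-SHA", "MD5")
LEGACY_PROTOCOLS = ("SSLv2", "SSLv3")


def triage_s_client(output: str) -> dict:
    """Parse s_client output into a small report with a list of findings."""
    report = {"protocol": None, "cipher": None, "secure_renegotiation": None, "findings": []}

    # 'Protocol  : TLSv1' and 'Cipher    : AES256-SHA' come from the SSL-Session block.
    m = re.search(r"^\s*Protocol\s*:\s*(\S+)", output, re.MULTILINE)
    if m:
        report["protocol"] = m.group(1)
    m = re.search(r"^\s*Cipher\s*:\s*(\S+)", output, re.MULTILINE)
    if m:
        report["cipher"] = m.group(1)

    # OpenSSL 0.9.8m and later print one of these two lines after the handshake.
    if "Secure Renegotiation IS NOT supported" in output:
        report["secure_renegotiation"] = False
        report["findings"].append("no RFC 5746 secure renegotiation (CVE-2009-3555 exposure)")
    elif "Secure Renegotiation IS supported" in output:
        report["secure_renegotiation"] = True

    if report["protocol"] in LEGACY_PROTOCOLS:
        report["findings"].append(f"legacy protocol negotiated: {report['protocol']}")
    cipher = report["cipher"] or ""
    if any(tok in cipher for tok in WEAK_CIPHER_TOKENS):
        report["findings"].append(f"weak cipher suite: {cipher}")
    return report


# Constructed sample: a strong suite but no renegotiation extension, the
# combination the post calls "rated A but vulnerable".
SAMPLE_UNPATCHED = """\
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is AES256-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES256-SHA
"""

# Constructed sample: same server after the RFC 5746 fix is deployed.
SAMPLE_PATCHED = SAMPLE_UNPATCHED.replace("IS NOT supported", "IS supported")

# Constructed sample: legacy protocol and an RC4/MD5 suite on top of the renegotiation gap.
SAMPLE_WEAK = """\
CONNECTED(00000003)
New, TLSv1/SSLv3, Cipher is RC4-MD5
Server public key is 1024 bit
Secure Renegotiation IS NOT supported
SSL-Session:
    Protocol  : SSLv3
    Cipher    : RC4-MD5
"""


if __name__ == "__main__":
    for name, sample in (("unpatched", SAMPLE_UNPATCHED), ("patched", SAMPLE_PATCHED), ("weak", SAMPLE_WEAK)):
        print(name, triage_s_client(sample))
```

To produce real input, run `openssl s_client -connect host:443 < /dev/null` and feed the captured text to `triage_s_client`; the cipher token list is a starting point and should be extended to whatever your policy forbids.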