Simon Willison’s Weblog


499 items tagged “security”

2008

the tls report (via) Clever service that analyses a web server’s SSL implementation and grades it based on things like the protocols, certificates, ciphers and key lengths it supports. Includes public reports on the top and bottom 20 sites.

# 10th June 2008, 11:49 pm / tls, ssl, security

Yahoo! Address Book API Delivered. At last, now there’s no excuse to ask your users for their Yahoo! username and password just so you can scrape their address book.

# 4th June 2008, 6:03 pm / yahoo, security, phishing, passwordantipattern

Scaring people with fullScreen. Unsurprisingly, you can work around the “Press Esc to exit full screen mode” message in Flash by distracting the user with lots of similar looking visual noise. This opens up opportunities for cunning phishing attacks that simulate the chrome of the entire operating system. EDIT: Comments point out that text entry via the keyboard is still disabled, limiting the damage somewhat.

# 2nd June 2008, 10:18 pm / distraction, flash, fullscreen, phishing, security

OpenID phishing demo (via) A demonstration of the OpenID man-in-the-middle phishing attack. idproxy.net OpenIDs are immune to this particular variant due to the landing page not asking for your password (the phishing site could still provide their own redesigned landing page and hope users don’t notice though).

# 28th May 2008, 8:09 am / phishing, openid, idproxy, security

A McAfee spokeswoman said the company rates XSS vulnerabilities less severe than SQL injections and other types of security bugs. "Currently, the presence of an XSS vulnerability does not cause a web site to fail HackerSafe certification," she said. "When McAfee identifies XSS, it notifies its customers and educates them about XSS vulnerabilities."

Dan Goodin

# 17th May 2008, 11:31 pm / mcafee, idiotic, security

Crossdomain.xml Invites Cross-site Mayhem. A useful reminder that crossdomain.xml files should be treated with extreme caution. Allowing access from * makes it impossible to protect your site against CSRF attacks, and even allowing from a “circle of trust” of domains can be fatal if just one of those domains has an XSS hole.

# 15th May 2008, 8:06 am / jeremiah-grossman, flash, javascript, security, csrf, xss, crossdomainxml

Django: security fix released. XSS hole in the Admin application’s login page—updates and patches are available for trunk, 0.96, 0.95 and 0.91.

# 14th May 2008, 7:49 am / django, security, xss

Session variables without cookies. Brilliant but terrifying hack—you can store up to 2 MB of data in window.name and it persists between multiple pages, even across domains. Doesn’t work with new tabs though, and storing JSON in it and eval()ing it is a bad idea—a malicious site could populate it before sending the user to you.

# 13th May 2008, 9:59 pm / javascript, json, crossdomainstorage, sessions, security

Something you had, Something you forgot, Something you were

Nick Mathewson

# 13th May 2008, 8:06 am / security, authentication, nickmathewson

How one site dealt with SQL injection attack (via) Horrifying story of developer incompetence from Autoweb: “The contractor had no idea how to find and fix the Web page vulnerability that allowed the SQL injection attack code to execute successfully.”

# 2nd May 2008, 9:01 pm / sql-injection, security, incompetence, autoweb

Mass Attack FAQ. Thousands of IIS Web servers have been infected with an automated mass XSS attack, not through a specific IIS vulnerability but using a universal XSS SQL query that targets SQL Server and modifies every text field to add the attack JavaScript. If an app has even a single SQL injection hole (and many do) it is likely to be compromised.

# 26th April 2008, 9:12 am / iis, massattack, security, sql-injection, xss, sqlserver, sql

ISPs’ Error Page Ads Let Hackers Hijack Entire Web (via) Earthlink in the US served “helpful” links and ads on subdomains that failed to resolve, but the ad serving pages had XSS holes which could be used to launch phishing attacks against the principal domain (and I imagine could be used to steal cookies, although the story doesn’t mention that). Seems like a good reason to start using wildcard DNS to protect your subdomains from ISP interference.

# 21st April 2008, 6:51 am / isp, subdomains, dns, security, earthlink, xss, wildcarddns

PayPal Plans to Ban Unsafe Browsers. At first I thought they were going to encourage real anti-phishing features in browsers, which would be a big win for OpenID... but it turns out they’re just requiring EV SSL certificates which have been proven not to actually work.

# 19th April 2008, 10:45 am / openid, paypal, security, phishing, evssl

Flirting with mime types [PDF] (via) Different browsers have different rules for which content types will be treated as active content (and hence could be vectors for XSS attacks). IE uses a blacklist rather than a whitelist and hence rendered active content for 696 of the tested content types.

# 14th April 2008, 8:18 am / ie, internet-explorer, browsers, contenttypes, security, xss

CSRF presentation at RSA 2008. It terrifies me how few people understand CSRF, years after it was discovered. I’ll say it again: if you’re a web developer and you don’t know what that acronym means, go spend an hour reading about it—because the chances are your applications are vulnerable.

# 12th April 2008, 10:52 am / jeremiah-grossman, csrf, rsa, rsa2008, security

Hash Collisions (The Poisoned Message Attack). Demonstrates the MD5 weakness by providing two deliberately engineered PostScript documents with the same MD5 hash but radically different rendered output.

# 4th April 2008, 7:24 pm / md5, postscript, hashing, security, collisions

Since 9/11, approximately three things have potentially improved airline security: reinforcing the cockpit doors, passengers realizing they have to fight back and - possibly - sky marshals. Everything else - all the security measures that affect privacy - is just security theater and a waste of effort.

Bruce Schneier

# 29th January 2008, 12:14 pm / bruce-schneier, privacy, security, securitytheatre

Dangers of remote Javascript. Perl.com got hit by a JavaScript porn redirect when the domain of one of their advertisers expired and was bought by a porn company. Nat Torkington suggests keeping track of the expiration dates on any third party domains that are serving JavaScript on your site.

# 20th January 2008, 9:49 am / perldotcom, oreilly, nat-torkington, javascript, security, domains, xss

8 More Design Mistakes with Account Sign-in (via) Second of a two part series by Jared Spool. I agree with all of them with the possible exception of #15 which advocates providing a non-email password recovery solution. Security “questions” are usually dreadfully insecure, and introduce the need to lock users out of their accounts after just a few tries.

# 17th January 2008, 4:35 pm / security, jared-spool, registration, signin, usability

openid.yahoo.com. Yahoo!’s human readable guide to OpenID, complete with tour. It looks like they’re relying on the “sign-in seal” to protect against phishing.

# 17th January 2008, 2:35 pm / phishing, yahoo, openid, security, signinseal

In my opinion it is better to compare OpenIDs to credit cards. [...] Just as a credit card company may place a limit on the level of guarantee, web sites are at liberty to restrict the OpenIDs they will recognize and accept. Just as many of us carry more than one credit card, we may have multiple OpenIDs and use them for different occasions. Just as some department store credit card is not accepted outside of that store, it is possible that IDs issued by some OpenID providers may not be accepted by some sites.

Rao Aswath

# 10th January 2008, 6:50 pm / raoaswath, openid, security, creditcards

Is your Rails app XSS safe? SafeErb is an interesting take on auto-escaping for Rails: it throws an exception if you try to render a string that hasn’t been untainted yet.

# 10th January 2008, 6:46 pm / xss, safeerb, rails, ruby, security

XSS Vulnerabilities in Common Shockwave Flash Files. Is the word “shockwave” still relevant to Flash? Regardless, it turns out Flash can be a serious vector for XSS attacks, and many commonly used components have recently fixed holes (and hence should be updated ASAP).

# 6th January 2008, 9:35 am / flash, xss, security, shockwave

2007

The backdooring of SquirrelMail. A SquirrelMail developer’s account was compromised and used to insert a backdoor: the other developers initially missed the hole because it used $_SERVER['HTTP_BASE_PATH'], which can be set with a Base-Path: HTTP header.

# 28th December 2007, 11:40 pm / http, php, squirrelmail, backdoor, security

David Airey: Google’s Gmail security failure leaves my business sabotaged (via) Gmail had a CSRF hole a while ago that allowed attackers to add forwarding filter rules to your account. David Airey’s domain name was hijacked by an extortionist who forwarded the transfer confirmation e-mail on to themselves.

# 26th December 2007, 12:16 pm / csrf, google, gmail, security, david-airey

IPy. Handy Python module for manipulating IP addresses—use IP(ip_addr).iptype() == 'PUBLIC' to check that an address isn’t in a private address range.

# 24th December 2007, 1:19 pm / ipy, ipaddresses, ip, networking, python, security

Why the h can’t Rails escape HTML automatically? It would be a pretty huge change, but auto-escaping in Rails 2.0 could close up a lot of accidental XSS holes.

# 1st December 2007, 8:34 pm / rails, autoescaping, django, security, xss

Why Virtual Theft Should Matter to Real Life Tech Companies. Interesting trend: sites that profit from sales of virtual goods (such as Habbo Hotel) are seeing users use phishing attacks to steal those goods from each other.

# 18th November 2007, 11:21 am / phishing, virtualgoods, habbohotel, mmorpg, security

I don't understand why the NSA was so insistent about including Dual_EC_DRBG in the standard. It makes no sense as a trap door: It's public, and rather obvious. It makes no sense from an engineering perspective: It's too slow for anyone to willingly use it. And it makes no sense from a backwards-compatibility perspective: Swapping one random-number generator for another is easy.

Bruce Schneier

# 16th November 2007, 10:25 am / nsa, cryptography, security, dualecdrbg, randomnumbers, bruce-schneier

Django Changeset 6671. Malcolm Tredinnick: “Implemented auto-escaping of variable output in templates”. Fantastic—Django now has protection against accidental XSS holes, turned on by default.

# 14th November 2007, 5:05 pm / malcolmtredinnick, django, autoescaping, xss, security, python, templating