Sometimes no Ninja skill is required to receive money from security bug bounty programs!

My name has recently been added to the “Facebook Whitehat (http://www.facebook.com/whitehat)” page among the other security researchers that have reported security issues to Facebook directly. I have also received a very good reward for this; it took them several months to investigate my request, but it was worth it.
I am writing about it here to say you do not always need to know how to code or have ninja skills to find the bugs like this; I want to encourage everyone to participate in security bug bounty programs to help the companies to be more secure and earn money at the same time!

After all, here are the details (this bug has already been patched by Facebook):
Title of reported issue: “How to find unsearchable people by their emails in Facebook”
In order to search someone -even if they made themselves unsearchable with hidden emails- by their email addresses, it was possible to do the following steps:
1- Login into your Facebook account (you need to have an activated account with a verified email).
2- Open the following page: https://www.facebook.com/ads/manage/settings.php
3- Now under the “Permissions” section, click on “Add a User”.
4- Enter the email address that you are looking for in the box and click on “Add” and wait to see the response (it is better to choose “Reports Only” instead of “General User”). If you have not received “Invalid User” error, it means you were successful.
5- Now after refreshing the page, you should be able to see the requested user under the “Permissions” area.
6- If you click on the user’s name, you should be able to see his/her public profile.
By using this method, you could be able to find First Name, Last Name, and Facebook User ID of the user just by having his/her email address.

Recommendation to the users:
- It is always better to use a private email address in social networking websites if you really want to be unsearchable.

Recommendation to the Developers in similar situation:
- If there is any policy in the application, it should apply to all different parts of it. I suggest using the shared secure libraries that meet the requirements is one of the best options.

Flash ExternalInterface.call() JavaScript Injection – can make the websites vulnerable to XSS

Introduction:

This post is a result of reading the following useful report:

The other reason to beware ExternalInterface.call() (http://lcamtuf.blogspot.com/2011/03/other-reason-to-beware-of.html)

The issue that I want to discuss here is not something different; however, I want to add something to the current materials.

Description:

According to the Adobe website, ExternalInterface.call() can accept a JavaScript function name as the first argument and a string which would be sent to that JavaScript function. Adobe says “When the call is to a JavaScript function, the ActionScript types are automatically converted into JavaScript types; when the call is to some other ActiveX container, the parameters are encoded in the request message.”. Therefore, in our case, the string would be converted into JavaScript type.

All we are trying to say is that it is possible to inject a specific parameter to an input and change the way of running the JavaScript. I should say it is very similar to the current code Injection methods in which we actively change the queries/requests to run whatever we want!

Proof of Concepts:

I want to explain it by using the example that Adobe has put in its document. I have put all the files in the following URL: http://0me.me/demo/adobeflash/ExternalInterface.call/ . Please use Mozilla Firefox if you want to see the same error messages as this PoC.

Now follow these steps:

1- Open this link: http://0me.me/demo/adobeflash/ExternalInterface.call/demo.html

2- Enter “\”” in the flash box (dark box) and press the gray button in front of it:

3- Now, you should be able to see this error in Error Console:

As you can see, we could escape the slash character “\” which was for escaping the double quotation character. Therefore, we are able to inject our JavaScript here now.

4- Now, try to enter “\”));alert(/XSS/)}catch(e){}//” in that box and press the gray button. You should be able to see the alert message:

It is because of the fact that we could complete the main functions and comment the remaining bits which is the method of code injection.

Now, you may think that we need to have a valid JavaScript function in the page or you may even think we always need to have a HTML file. I will explain this in the next section and I will prove that you can execute a JavaScript code even by running the SWF file directly without using any HTML file or JavaScript function.

Run the flash file directly now:

Now I want to add this bit that we do not need to have a real JavaScript function or a HTML page to execute a JavaScript code under the website content. In this case we only need to put the JavaScript code inside the “catch” section. This is the PoC:

1- Open this URL: http://0me.me/demo/adobeflash/ExternalInterface.call/ExternalInterfaceExample.swf

2- Now, enter the following text in the box and press the button:

“\”));alert(/XSSThis/);}catch(e){alert(/XSSOr/)}//”

3- You should be able to see this message now:

As a result, we can do a XSS attack just by opening a vulnerable or malicious/uploaded SWF file.

Note: you may have problem with closing the alert window in some browsers.

Why can this be a risk?

The websites which are using ExternalInterface.call() with the user’s provided input -without having input validation- can be in risk of having XSS vulnerability. Besides, an attacker can upload a malicious SWF file when a website lets him/her do so in order to make the website vulnerable to XSS attack – in this case I should say, an attacker might be able to do more than a XSS by uploading a SWF file.

Solution(s):

If we think about this code injection, it is really another input validation issue. It again says that the developers must not trust the provided inputs and we certainly need to have input validation when we receive the user’s input.

Note: Regarding the main reference of this text, Adobe has not accepted this as an issue to fix it fundamentally yet.

References:

- The other reason to beware ExternalInterface.call() http://lcamtuf.blogspot.com/2011/03/other-reason-to-beware-of.html

- Agora 3.0.0 RC1 Rev.4 XSS Vulnerability http://jeffchannell.com/Joomla/agora-300-rc1-rev4-xss-vulnerability.html

- Finding Vulnerabilities in Flash Applications http://www.owasp.org/images/d/d8/OWASP-WASCAppSec2007SanJose_FindingVulnsinFlashApps.ppt

- Cross-Site Scripting through Flash in Gmail Based Services http://blog.watchfire.com/wfblog/2010/03/cross-site-scripting-through-flash-in-gmail-based-services.html

- ActionScript 3.0 Language and Components Reference http://livedocs.adobe.com/flash/9.0/ActionScriptLangRefV3/flash/external/ExternalInterface.html

- Code Injection http://en.wikipedia.org/wiki/Code_injection

Travian Game Patch – Finally!

Here are the details of recent security patch of Travian game: http://forum.travian.com/showthread.php?p=1728991

There was a Cross Site Scripting (XSS) vulnerability in hero’s mansion rename section. This issue was because of using “id” and “gid” input parameters at the same time. “gid” was used for loading the hero’s mansion, and “id” was used to insert a Javascript code. You can only see one of them as an input for a single file at the same time. However, I used them together and found this vulnerability:

http://sN.travian.EXT/build.php?gid=37&id=<script here>&rename

As there was a “httponly” flag for the cookies, it was not possible to hijack the sessions. However, we could still use it to do several things. The simplest one was to hijack the saved username/password from the browser. I should say that there was another issue with the login page last year based on which someone could create the Travian cookie and log into the system by the victims session.

There was also another issue with validation of unique email addresses by which a user could create several accounts with the same email address. It was sufficient to enter a “comma” in front of the email address to have a new valid email address. For example someone could register several times without having any problem in receiving the confirmation code by using “test@secproject.com”, “,test@secproject.com” , “,,test@secproject.com”, and so on.

Fortunately these issues have been patched after more than a year. This delay was only because of not having a direct reference to contact as no one/source was publicly responsible for the security issues.

These issues go back to June 2009. Related Link: http://soroush.secproject.com/blog/2009/11/travian-game-vulnerabilities-in-progress/

Note: I highly suggest the providers to put at least one email address in their contact page for normal bugs and security issues. They should also have a process to fix a security issue and give its credit to the finder(s) somehow (by putting the finder’s name in the website news, release notes, …) if they do not want to pay for their vulnerabilities! It is a pain when the security researchers can only see sale and marketing email addresses in many of the providers’ contact pages; and that’s why too many of these security issues are being published before having any patch every day.

Unrestricted File Download V1.0 – Windows Server

Downlaod the PDF file: http://soroush.secproject.com/downloadable/Unrestricted_File_Download_V1.0.pdf

Unrestricted File Download V1.0 – Windows Server

I do not want to talk about Insecure Direct Object References without any protection as they are obviously exploitable; Instead, I want to talk about bypassing the protected ones! The problem that I want to explain here is how hard it is to protect a system that uses Insecure Direct Object References by using black-list technique.

Whenever penetration testers see a website which accepts a path as an input, they think about these questions:

1- Can I have access to the secret files?

2- Can I do directory traversal?

3- Can I modify another file?

4- Can I do race condition?

And so on.

The answer from programming point of view is: “it depends!”:

1- If they have no protection in-place: “Yes. Yay!”

2- If they are using black-list method: “Think about a bypass now! There should be a way and I just need to find it! Think about encodings, decoding, effective characters, behaviour of the system against special characters, and so on.”

3- If they are using white-list method: “Is there anything on the list that can be misused? Can I stick some of them together to make another character or change the behaviour of the system?”

My point is that there is often a way to bypass a black-list. However, it is not the same for white-list if you do it correctly.

Let’s Bypass a Blacklist Method

Now, I want to use a case to show an example of using black-list, and methods of bypass.

Assume we have “www.vulnerable.com/download.aspx” which accepts a file path as an input and reads it and loads it into the output. (To make it easier, “/upload” folder is on the root of the website)

For example: “/download.aspx?file=/upload/document.doc”

Now, if you try the following inputs, you will receive an “access denied” error from the page:

“/download.aspx?file=web.config”

“/download.aspx?file=download.aspx”

“/download.aspx?file=/download.aspx”

But, if you try the following inputs, you will receive a “file not found” error or a blank-page from the page:

“/download.aspx?file=test.doc”

“/download.aspx?file=/upload/../test.txt”

“/download.aspx?file=/test.f0ob4r”

According to the response of the page, obviously, it is using a black-list method.

These are the first things that I can think about (my pre-test-cases):

0- Use uppercase, lowercase, and Unicode in the extension. For ex: “/download.aspx?file=/wEB.CoNfiG” and so on.

1- As you might know, there are some characters after the filename that will be ignored by Windows. So, I should try something like “/download.aspx?file=/web.config.” or “/download.aspx?file=/web.config… ..”

2- Using short filename format of the file: “/download.aspx?file=/web~1.con”

3- Using null character: “/download.aspx?file=/web.config%00.txt”

4- Using another extension in the path: “/download.aspx?file=/test.txt/../web.config”

5- Using different space characters in the path: “/download.aspx?file=/web.config%09”, “/download.aspx?file=/web.config%0a”, “/download.aspx?file=/web.config%0b”, “/download.aspx?file=/web.config%0c”, “/download.aspx?file=/web.config%0d”, “/download.aspx?file=/web.config%20”, and so on (similar to 1).

6- Finding a character that is removed by the web application automatically before loading a file to put it in the extension and bypass the black-list protection.

7- Try alternate data stream to read the files: “/download.aspx?file=/web.config::$Data”

8- Try to use direct path and share path. Ex: “/download.aspx?file=c:\\windows\\win.ini”, “/download.aspx?file=\\?\c:\\windows\\win.ini”, or “/download.aspx?file=\\127.0.0.1\c$\WINDOWS\\win.ini”

9- Try to do directory traversal. Ex: “/download.aspx?file=../../../../../../../../../../../boot.ini”

10- Try other file-system understandable vectors. Ex: “/download.aspx?file=web.config/.”, “/download.aspx?file=web.config\.”, and so on (similar to 1).

And combination of the above solutions to create more complicated test cases!

What do you think? Please let me know if you know any other interesting test case. This is the result:

0	Successful: Web.config was downloaded
1,2	Failed: Show the source code in error message. Error: “Failed to map the path”
3,7,8	Failed: Show the source code in error message. Error: “is not a valid virtual path”
4	Failed: Access Denied
5	Successful: Web.config was downloaded
6	Failed: No character was found
9	Failed: Show the source code in error message. Error: “Cannot use a leading .. to exit above the top directory”
10	Successful: Web.config was downloaded. Some new vectors were found: “?file=\.”, “?file=/.”, “?file=/\./\.”

Each of the above vectors could lead to bypassing the protection. Now, I can tell you that the actual vulnerable source code of the page was:

10 string fileName = Request.Params["File"];20 if (ForbidenExtentions.Contains(fileName.Substring(fileName.LastIndexOf(“.”)))) 30 { 40 HttpContext.Current.Response.Redirect(“~/CustomError.aspx?msg=ForbidenFileDownload”); 50 } 60 if((fileName != null) && (fileName != “”)) 70 { 80 string strPath = Server.MapPath(“/” + fileName); 90 if(System.IO.File.Exists(strPath)) 100 { …

And, we can download the confidential files with different vectors (see number 0, 5, and 10 on the table above). Now, an attacker can download the entire website and look for the credentials, hidden files and folders, and find any other vulnerability such as SQL Injection by having the source code.

Secure and Effective Solution

Now, what can we do to stop this attack? These are the general solutions:

1- Do not use direct object references when it is possible:

For indirect references, use something random, hard to guess, and meaningless such as GUIDs. You need to implement more functions and invest more time on programming and debugging. However, your achievements are:

1.1- Increasing the Security by using strong random pointers such as GUIDs

1.2- Easier asset managing and have different access controls

2- Force yourself to always use white-lists:

It is very rare that you have to only use a black-list for an input! If an input is random and unpredictable, you may need to redesign that input. Write down the input purpose(s) and do whatever you can to restrict it to a range of characters. Now, think about this range and review the characters one by one. Is there anything in the list which can cause an issue? Do you need to allow any other characters besides [a-zA-Z0-9]? Why? Think about it and follow the best security practices.

Sometimes you need to use blacklist after passing the input from a white-list to have more security. For example: an input can contain a file path. Therefore, we should allow dot “.” character. However, we should not allow any double dot “..” as it can cause directory traversal.

If you are designing a system, look for the vulnerabilities which have been reported on the similar systems in Internet. You may find something that you had not had any knowledge about it before! Do not think that you know everything! Even a semi-colon or colon can compromise your system sometimes.

Talk about your system with the security people; with experts (not script kiddies). You can ask your questions in different security forums to find a clue. Ask them to break your protection to improve the security.

Note 1: a bad implementation is worse than not having any implementation! When you don’t have any protection, at least you know you do not have anything to protect yourself and the system is unsafe!!! However, when you have an insecure/bad implementation, you think the system is safe enough but it is not, and attackers will find this out – trust me!

Note 2: If you are putting different inputs next to each other, it is better to pass them at least through a black-list protection after concatenation.

Now, without using an indirect reference, two solutions for our vulnerable example (“www.vulnerable.com/download.aspx”) can be:

Solution 1 (More White-list – more restricted):

1- Replace all the “/” with “\” character in order to make the validation easier (for Windows OS). (Black-List)

2- Replace all the dot characters before the backslash character (“.\”) with a single “\” character in order to make the validation easier. (Black-List)

3- Only accept limited characters as an input: RegEx: (([a-zA-Z0-9][\.]{1})|[a-zA-Z0-9\\])*

4- File name should start with: RegEx: ^[a-zA-Z0-9\\] (White-list)

5- File name should end with: RegEx: [a-zA-Z0-9]$ (White-list)

Then a general ReGex will be (include 3, 4, and 5): ^([a-zA-Z0-9\\]{1})(([a-zA-Z0-9][\.]{1})|[a-zA-Z0-9\\])*([a-zA-Z0-9])$ (White-list)

6- Find the file extension by using the last dot “.” character of the file. This extension should be in the list of allowed extensions such as “gif”, “jpg”, “doc”, “docx”, “pdf”, “rtf”, and so on. (White-List)

Limitation: It is not possible to use Unicode or special characters in the file or the directory name.

Solution 2 (More Black-List – less restricted):

1- Trim the input to remove unnecessary spaces (Black-List)

2- Replace all the “/” with “\” character in order to make the validation easier (for Windows OS). (Black-List)

3- Replace all the “..” with “.” character in a loop till you cannot find any “..” anymore. (Black-List)

4- Replace all the space and dot characters before and after the “\” character with a single “\” character in order to make the validation easier. (Black-List)

5- Replace all the “\\” with “\” character in order to make the validation easier. (Black-List)

6- Path should not contain these characters: RegEx: [^:*?"<>|;~] – (for Windows OS)

7- Find the file extension by using the last dot “.” character of the file. This extension should be in the list of allowed extensions such as “gif”, “jpg”, “doc”, “docx”, “pdf”, “rtf”, and so on. (White-List)

Quick Conclusion:

Stop using blacklist protections for direct object references if you cannot use indirect ones. Moreover, do not forget to talk to the specialists to implement it correctly.

Final Words

Please send me your feedbacks via my email address (irsdl at yahoo dot com) to improve this white-paper. You can use whole or part of this document by putting a reference to the author (Soroush Dalili) and link of the main document.

Currently just by using Google, a lot of vulnerable websites and Content Management Systems (CMS) can be found. If you find an issue based on the content/idea of this paper in a permitted system (such as your website CMS), please report it to its legal authority to patch the system as soon as possible; and I would be thankful if you put a link to this document as a reference in your advisory.

However, please do not use this knowledge against any website or system without having a legal permission. And, I do not accept any responsibility for any usage from this white-paper and its content/idea.

Reference(s):

- OWASP, Unrestricted File Upload: http://www.owasp.org/index.php/Unrestricted_File_Upload

—
Downlaod the PDF file: http://soroush.secproject.com/downloadable/Unrestricted_File_Download_V1.0.pdf
—
Backup link is also available: http://0me.me/files/soroush.secproject.com/Unrestricted_File_Download_V1.0.pdf

Facebook Redirect Link – New Bypass Method – “:/” after the domain name

Facebook is using “facebook.com/l.php?u=THE_External_URL” whenever you click on an external link; and as a result:
1- Your current page won’t be sent via the “Referer” section of the HTTP header. So, it is useful for the privacy.
2- It is possible to stop malicious or unwanted links by using a single point (“l.php” page).

Now, I want to show a flaw in this process in which by clicking on an external URL in Facebook, users can go directly to the destination URL without passing the “facebook.com/l.php” page:

Add a “:/” at the end of the domain name! That’s it!
PoC:
Put these links in a comment section on your Facebook page and click on them too see the result (If you know how to work with local proxy tools such as burp suite, you can directly post a link on your wall [not just in comment section] with “:/” in the URL to exploit this flaw):
     - https://fp.auburn.edu:/oit/show_server_variables.asp
     - http://soroush.secproject.com:80:/

Now, do not click on the links which have “:/” after the domain name with or without port number! (18 Dec. 2010)

NOTE: This issue had been reported to Facebook at least twice more than 1 month ago without having any response.

JSReg Bypasses – OLD

Sorry for the delay as I am/was too busy. Some of my friends had asked me to write about bypassing the JSReg in Hackvertor.com based on a challenge which was on sla.ckers.org forum by Gareth Heyes.

However, Gareth Heyes has already written great things about it that I can just refer you to the pages (instead of writing it again):

http://www.thespanner.co.uk/2010/10/31/jsreg-bypasses/
http://rgaucher.info/planet/The_Spanner/2010/11/07/Soroush_Dalili_breaks_JSReg_again

Gareth is writing these functions alone, so if you have any great idea please let him know. He is a nice and clever guy; so, do not miss your chance to have a great friend!

Again, thanks Gareth.

Skype Privacy Concern: It sends detected numbers + URLs to its server!

Default installation of the Skype installs Skype Add-On (Plug-In) on the browsers. After that, if you browse a page, most of the telephone numbers will be detected.

For example:

And look at this if you currently have installed a Skype on your computer: 0044-7987654321

Now the problem is: Skype always sends all of these selected numbers to one of its servers “pnrws.skype.com”. The worst thing is that they are actually sending the page URL in “referrer” section of the header as well. As a result, Skype server can log all of this information with IP address of the user to track a user or to identify a person. And the question is why Skype needs this information?

For proof of concept, I will put a phone number in a Facebook page and monitor the HTTP requests by using Fiddler. The result has been shown in the following images (if you cannot see the images, your ISP has been blocked by GoDaddy):

Facebook page:

In Fiddler:

As you can see, my Facebook URL and the phone number are sent to the Skype server.

However, I think number detection of Skype Add-On does not send more important information such as credit card numbers!

Now, if you are a bit concern about your privacy, just disable the Skype Add-Ons (Plug-Ins) in your browsers.

Please let us know if you know how Skype uses this information and why Skype needs this information.

How Secunia PSI put the privacy in danger

“The Secunia PSI software is a free security tool designed to detect vulnerable and out-dated programs.” Although this application is very useful to secure a computer by keeping it up to date, unfortunately it will put the user’s or company’s privacy in danger. Based on the latest post in the following URL, user’s information “is never passed on with personally identifiable information (such as the usernames in path names)”:

http://secunia.com/community/forum/thread/show/4951/secunia_psi_how_to_delete_information

I want to prove that the Secunia PSI actually passes the following information which can be treated as a confidential data for a company or causes privacy issues for a real person:

1- Domain Name or Workgroup Name (“langgourp”)

2- Computer Name (“hostname”)

3- Username (as there are special files on “Application Data” directory such as Mozilla Firefox “extensions” folder which should be listed by using Secunia PSI)

4- List of directories of the hard disk which contain some special name with extensions such as “exe”, “dll”, “ocx”, and so on. Some of these directories can contain important information such as the personal names, project names, company names, and so on.

My proof is very simple and you can do it yourself. As Secunia PSI is based on a Web Application, all of its messages to its server can be monitored by using Fiddler HTTP Debugging Proxy which is absolutely free: http://www.fiddler2.com/Fiddler2/version.asp

Now follow these steps:

- Scanning the computer once by using the Secunia PSI (If it is the first time)

- Close the Secunia PSI application completely from the task manager

- Open Fiddler and go to “Tools”> “Fiddler Options”> “HTTPS”> and select “Decrypt HTTPS traffic” option and click on “OK”

- Now, open Secnuia PSI application again

- Monitor its behavior by using Fiddler. If there isn’t anything on Fiddler, click on “Start Scan” button of Secunia PSI to scan your computer.

- Now, look at the responses from the Secunia server. As you can see there are information of your computer in responses which means the Secunia server has stored them on its database.

For example, look at the following images (if you cannot see the images, your ISP has been blocked by GoDaddy):

Now, my recommendation for Secunia is to use a local database on each computer to keep location of files and folders private. The only thing that should be passed to the server is the user ID, signature (hash) of the application, and file or application ID which can be linked to the database in order to find the exact place of that files and/or folders on the local computer. Moreover, I cannot understand why it needs to send the Domain/Workgroup Name and the Computer name to its server (maybe it is used for copyright!).

My suggestion to the users: Currently – 1^st Dec. 2010 -, using Secunia PSI for those people who want to be anonymous and those companies which want to keep all of their information private is a nightmare and this application should be removed. Ask Secunia to fix this issue.

Hope to see a better Secunia PSI soon.

Cross Site Request Forgery (CSRF) PoC Template (by Javascript)

“Cross Site Request Forgery (CSRF) PoC Template (by Javascript)” project page has been updated.

Please visit the project section:

http://soroush.secproject.com/blog/projects/csrf_poc_template/ 

---

@ScriptName: Cross Site Request Forgery (CSRF) PoC Template 
@Purposes: For any Legal/Ethical Educational Security Researches Only (without any WARRANTY). You can create your own CSRF PoCs by using this template. Author does not accept any responsibility or liability for the use or misuse of this code. 
@Website: http://soroush.secproject.com/blog/projects/csrf_poc_template/ 
@Code: https://code.google.com/p/csrf-poc-template-by-js/

---

Clicking on an offline message link in Yahoo Messenger can lead to Session Hijacking

Clicking on an offline message link in Yahoo Messenger is the same as clicking on an unknown link in your yahoo mail! In fact, Yahoo authenticates you before opening the destination link by using this URL:
http://login.yahoo.com/config/reset_cookies_token?.token=[Your Valid Token]&.done=[Destination Link]
Note 1: Fortunately, the destination cannot read your valid token by using referrer section of the HTTP request. However, this valid token is stored at your browser’s history, and if you do not sign-out from Yahoo, it can be dangerous.
Now you may ask why clicking on link while you are authenticating in yahoo is dangerous:
There are a lot of Cross Site Scripting (XSS) vulnerabilities in yahoo.com sub-domains. Some of these XSS attacks are simply detectable by IE8 and/or NoScript (a recommended Mozilla Firefox Add-on), and some aren’t. For example, some of Asian sub-domains of yahoo.com still have SQL Injection. And it is simply possible to cover an XSS attack by using a simple SQL Injection. Moreover, there are some points with different encoded inputs such as UTF-7 or Base64 which can be used to bypass the client-side protections. There are some other types as well that I do not want to talk about them here (I do not want to teach how to find XSS in this post). Some examples: http://www.xssed.com/search?key=yahoo.com

I’m scared. What should I do then?
1- Only open your email in private browsing mode.
2- Do not click on unknown links which are sent to you via offline messages or your email. If you want to open that link, simply open another private browsing and copy/paste that link there to open it. Moreover, you can open those links in a different browser from your open yahoo mail or your default browser.
3- Please always look at the link destination and do not trust its name. For example this link will redirect you to google.com instead of: http://www.yahoo.com/.

I clicked on a link by mistake. What should I do?
1- If you have knowledge of web security, you can open that link while monitoring your browser by using a local proxy such as Fiddler or BurpSuite. You will see if there is any request to yahoo.com or any other domains then.
2- If you are not sure about what you have done, you MUST change your password immediately. This is the only way that you can protect yourself. Even decreasing the life time of your Yahoo session (Cookie) cannot solve your problem.

What will happen if I don’t care?
1- Attackers will have access to your Yahoo.com account without knowing your password. Fortunately, they cannot change your password directly (they still can use forgot password section).

NoScript New Bypass Method by Unicode in ASP

Update:

NoScript v2.0.2.3 does not have this problem anymore. I’m happier now. tnx to its clever author.

As I told Giorgio, all the problems will be reported to him first  

Woohoo! You/We/They/or whatever! can still use unicode in some places!

NoScript cannot find out special unicode characters which mean something in ASP:

PoC:

http://Example.com/VulnFile.asp?DangInput=%u2329scr%u0131pt%u232A%u212Fval(‘alert’%2b’(“NoScript Bypass in ASP!\\nBy Soroush Dalili”)’)%u2329/scr%u0131pt%u232A

In this example I selected the characters from: http://rishida.net/scripts/uniview/uniview.php . For instance:
%u2329 = <
%u0131 = i
%u232A = >
%u212F = e
From Microsoft point of view! Therefore, IE8 XSS prevention can detect this encoding and NoScript cannot detect it.

New update – July 2010

I want to update my blog with this new post:
- I learned good things from BlackHat 2010 although I was not there! JavaSnoop is a great tool by the way. Although there are some minor bugs, this tool is solving many of my problems!

- Some software are immune against my reports like Fortify! I’m not sure if it’s a good thing for them however! This is not my policy!

- Burpsuite Pro is great and I’m waiting for the new version after fixing my issues (current version is 1.3.07).

- A dangerous CSRF vulnerability in Secunia Community has been fixed – in which attacker could change a user’s email address and then use forgot password feature to reset his/her password – immediately after my report.

More info: http://secunia.com/community/forum/thread/show/4856/notification_of_fixed_csrf_issue

- CodeProject.com wants to fix a vulnerability that I’ve reported 1 month ago.

- I’ve reported a Microsoft .Net security vulnerability to them and I’ve just received their first “thank you” email. Now, I’m waiting to see what would happen.

- I reported a dangerous CSRF vulnerability in BlogFa.com to them several months ago. Although they’ve fixed that issue, they did not give me any credit! Should I report their flaws in future? I’m not so sure!

- I want to release a powerful tool for Steganography in text soon! This is my MSc. project that I’ve changed it a bit.

IIS5.1 Directory Authentication Bypass by using ":$I30:$Index_Allocation"

Download this advisory from: http://soroush.secproject.com/downloadable/IIS5.1_Authentication_Bypass.pdf
or: http://0me.me/demo/IIS/IIS5.1_Authentication_Bypass.pdf

Description:
Although IIS5 is very old, finding one is not impossible! Therefore, I want to introduce a technique to bypass the IIS authentication methods on a directory.
This vulnerability is because of using Alternate Data Stream to open a protected folder.
All of IIS authentication methods can be circumvented. In this technique, we can add a “:$i30:$INDEX_ALLOCATION” to a directory name to bypass the authentication.
In a protected folder such as “AuthNeeded” which includes “secretfile.asp”:
It is possible to run “secretfile.asp” by using:
“/AuthNeeded:$i30:$INDEX_ALLOCATION/secretfile.asp”
Instead of:
“/AuthNeeded/secretfile.asp”

More description:
Why IIS6 and 7 are not vulnerable:
- In these versions, IIS does not accept colon (“:”) character from the URL before the querystring.

Why we cannot use “::$Data” in IIS 5.1 anymore:
- IIS rejects the request if its URL contains “::$” (before querystring).

Why IIS5 is vulnerable to “Directory Authentication Bypass” by using “:$I30:$Index_Allocation”:
- IIS only verifies the directory name to check for authentication. Therefore, we can use “http://victim.com/SecretFolder:$I30:$Index_Allocation/” instead of “http://victim.com/SecretFolder” to bypass the authentication.

Is it possible to bypass something else by using “:$I30:$Index_Allocation” on a NTFS partition:
- If a checking is only based on the directory name, it can be bypassed by using this method.

Download this advisory from: http://soroush.secproject.com/downloadable/IIS5.1_Authentication_Bypass.pdf
or: http://0me.me/demo/IIS/IIS5.1_Authentication_Bypass.pdf

Crowzers or Carzy Browsers:

I need to translate this word first:
Carzy Browsers = Crowsers

Now, I want to share some odd behaviour of browsers with you. Let’s make them Crazy!

 1- First, we load a URL in an IFrame. Then, we load another website on the same frame. Now, by using “javascript:window.history.go(0)”, it will change the IFrame SRC to the first URL,  but it keeps the 2nd website on the IFrame!

 Try it here: http://0me.me/demo/crowzers/irsdl/addressbar_halt.html

 Which Browsers?

  - Mozilla Firefox 3.6.6

  - IE7

  - IE8

 2- We want to lock the address bar in different browsers by using “onblur” and “onload” events with “this.focus()”.

 Try it here: http://0me.me/demo/crowzers/irsdl/iframe_src_fool.html

 Which Browsers?

  - Mozilla Firefox 3.6.6

  - IE7

  - IE8

  - Opera 10.54

 3- We want to stop the browsers from working by using infinite loops and so on.

 Try it here: http://0me.me/demo/crowzers/irsdl/halt.html

 Which Browsers?

  - Mozilla Firefox 3.6.6: Halted with Mozilla Crash Reporter

  - IE7: Halted

  - IE8: Halted

  - Safari 5: Crashed on “javascriptcore.dll”

Good luck!

Cross Site URL Hijacking by using Error Object in Mozilla Firefox

In this paper, I want to represent a method for performing Cross Site URL Hijacking (which we can call XSUH) by using the error object of Mozilla Firefox. XSUH attack is used to steal another website URL. This URL can show the client’s situation on that website, and it can contain confidential parameters such as session ID as well. There is another useful article with a similar purpose but with a different approach which is “XSHM” article of CHECKMARX , and reading this article is highly recommended to you as well.
As you might know, scripts error handling in Mozilla Firefox is quite useful for the developers as it can show the exact source of an error with some useful information. Now, this functionality can be misused to divulge the destination URL after the redirections (XSUH attack) which can lead to condition leakage or stealing some important parameters from the URL.

Download From Here: http://soroush.secproject.com/downloadable/XSUH_FF_1.pdf
Or Here: http://0me.me/demo/XSUH/XSUH_FF_1.pdf

Proof of Concept: http://0me.me/demo/XSUH/XSUH_demo_firefox_all_in_1.html

Note:  This technique has been tested on Mozilla Firefox 3.6.3, 3.5.9, 3.6.4build5 (26th May 2010).

New Method: Role of the “/” character in mapping the website directories! – Webservers fault?

One of the first steps of a black-box penetration testing of a website is mapping its files and directories.  And in order to do that, security scanners crawl into the website first, and then try to guess the possible directories and files. These scanners use the response header or body of the page to investigate a valid file or directory. For instance, the header status “404” can be the sign of “File Not Found” and “200” can be the sign of a valid file. Also, the status “403 Forbidden” can be the sign of a valid directory without any index page. However, many websites such as Yahoo, Google, Facebook, Microsoft, and so on do not like to show the “403 Forbidden” errors for a valid directory, and instead, they show a “Page Not found” or another default page to the users. Although this functionality makes the website more user-friendly, it is not good for the scanners at all; as there is no difference between a valid and an invalid directory then.

Therefore, we need something else as a signature to improve the scanners result. And as a solution we can use a “/” as an identifier. In case of requesting a valid directory without adding a slash at the end of it, the web-server will add an slash automatically, and in case of having an invalid directory there will not be any slash at the end of the directory name.

Some examples:

Invalid Directory: http://www.microsoft.com/foobars

Valid Directory: http://www.microsoft.com/test

——–

Invalid Directory: http://code.google.com/foobars

Valid Directory: http://code.google.com/js

——–

Invalid Directory: http://www.facebook.com/foobars

Valid Directory: http://www.facebook.com/admin

——–

Invalid Directory: http://uk.yahoo.com/foobars

Valid Directory: http://uk.yahoo.com/private

——–

Cheers,

Soroush Dalili

IE7-8 drive list enumeration!

Iframe delay in loading the local drives in IE7 and IE8 can cause drive list enumeration!
Proof of Concept is available from this link:
http://plaincipher.com/demo/IE-Drive-Enum-Demo.html

Cheers,
Soroush Dalili

The Web Application Security Consortium Threat Classification v2.0

After OWASP updated its Top 10, now I’m very glad to quote this:

The Web Application Security Consortium (WASC) is pleased to announce the long awaited release of the WASC Threat Classification v2.0.

You can read more information from these links: http://projects.webappsec.org/Threat-Classification and http://projects.webappsec.org/f/WASC-TC-v2_0.pdf

Cheers,

Soroush

Microsoft Contradiction

First of all, Microsoft is one of the best companies which leads us to the better world. But, nothing is free of fault except God!

I’m writing this post as a response to the Microsoft security response in: “http://blogs.technet.com/msrc/archive/2009/12/29/results-of-investigation-into-holiday-iis-claim.aspx”.

They said that “We’ve completed our investigation into the claims that came up over the holiday of a possible vulnerability in IIS and found that there is no vulnerability in IIS.”. Therefore, I realized that this is not a Microsoft IIS hole. So, it should be a feature of IIS 6.0! In my opinion it’s a good feature for the attackers to bypass the web uploaders protection. Now my question is: why have they removed this feature from IIS version 7 and 7.5 then? And why are the others so concerned about this feature and some people added it to their exploits collection?

I think it’s not even a critical bug for IIS, but it is highly critical for most of the web applications.

Besides, Microsoft is so wrong about the default configurations since they said “customers who are using IIS 6.0 in the default don’t need to worry about this issue”.  I think they should look at the shared servers default configurations as well as the dedicated ones.

Finally, I think Microsoft should fix this feature as soon as possible to eliminate its risks! And, it is up to the web security researchers and the web penetration testers to decide about the impact of this vulnerability on the web applications.

PS:

You can also look at these links:

-          http://www.darknet.org.uk/2009/12/microsoft-iis-semicolon-bug-leaves-servers-vulnerable/

-          http://www.esecurityplanet.com/trends/article.php/3855936/article.htm

-          http://www.securityfocus.com/bid/37460/references

Browsers’ Pain: A recursive function!

I have written a recursive function by using Javascript “setInterval” function which calls itself. Unfortunately, none of the last version of famous browsers such as Internet Explorer (8), Chrome (3.0.195.38), and Mozilla Firefox (3.5.6) blocks this script. Moreover, it takes more than 50% of my CPU which is Intel Core 2 Dou 2.50 GHz.
And the worst one is Mozilla Firefox which stops working after running this script instead of showing a page to stop the script.
This script is:

<script>
function recursiveFunc(){setInterval(“recursiveFunc()”,1);}
recursiveFunc();
</script>

Just save it as an HTML file, and try to open it with your browsers. You can convert “1” to “0” to get better result in Mozilla Firefox and Chrome.
I reported it to Mozilla Firefox as a bug.
Good luck.