Thursday, November 23, 2017

Cyber Updates - 23rd November 2017

Final Release of the new OWASP Top 10

The final version of the OWASP Top 10 2017 has now been released. Following a controversial RC1 release, the project underwent a significant overhaul in the past six months, including a change of leadership and a move to a fully transparent methodology based on data received and community feedback. The final release removes CSRF and Unvalidated Redirects, merges two previous categories into Broken Access Control and introduces three new categories: XML External Entities, Insecure Deserialization and Insufficient Logging and Monitoring.

Key takeaways:

  • Many different standards and frameworks reference the OWASP Top 10 or require companies to demonstrate that they are addressing the risks which it includes. It is important that application security teams understand the new risks which have been added including how to test for them and how to develop applications which are protected against them.
  • It is also important to remember that this is just a condensed list and that a full application security program needs to consider the full spectrum of potential application security issues.


Uber Reveals Data Breach of 57 million records

Bloomberg broke a story this week that in 2016 Uber had paid hackers to delete and not disclose 57 million records which had been stolen in a data breach. The data included names, email addresses and phone numbers for 50m Uber users and data on 7m drivers including US driving licence details. Uber themselves claim that they had a legal obligation to disclose but did not.

Key takeaways:

  • One of the key concerns in this case is that Uber did not disclose when they were legally (and ethically) obligated to do so. These should be key considerations when a data breach is discovered.
  • Another key concern is that Uber effectively paid a "ransom" to the hackers despite potentially having no way of verifying that the data had been deleted and would not be used. As well as potentially also being illegal, this is generally a poor approach to dealing with a situation of this kind.

Serious Intel CPU Vulnerabilities Disclosed

Following some speculation and based on findings from external researchers, Intel released a security advisory detailing significant security vulnerabilities in a number of its CPUs used in desktops, servers and "Internet of Things" devices. The vulnerabilities could allow an attacker to remotely take control of affected machines and access privileged data. This is particularly serious because the vulnerability is in the CPU itself and is therefore completely separate from the main PC operating system.

Key takeaways:

  • IT organisations should start reviewing their IT assets for this vulnerability and work with the relevant system manufacturer (e.g. Dell, Lenovo, HP, etc.) to receive and apply updated firmware.
  • Defense in depth measures such as network segmentation and endpoint isolation should always be in place to mitigate the effect of a vulnerability of this sort.

From XSS to RCE: Hidden uses of JavaScript

We are starting to see applications written using "Electron", a technology which utilises node.js to allow writing desktop applications as if they were web applications (HTML, CSS and JavaScript). A Swiss security researcher published an article detailing how he found a Cross-site Scripting (XSS) vulnerability in GitHub's Atom text editor and was able to escalate this to Remote Code Execution due to the use of Electron.

Key takeaways:

  • Application developers should fully understand the implications of adopting new technologies and frameworks.
  • Less mature frameworks will have less available security information and therefore careful security testing should be performed before deployment.

Josh Grossman
Senior Information Security Consultant and Team Leader
joshg@comsecglobal.com

Monday, November 20, 2017

About (Weird) CORS Exploitations

During our daily routine, we face lots of different kinds of web applications, which are built differently from one another. Sometimes the developers have the need to pass information from one subdomain to another, or generally between different domains. This need might be for rendering purposes or for crucial functionality such as passing access tokens and session identifiers to another cooperative application.

As you may know, for security reasons browsers do not allow JavaScript on one domain (or subdomain) to send AJAX requests to another domain and read the responses; the policy enforcing this is called the Same Origin Policy (SOP).

So in order to allow cross-domain communication, developers had to use different “hacks” to bypass SOP and pass this allegedly “sensitive information”, until Cross-Origin Resource Sharing (CORS) came into the picture and changed the whole game.

This article sums up an extreme case of CORS misconfiguration that led me to exploit the application’s vulnerable configuration a little bit differently from what I expected.

Chapter A - The (OLD) problem:
The most common method was the use of JSONP, which will be discussed later in this article, and some JavaScript tricks such as using DOM-based objects to store information in them.

JSONP works with specific server endpoints, and retrieves user-related information from them using the user’s session, and a callback that needs to be handled on the client side. Every callback should be wrapped with a padding function (therefore, the P for JSONP). For example:

Victim application runs on domain-A, and publishes a server endpoint called “getUsers”. Note that the callback “users” also determines the name of the padding function:

The callback would be: users({"userA":"John","userB":"Smith"})

This scenario is extremely vulnerable, since domain-b.com only has to load this endpoint in its own site and wait for the victim to visit it. When this happens, an HTTP GET request is sent to domain-a.com along with the victim’s cookie (similar to classic CSRF), and the callback is then returned to domain-b to handle. For example:

// The padding function on domain-b receives the victim's data from domain-a
function users(json) {
    callbackStealer(json.userA);
}

More information about JSONP can be found over here: https://www.sitepoint.com/jsonp-examples/

Additionally, JavaScript tricks that were used by developers could also leave the site extremely vulnerable to DOM-based XSS attacks. For example:
domain-a might use the window.name object to store information and then redirect the tab to domain-b (window.location = "domain-b"). Eventually domain-b will eval() the information stored in window.name.

How can we exploit it? It’s simple:
Our attacking domain (domain-c) should store the XSS payload in window.name:

<script>
    window.name = "some AJAX-based payload to perform a critical action in the targeted application";
    window.location = "http://domain-b.com"; // Remember? This domain eval()s window.name by design
</script>

And since domain-b is executing the code which is stored in window.name, we were able to totally pwn the application, by using a third-party malicious site of our own.

But today, you won’t see this happen much. So you can just use this method to exploit an XSS you have already found.

Chapter B - The (NEW) problem:
Later on, HTML5 technology brought a game-changing feature called Cross-Origin Resource Sharing (CORS). This new policy allows developers to determine which domains are allowed to communicate with their application’s domain, and therefore no hacks are needed – but education and security awareness are!

Frameworks that support CORS used to ship with an “out of the box” configuration; we'll see some examples below.

The first wave of CORS taught the browser how to behave and allow two-way interaction between domains and subdomains. The policy tells the browser (using HTTP headers in the server’s response) whether or not a page on a different domain may interact with the current domain.

Some frameworks work with a default configuration that actually takes the origin of the request and automatically allows it by sending the origin back in the response headers. For example:

Request (note the origin was changed to evil.com):


Response:



So much for CORS huh..?
Note that Access-Control-Allow-Credentials: true allows XMLHttpRequests (XHRs) to send the victim’s cookie from ANY domain. That’s a JavaScript-based CSRF, which is far smarter than the HTML-based version.

But people learned… and hardened their CORS policy. Plus, modern browsers don't even send the actual HTTP request until they get an answer to the pre-flight request, which looks like this:




In my extreme case, every server endpoint was hardened with a secured CORS policy and didn’t allow any domain to interact with it… Meaning, it wouldn't show the response to the browser which executed the JS code. Example:






BUT (!) the pre-flight request was not secured (See example for such configuration in the above OPTIONS request). This means that the browser will allow us to send a request to the targeted domain but not read the response.

Therefore we cannot acquire additional information such as anti-CSRF tokens or nonce values, but we still have an upgraded CSRF that supports different HTTP verbs and headers (depending on the response to the pre-flight request).

TIP: we can indicate whether someone executed our script or not by adding a call to our web listener. For example:

$.ajax({some_action_in_the_targeted_application});
new Image().src = "http://web.listener.com?q=somebody just fell in your trap!";

Simple AJAX for a proof of concept, and you can possibly delete the admin account of the app, change the admin's account settings… whatever.

In conclusion,
Remember to always test every endpoint, including the pre-flight request by changing the origin to an arbitrary domain, and ensure that the site is not vulnerable.
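As an added example (not the post's own code), the following Node.js model shows the reflected-origin default from Chapter B, the extreme case where only the pre-flight is left open, and the per-endpoint audit recommended here; the hostnames app.example and evil.example are constructed placeholders.

```javascript
// Added example (not from the original post): a small model of a server's CORS
// handling, showing the "reflect any Origin" default described above, the post's
// extreme case (endpoints locked down, pre-flight still open) and the per-endpoint
// audit the conclusion recommends. app.example / evil.example are constructed names.
const ALLOWED_ORIGINS = new Set(['https://app.example', 'https://portal.app.example']);

// Policy 1: the "out of the box" behaviour - echo whatever Origin the client sent,
// with credentials. Any site on the web becomes an allowed origin.
function reflectOrigin(origin) {
  if (!origin) return {};
  return { 'Access-Control-Allow-Origin': origin, 'Access-Control-Allow-Credentials': 'true' };
}

// Policy 2: exact-match allowlist; unknown origins get no CORS headers at all.
// 'Vary: Origin' keeps caches from serving one origin's headers to another.
function allowlistOrigin(origin) {
  if (!origin || !ALLOWED_ORIGINS.has(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Tiny request handler. `policies.preflight` and `policies.actual` may differ, which
// is exactly the inconsistency the post describes.
function makeServer(policies) {
  return function handle(req) {
    const origin = req.headers.origin;
    if (req.method === 'OPTIONS') {
      return {
        status: 204,
        headers: {
          ...policies.preflight(origin),
          'Access-Control-Allow-Methods': 'GET, POST, PUT, DELETE',
          'Access-Control-Allow-Headers': 'Content-Type, X-Requested-With',
        },
      };
    }
    return { status: 200, headers: policies.actual(origin), body: '{"users":[]}' };
  };
}

// Audit one endpoint as the conclusion recommends: send an arbitrary Origin on both
// the pre-flight and the actual request and flag any reply that reflects it with
// credentials.
function auditEndpoint(handle, attackerOrigin = 'https://evil.example') {
  const reflects = (res) =>
    res.headers['Access-Control-Allow-Origin'] === attackerOrigin &&
    res.headers['Access-Control-Allow-Credentials'] === 'true';
  const preflight = reflects(handle({ method: 'OPTIONS', headers: { origin: attackerOrigin } }));
  const actual = reflects(handle({ method: 'GET', headers: { origin: attackerOrigin } }));
  return {
    preflightReflectsOrigin: preflight,
    actualReflectsOrigin: actual,
    // Open pre-flight, closed endpoint: the browser still sends credentialed requests
    // with arbitrary verbs/headers but hides the response (the post's "upgraded CSRF").
    preflightOpenButResponseHidden: preflight && !actual,
    // Endpoint reflects too: authenticated responses are readable cross-origin.
    responseReadableCrossOrigin: actual,
  };
}

const defaultConfig = makeServer({ preflight: reflectOrigin, actual: reflectOrigin });
const extremeCase = makeServer({ preflight: reflectOrigin, actual: allowlistOrigin });
const hardened = makeServer({ preflight: allowlistOrigin, actual: allowlistOrigin });

console.log(auditEndpoint(defaultConfig), auditEndpoint(extremeCase), auditEndpoint(hardened));
```

Only the hardened server passes the audit for both request types while still answering a listed origin such as https://app.example.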

Good Luck !

Rotem Tsadok
Head of Offensive Security & Response Unit

Tuesday, November 14, 2017

ComTech: Using Burp Suite to Discover Domains

Introduction

There are many reasons why you may want to use a brute-force method to discover web domains or sub-domains, for example reconnaissance or attack surface discovery.

Whilst Burp Suite can discover content in folders below a domain using a brute-force approach (see: here), it cannot use this approach to find domains.

Burp Intruder would be a possible tool for this (assuming you are looking for web sites) except that you have to specifically choose the target domain on the first tab so it cannot be chosen as a payload position which could then be brute-forced by Intruder. Once I realised this, I started thinking how I could use Burp's features to enable this. I have set out the solution below. Note that this assumes you are already familiar with how Burp Suite works and it will only work with Burp Suite Pro.


Invisible Proxying

The answer is to create an invisible proxy in Burp. Invisible proxying is the way Burp handles client applications which cannot be configured to use a proxy. As explained here https://portswigger.net/burp/help/proxy_options_invisible, applications which can be configured to use a proxy send the full URL to the proxy so that the proxy knows where to send the request on to. An application which cannot be configured to use a proxy will include only the path in the request line, not the domain itself.

Invisible proxy mode effectively means that Burp decides on the target location based on the Host header in the HTTP request. The Host header can be selected as a payload position in Intruder, so we can fuzz it.
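To make that routing rule concrete, here is an added Node.js example (not Burp's code) that resolves the upstream target for the two request shapes described above; the hostnames are constructed placeholders.

```javascript
// Added example (not from the original post, not Burp's code): how an "invisible"
// proxy decides where a request goes. A proxy-aware client sends the full URL in
// the request line; a non-proxy-aware client sends only the path, so the proxy has
// to fall back on the Host header - which is why Host becomes a fuzzable position.
// Hostnames like www.example are constructed placeholders.

// Parse the raw request head (request line + headers, CRLF separated).
function parseRequestHead(raw) {
  const [requestLine, ...headerLines] = raw.split(/\r?\n/).filter(Boolean);
  const [method, target, version] = requestLine.split(' ');
  const headers = {};
  for (const line of headerLines) {
    const idx = line.indexOf(':');
    if (idx > 0) headers[line.slice(0, idx).trim().toLowerCase()] = line.slice(idx + 1).trim();
  }
  return { method, target, version, headers };
}

// Split "host[:port]" into its parts, applying the scheme default when no port is given.
function splitHostPort(hostValue, scheme) {
  const m = /^([^:]+)(?::(\d+))?$/.exec(hostValue);
  if (!m) throw new Error(`malformed Host value: ${hostValue}`);
  return { host: m[1], port: m[2] ? Number(m[2]) : scheme === 'https' ? 443 : 80 };
}

// Decide the upstream target. An absolute-form request line wins outright (RFC 7230
// section 5.4: a proxy must ignore Host in that case); an origin-form request is routed
// purely by the Host header, as Burp's invisible mode does.
function resolveTarget(raw, listenerScheme = 'https') {
  const req = parseRequestHead(raw);
  if (/^https?:\/\//i.test(req.target)) {
    const url = new URL(req.target);
    const scheme = url.protocol.replace(':', '');
    const port = url.port ? Number(url.port) : scheme === 'https' ? 443 : 80;
    return { scheme, host: url.hostname, port, path: url.pathname + url.search, routedBy: 'request-line' };
  }
  if (!req.headers.host) throw new Error('origin-form request without Host header: cannot route');
  const { host, port } = splitHostPort(req.headers.host, listenerScheme);
  return { scheme: listenerScheme, host, port, path: req.target, routedBy: 'host-header' };
}

// Constructed sample requests: one proxy-aware, one as a non-proxy-aware client sends it.
console.log(resolveTarget('GET http://www.example/a?b=1 HTTP/1.1\r\nHost: ignored.example\r\n\r\n'));
console.log(resolveTarget('GET /a HTTP/1.1\r\nHost: dev.example:8443\r\n\r\n'));
```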


Configuring Burp Suite


Setting up the proxy

The first thing I have to do is set up a new proxy listener in Burp. In this case I have it listening on port 443, although you could choose any available port. The important thing here is that I have selected the invisible proxy option.



Setting up Intruder

I have already sent a standard GET request to intruder. I now go to the target tab and for the target I choose localhost and the port where I have got my invisible proxy listening, in this case 443.


I can see the standard GET request which I sent in the Positions tab and I can now select the part of the domain in the Host header which I want to attack. I have just chosen one payload position, but obviously I could choose multiple positions if I wanted to attempt multiple variations. You could also add a port onto the Host header and choose that as a payload if you wanted to attempt multiple ports.


The rest is the same as a standard Intruder attack, in my case I have chosen a character brute-force payload but you will probably want to use a predefined list of likely domains.


Executing the attack


Intruder will give you an error about the target and Host header not matching, but you can ignore that.


Reviewing the results


You can now go through the intruder results to look at what was returned.


Interestingly, because you are looping back through Burp's proxy, you will also see the requests that were sent in the proxy history list.


I hope this little trick is useful. If you have any comments, critiques or suggestions, you can contact me using the details below.


Josh Grossman
Senior Information Security Consultant and Team Leader
joshg@comsecglobal.com

Sunday, September 17, 2017

ComTech: Do's and Don'ts in production environment pentest

Hello everyone
After a short break, ComTech is back.

Today's post will talk about something that is relevant to every pentest: the do's and don'ts of pentesting a production environment.
Let's start:
  • Don't use automated scanners, or use them as little as possible.
    In application PT, use none and do everything manually. In infrastructure PT, use only the most needed ones. The automated scanners to avoid include vulnerability scanners (Nessus and OpenVAS in infra PT; Burp Pro scanner and Acunetix in app PT).
  • Perform as much of the test as possible manually.
  • Especially don't use any tools in OT environment (industrial control system, SCADA). These environments are especially sensitive, and a simple port scan might crash them altogether. 
  • If you do need to use tools in infra PT, make sure you tick the "safe checks" checkbox if one exists (Nessus, OpenVAS).
  • Don't use payloads that can cause any damage. These include innocent-looking payloads such as the classic XSS and SQLi payloads <script>alert('xss')</script> and ' or 1=1-- in app PT.
    The first might pop up a message on a production page if the XSS is persistent, embarrassing the client; the second, if used in the wrong place, could delete all the records in a table (if injected into a DELETE statement) or issue a query that fetches every record and brings the system down.
  • Always clean up after yourself, and do the best effort to delete any testing records and data, especially any data stored in a persistent storage (DB).
  • In infra PT (and also relevant to app PT) don't send a large input to a tested interface, as it might also cause the system to crash.
  • If money is involved, always ask the client for QA credit cards. Avoid using your own credit card in PTs. 
  • Don't change any configuration in an admin interface or CMS, unless explicitly permitted by the client.
  • Open and use your test emails to make sure you won't get spammed long after the test is over.
  • Don't run online login brute-force attacks without permission, as they might lock out production users.
  • If you are testing a hosted cloud-based system, always make sure you have the appropriate permissions to do so, and that the cloud provider is aware and approves it.
  • In spite of what is written above, always talk to the client and match expectations. There might be specific production environments in which you are allowed to do the don'ts mentioned above.
Stay safe



Gil Cohen
CTO
 

Sunday, September 10, 2017

Cyber Updates - 10th September 2017

Welcome back to Cyber Updates, apologies for the hiatus over the summer.

Cisco Meraki Cloud Data Loss

Cisco Meraki is a cloud-based network management system. They recently experienced a loss of customer data which, it appeared, was not backed up; according to the account of one customer, a significant amount of manual work would be required to recreate the relevant data.

Key takeaways:

  • If you are reliant on cloud services, what happens when they are unavailable? If you have an SLA with a provider, do you offer the same SLA to your customers? Remember that you may receive compensation if your provider violates the SLA, but it is unlikely to be enough if the provider is business critical to you.
  • Even if you use a cloud service, some form of local or separated backup can be beneficial.

Chrome Extension Malware

The developer of a popular Chrome Extension called "Web Developer" was phished which allowed hackers access to his Google account. They used this to submit a malicious update to his extension which was then delivered to all extension users through the Chrome Extension updates mechanism. In this case it just seems to have been adware which was incorporated into the code but it could have been much more sinister.

Key takeaways:

  • Network admins should be monitoring which Chrome extensions are installed and, if necessary, only allowing a whitelist of extensions.
  • Endpoints should always be considered at risk and monitored accordingly.
  • Sensitive credentials should always be protected using multi-factor authentication.

HTTP sites to be marked as insecure by Chrome in October

Starting in October, the Google Chrome browser will start marking HTTP sites with a red "Not secure" warning in the URL bar as a warning to users to not enter any sensitive information.

Key takeaways:

  • Any site which processes data or has login functionality should be communicating using HTTPS throughout.
  • This move should provide a marketing impetus for companies to push this ability to their sites.

HPKP considered harmful

Scott Helme, a UK based security consultant and lecturer, wrote a blog in which he declared that he had given up on the HTTP Public Key Pinning (HPKP) standard due to the difficulty in implementing it compared to the significant risks of getting it wrong. This caused quite a stir as he has been a strong supporter of secure web standards and his blog post makes for an interesting read into security tradeoffs.

Key takeaways:

  • Make sure you understand the complexity and risks of any new security standard.
  • This decision should be part of the cost benefit analysis of implementing a new security control.

Josh Grossman
Senior Information Security Consultant and Team Leader
joshg@comsecglobal.com

Thursday, August 3, 2017

Cyber Updates - 3rd August 2017

More Cryptocurrency Thefts

In the previous cyber update, we mentioned the theft of $10m worth of Ethereum during the Coinbase ICO. Since that hack there have been (at least) two other serious cryptocurrency thefts. First, a vulnerability in a cryptocurrency wallet developed by Parity allowed attackers to steal $30m worth of Ethereum. Then, a few days later, another company in the middle of an Initial Coin Offering had $8.5m of their token stolen.

Key takeaways:

  • As we said previously, this is a continuing trend and should be addressed as a matter of urgency by companies in this space.

When your coffee machine infects you with ransomware

This story came from a Reddit post so is not independently verified, but it sounds highly plausible. The author effectively tells a story of how their company had Industrial Control Systems running on a separate, non-Internet-connected network. They were therefore puzzled to discover that machines in this environment had been hit by ransomware. It turned out that a 3rd party supplier had installed a coffee machine which bridged the company's Internet-connected and non-Internet networks, so when it got infected, so did the machines in the non-connected network!

Key takeaways:


  • All networks should be monitored for unknown or unexpected devices.
  • On particularly sensitive networks, a new device should cause an alert and an investigation.
  • Any 3rd party working with the IT network should be under heavy supervision and escort.


Node.JS package typo squatting

Node.JS uses the npm package management tool to allow Node developers to make use of prebuilt libraries to perform particular functions or operations. A developer called Ivan Akulov wrote a blog post about how he discovered fake versions of popular packages which included code to send sensitive data such as API keys back to the malicious packages' developer.

Key takeaways:


  • Beware of your dependencies; make sure you are reviewing exactly which external libraries you are using.
  • Understand the importance of each dependency and how you would cope if it was suddenly removed.


OWASP Top 10 news

Following the controversy over RC1 of the OWASP Top 10 2017, OWASP published a blog post this week providing some updates from the new project leaders on the plans for the project. Anyone who is involved at all in Application Security would be advised to read the post in detail.

Key takeaways:


  • The most controversial addition (A7 Insufficient Attack Protection) appears to have been rejected as it does not represent a vulnerability.
  • AppSec professionals are being asked to provide data regarding vulnerabilities found in applications to help guide which vulnerabilities should be in the top 10.
  • AppSec professionals are also being asked to complete a future-looking survey about what newer vulnerabilities are on an upward trend and should therefore already be considered, even if they are currently less widespread.






Josh Grossman
Senior Information Security Consultant and Team Leader
joshg@comsecglobal.com

Monday, July 31, 2017

Defcon25 lecture: Call the plumber - you have a leak in your (named) pipe

Hello
Following my #defcon25 lecture in Las Vegas, "Call the plumber - you have a leak in your (named) pipe" (https://www.defcon.org/html/defcon-25/dc-25-speakers.html#GCohen), here is the presentation file:
https://drive.google.com/open?id=0B3_AmubjewYTVERidTVGZW5uRnM

In addition, a similar presentation (minus some of the demos) was previously given at the Hack in Paris 2017 conference under the name "The forgotten interface: Windows named pipes", so it can be found here:
https://www.youtube.com/watch?v=m6zISgWPGGY&t=636s

Cheers :)



Gil Cohen
CTO
gilc@comsecglobal.com | www.comsecglobal.com