OWASP Moderated News Feed

Changes to our SSL Certificates

Jay — Thu, 23 May 2013 11:00:00 -0400

Posted by Stephen McHenry, Director of Information Security Engineering

Protecting the security and privacy of our users is one of our most important tasks at Google, which is why we utilize encryption on almost all connections made to Google.

This encryption needs to be updated at times to make it even stronger, so this year our SSL services will undergo a series of certificate upgrades—specifically, all of our SSL certificates will be upgraded to 2048-bit keys by the end of 2013. We will begin switching to the new 2048-bit certificates on August 1st, to ensure adequate time for a careful rollout before the end of the year. We’re also going to change the root certificate that signs all of our SSL certificates because it has a 1024-bit key.

Most client software won’t have any problems with either of these changes, but we know that some configurations will require some extra steps to avoid complications. This is more often true of client software embedded in devices such as certain types of phones, printers, set-top boxes, gaming consoles, and cameras.

For a smooth upgrade, client software that makes SSL connections to Google (e.g. HTTPS) must:

Perform normal validation of the certificate chain;
Include a properly extensive set of root certificates contained. We have an example set which should be sufficient for connecting to Google in our FAQ. (Note: the contents of this list may change over time, so clients should have a way to update themselves as changes occur);
Support Subject Alternative Names (SANs).

Also, clients should support the Server Name Indication (SNI) extension because clients may need to make an extra API call to set the hostname on an SSL connection. Any client unsure about SNI support can be tested against https://googlemail.com—this URL should only validate if you are sending SNI.

On the flip side, here are some examples of improper validation practices that could very well lead to the inability of client software to connect to Google using SSL after the upgrade:

Matching the leaf certificate exactly (e.g. by hashing it)
Matching any other certificate (e.g. Root or Intermediate signing certificate) exactly
Hard-coding the expected Root certificate, especially in firmware. This is sometimes done based on assumptions like the following:

The Root Certificate of our chain will not change on short notice.
Google will always use Thawte as its Root CA.
Google will always use Equifax as its Root CA.
Google will always use one of a small number of Root CAs.
The certificate will always contain exactly the expected hostname in the Common Name field and therefore clients do not need to worry about SANs.
The certificate will always contain exactly the expected hostname in a SAN and therefore clients don't need to worry about wildcards.

Any software that contains these improper validation practices should be changed. More detailed information can be found in this document, and you can also check out our FAQ if you have specific questions.

Dinis Cruz Blog: Sarah Baso as OWASP Executive director, how it ...

Dinis Cruz — Thu, 23 May 2013 07:22:00 -0400

A personal blog about: transforming Web Application Security into an 'Application Visibility' engine, the OWASP O2 Platform, TeamMentor, Application/Data interoperability and a lot more ...

Controlling The Risks Of Vulnerable Application Libraries - Dark Reading

(author unknown) — Wed, 22 May 2013 17:58:03 -0400

Controlling The Risks Of Vulnerable Application Libraries
Dark Reading
"What OWASP did is say we know you can't go find all those unknown vulnerabilities in all those libraries, but as a first step, for chrissake, please don't use libraries with known vulnerabilities," he says. "So if there's a CVE somewhere identified ...

Press exposure of Federal data security hole leads to legal threats

Iain Thomson — Wed, 22 May 2013 16:37:34 -0400

Hacks accused of hacking, are researchers next?

An investigation into a security slip that left the identity information for over 170,000 users of a US federal government program publicly available online has led to accusations of hacking and legal threats.…

Planning on attending Black Hat USA this year? Are you a member of OWASP?

Kelly Santalucia — Wed, 22 May 2013 15:13:00 -0400

If you answered "yes" to both of these questions and would like to save 15% off on your registration fee please use discount code KobrLQ55.

"The Global Cyber Game"

schneier — Wed, 22 May 2013 13:05:54 -0400

This 127-page report was just published by the UK Defence Academy. I have not read it yet, but it looks really interesting.

Executive Summary: This report presents a systematic way of thinking about cyberpower and its use by a variety of global players. The urgency of addressing cyberpower in this way is a consequence of the very high value of the Internet and the hazards of its current militarization.
Cyberpower and cyber security are conceptualized as a 'Global Game' with a novel 'Cyber Gameboard' consisting of a nine-cell grid. The horizontal direction on the grid is divided into three columns representing aspects of information (i.e. cyber): connection, computation and cognition. The vertical direction on the grid is divided into three rows representing types of power: coercion, co-option, and cooperation. The nine cells of the grid represent all the possible combinations of power and information, that is, forms of cyberpower.

The Cyber Gameboard itself is also an abstract representation of the surface of cyberspace, or C-space as defined in this report. C-space is understood as a networked medium capable of conveying various combinations of power and information to produce effects in physical or 'flow space,' referred to as F-space in this report. Game play is understood as the projection via C-space of a cyberpower capability existing in any one cell of the gameboard to produce an effect in F-space vis-a-vis another player in any other cell of the gameboard. By default, the Cyber Game is played either actively or passively by all those using network connected computers. The players include states, businesses, NGOs, individuals, non-state political groups, and organized crime, among others. Each player is seen as having a certain level of cyberpower when its capability in each cell is summed across the whole board. In general states have the most cyberpower.

The possible future path of the game is depicted by two scenarios, N-topia and N-crash. These are the stakes for which the Cyber Game is played. N-topia represents the upside potential of the game, in which the full value of a globally connected knowledge society is realized. N-crash represents the downside potential, in which militarization and fragmentation of the Internet cause its value to be substantially destroyed. Which scenario eventuates will be determined largely by the overall pattern of play of the Cyber Game.

States have a high level of responsibility for determining the outcome. The current pattern of play is beginning to resemble traditional state-on-state geopolitical conflict. This puts the civil Internet at risk, and civilian cyber players are already getting caught in the crossfire. As long as the civil Internet remains undefended and easily permeable to cyber attack it will be hard to achieve the N-topia scenario.

Defending the civil Internet in depth, and hardening it by re-architecting will allow its full social and economic value to be realized but will restrict the potential for espionage and surveillance by states. This trade-off is net positive and in accordance with the espoused values of Western-style democracies. It does however call for leadership based on enlightened self-interest by state players.

DDOS as Civil Disobedience

schneier — Wed, 22 May 2013 07:24:45 -0400

For a while now, I have been thinking about what civil disobedience looks like in the Internet Age. Certainly DDOS attacks, and politically motivated hacking in general, is a part of that. This is one of the reasons I found Molly Sauter's recent thesis, "Distributed Denial of Service Actions and the Challenge of Civil Disobedience on the Internet," so interesting:

Abstract: This thesis examines the history, development, theory, and practice of distributed denial of service actions as a tactic of political activism. DDOS actions have been used in online political activism since the early 1990s, though the tactic has recently attracted significant public attention with the actions of Anonymous and Operation Payback in December 2010. Guiding this work is the overarching question of how civil disobedience and disruptive activism can be practiced in the current online space. The internet acts as a vital arena of communication, self expression, and interpersonal organizing. When there is a message to convey, words to get out, people to organize, many will turn to the internet as the zone of that activity. Online, people sign petitions, investigate stories and rumors, amplify links and videos, donate money, and show their support for causes in a variety of ways. But as familiar and widely accepted activist tools -- petitions, fundraisers, mass letter-writing, call-in campaigns and others -- find equivalent practices in the online space, is there also room for the tactics of disruption and civil disobedience that are equally familiar from the realm of street marches, occupations, and sit-ins? This thesis grounds activist DDOS historically, focusing on early deployments of the tactic as well as modern instances to trace its development over time, both in theory and in practice. Through that examination, as well as tool design and development, participant identity, and state and corporate responses, this thesis presents an account of the development and current state of activist DDOS actions. It ends by presenting an analytical framework for the analysis of activist DDOS actions.

One of the problems with the legal system is that it doesn't make any differentiation between civil disobedience and "normal" criminal activity on the Internet, though it does in the real world.

JSR 356, Java API for WebSocket

jv59641 — Wed, 22 May 2013 02:29:09 -0400

For many Web-based client-server applications, the old HTTP request-response model has its limitations. Information has to be transmitted from the server to the client in between requests, rather than upon request only. A number of "hacks" have been used in the past to circumvent this problem, for example, long polling and Comet. However, the need for a standards-based, bidirectional and...

OWASP Connector May 21, 2013

Kate Hartmann — Tue, 21 May 2013 20:26:00 -0400

OWASP Connector May 21, 2013

MAY FEATURED OWASP PROJECT

OWASP Mobile Security Project

The OWASP Mobile Security Project is a centralized resource intended to give developers and security teams the resources they need to build and maintain secure mobile applications. The primary goal of this project is to classify mobile security risks, and provide developmental controls to reduce their impact our likelihood of exploitation.

The primary focus is at the application layer. While consideration is taken into the underlying mobile platform and carrier inherent risks when threat modeling and building controls, we are targeting the areas where the average developer can make a difference. Additionally, focus is placed not only on the mobile applications deployed to end user devices, but also on the broader server-side infrastructure which the mobile apps communicate with. Focus is heavily aimed towards the integration between the mobile application, remote authentication services, and cloud platform-specific features.

NEW OWASP PROJECTS

OWASP Good Component Practices Project
Project Leader: Mark Miller

Good Component Practice is one of the most overlooked silver bullets in the Open Source arsenal. Due to business pressure, we have found that companies are willing to risk using unverified open source components, trading off security for enhanced speed in development.

This project will use community input to document an industry acceptable process for the creation, maintenance, and use of open source components.

OWASP Bywaf Project
Project Leader: Rafael Gil Larios

The aim of this project is to develop an application that makes the work of an auditor much easier when conducting a Pen Test. The application's principal functions are to detect, evade, and give a vulnerability result utilizing known SQL injection, and other methods developed by professionals within the industry.

PROJECT ANNOUNCEMENTS

2013 Mobile Top 10 Call For Data

We are pleased to announce the 2013 call for data to help refresh the Mobile Top 10 Risks for 2013 and publish a more formal document. We are encouraging everyone to get involved. Right now we are looking for data that represents the current state of mobile application security. We are soliciting not just vulnerability data, but also incident and attack data that reflects the real-world prevalence and significance of these issues. The goal in requiring both is to rank risks accordingly based on data as opposed to making assumptions. We will use this data to flesh out and re-evaluate the currently incomplete Mobile Top Ten Project.

If you would like to et involved, please visit the OWASP Mobile Security Project wiki page. Please direct any questions or concerns to the Top 10 Refresh leaders, Jason Haddix, Jack Mannino, and Mike Zusman.

Do you want to host an event or propose OWASP involvement in an outreach event? Submit your event through the OWASP Conference Management System (OCMS)

Thank you to MStar Semiconductor, Inc, our newest Corporate Member

Thank you to AsTech Consulting for their Corporate Membership Renewal

GET READY FOR THE 2013 SUMMER

Cool Prizes
New Membership Levels
Become a LIFETIME Member
Click the icon for all the details

Apply for an Honorary Membership

Get the Details and the Link to the form

AppSec Research 2013

4th COUNTDOWN CHALLENGE RELEASED

There will be a challenge posted on the conference wiki page every month up until the event in August. The winner of each challenge will get FREE entrance to the conference (a €420 value). Be sure to sign up for the conference mailing list to get a monthly reminder.
CLICK HERE to access this challenge
Complete instructions on this challenge

OWASP is pleased to announce our upcoming Partner Events:

ICCS 2013 James R. Clapper, the Director of National Intelligence, will be the opening keynote speaker for the conference.

Blackhat 2013 (15% discount promo code for OWASP members is: KobrLQ44 - case sensitive)

EC Council - Use discount code TDCSTLOWASP for $99 conference passes

OWASP Foundation

www.owasp.org

Contact Us

OWASP Blog

Do you have some news? Submit your item to appear in the next connector HERE

MAY 23 GLOBAL WEBINARS SCHEDULED

TOPIC: Unraveling the mysteries of the OWASP WIKI

Have you ever wondered how to find something on the wiki? Where are the projects? How do i volunteer? How, and more importantly - Why, do I become a Member? Join us for this webinar where the Ops team will walk through some of they mysterious links on the OWASP.org website.

May 23, 2013 at 10am EDT

May 23, 2013 at 9pm EDT
(GMT -5)

Links to the recordings of previous meetings can be found on the Initiatives Page

To review All of the opportunities, Visit the Initiaives page

OWASP Global Board Elections

The call for candidates is OPEN!

2013 WASPY (Web Application Security People of the Year) Awards

It's time to submit your nominations for the 2013 WASPY (Web Application Security People of the Year) Awards!
This year's awards will recognize our community's best in 5 different OWASP related category:

Best Chapter Leader

Best Project Leader

Best community supporter - contributor to chapter, project or initiative

Best Mission Outreach - grow the OWASP community

Best Innovator - willingness to try new ideas

NOMINATIONS ARE OPEN
CLICK HERE TO ACCESS THE FORM!

OWASP would like to thank
for stepping up to be a Platinum Sponsor for these awards in 2013! Additional sponsorship opportunities are available Here

Kate Hartmann

kate.hartmann@owasp.org

+1 301-275-9403

The true root causes of software security failures - Computerworld (blog)

(author unknown) — Tue, 21 May 2013 16:45:48 -0400

The true root causes of software security failures
Computerworld (blog)
When you focus only on building functionality and not preventing unspecified functionality, you don't anticipate potential attacks, and you end up with the OWASP Top-10 and other lists like it. This is my message: Building functionality is ...

and more »

OWASP EU Tour 2013 in London on June 3rd

(author unknown) — Tue, 21 May 2013 14:59:00 -0400

As part of the OWASP EU Tour 2013, there will be a special event in London next month, along the lines of the recent ones in Cambridge and Leicester.

The one day conference is being held in central London on Monday 3rd of June 2013 at the Lion Court Conference Centre, 25 Procter Street, Holborn, London, WC1V 6NY. The nearest tube station is Holborn. It is free to attend and is open to all, but registration is required as numbers are limited to 100.

The agenda is still being finalised, but OWASP Ireland chapter leader Fabio Cerullo is presenting PCIDSS for developers, OWASP Cambridge chapter leader Steven van der Baan will be talking about simple steps for secure coding, and OWASP London chapter leader Justin Clarke will be speaking about securing development with PMD, the popular Java code scanning tool. I will be introducing and demonstrating OWASP Cornucopia. A very developer-orientated agenda so far.

The EU Tour continues to OWASP chapters in Barcelona, Bucharest, Belgium, Denmark, Dublin, Lisbon, Netherlands and Rome. Other locations will be added in due course.

OWASP EU Tour 2013 in London on June 3rd

Clerkendweller

2013 OWASP Mobile Top 10 Call For Data

Jim Manico — Tue, 21 May 2013 02:11:00 -0400

Hello All,

We are pleased to announce the 2013 call for data to help refresh the Mobile Top 10 Risks for 2013 and publish a more formal publication. We are encouraging everyone to get involved.

The current Mobile Top Ten Risks are located here:

https://www.owasp.org/index.php/OWASP_Mobile_Security_Project#tab.3DTop_Ten_Mobile_Risks

What do we need?

Right now we are looking for data that represents the current state of mobile application security. We are soliciting not just vulnerability data, but also incident and attack data that reflects the real-world prevalence and significance of these issues. The goal in requiring both is to rank risks accordingly based on data as opposed to making assumptions. We will use this data to flesh out and re-evaluate the currently incomplete Mobile Top Ten Project.

How can you contribute?

Contributing data is easy. All we require is anonymized statistics on the vulnerabilities you’ve seen in 2012-Present. If you have data on real-world incidents and attacks to share, these will be of great value as well as they will allow real-world impact to be better assessed. This can be just aggregate percentages, no need to tell us how many apps you’re doing if you’re not comfortable with that. Something like the below:

Issue: Something related to geolocation
Percentage Affected: X%
Number Affected: Y (only if you are comfortable with this)
Brief Description: This is a problem because xyz and also, bad things.

The data you submit does not necessarily have to reflect the current Top 10, it has to reflect what you are observing in the applications you analyze. At the same time, we would certainly love feedback on what you believe is correct or incorrect about the current list.

What happens next?

After a 60 day period we will review all submissions and re-draft the Mobile Top Ten based on the prevalence and impact of data provided by participants. After the submission period ends, there will be follow-on discussions and work to analyze the data. Participation in this initiative may require up to 10 hours of efforts per week, so please take this into consideration before signing up.

Spread the word. Make a difference.

Also, any help spreading the word on the Mobile Security Project is immensely helpful. A Tweet/Facebook/Linkedin post, blog entry, etc. This initiative will fail if people don't know about it. Anyone that you can promote this initiative to will help the cause.

We thank all of you in advance for your participation and hard work in making this initiative a success. Your participation will be noted and recorded when compiling the list of contributors for the final release of the Mobile Top 10 Risks documentation.

Get in touch and get involved.

Please direct any questions or concerns to the Top 10 Refresh leaders, Jason Haddix (jason.haddix@owasp.org), Jack Mannino (jack.mannino@owasp.org), and Mike Zusman (mike.zusman@owasp.org).

We will be using a Google Group to collaborate on the Top 10 refresh: https://groups.google.com/a/owasp.org/forum/?hl=en&fromgroups#!forum/owasp-mobile-top-10-risks

The OWASP Mobile Security project’s mailing list is also another way to get in touch with other contributors (owasp-mobile-security-project@lists.owasp.org).

Remote Code Injection Vulnerabilities Discovered in iOS Apps

Chris Brook — Mon, 20 May 2013 16:39:08 -0400

Multiple vulnerabilities have been discovered in both File Lite and File Pro, two file management applications created by Perception Systems for iOS, currently available on Apple’s App Store.

Researchers at Vulnerability Laboratory found the bugs on the latest builds of File Lite and File Pro – released on May 17 and May 14 respectively.

Both apps afford attackers the ability to upload files to another user’s account without their permission, while two others allow code injection in the user’s browser while they view a file listing, according to AOL’s Apple blog TUAW, which wrote about the issues today.

Both of the vulnerabilities rely on the user browsing files on the device via its WiFi setting, so anyone who uses the apps may want avoid doing that until the company issues another fix.

Email requests for comment sent to Perception Systems were not immediately returned on Monday, yet the version update history for the applications in question are patched every several months.

OWASP's 2013 Web Vulnerabilities List Will Shuffle the Top Ten

Jonathan Lampe — Mon, 20 May 2013 08:10:16 -0400

The OWASP Top 10 list publicizes the most critical web application security flaws as determined by Open Web Application Security Project (OWASP), a nonprofit, vendor-independent IT security organization formed in 2001.

Your login form posts to HTTPS, but you blew it when you loaded it over HTTP

Troy Hunt — Mon, 20 May 2013 07:46:00 -0400

Here’s an often held conversation between concerned website user and site owner:

User: “Hey mate, your website isn’t using SSL when I enter my password, what gives?!”

Owner: “Ah, but it posts to HTTPS so your password is secure! We take security seriously. Our measures are robust.” (and other random, unquantifiable claims)

Loading login forms over HTTP renders any downstream transport layer security almost entirely useless. Rather than just tell you what’s wrong with this, let me show precisely why this is with a site that implements this pattern:

How’s that for simple?! What people forget about SSL is that it’s not about encryption. Well that’s one feature of secure sockets, another really essential one is integrity insofar as it gives us confidence that the website content hasn’t been manipulated. Anything you load over an HTTP connection can be easily changed by a man in the middle which is why it’s absolutely essential to load those login forms over a secure connection. OWASP is very specific about this in part 9 of their Top 10 web application security risks and summarise it well in the transport layer protection cheat sheet:

The initial login page, referred to as the "login landing page", must be served over TLS. Failure to utilize TLS for the login landing page allows an attacker to modify the login form action, causing the user's credentials to be posted to an arbitrary location.

It’s not just Woolworths doing this, in fact it’s extremely common and you’ll see it on GoDaddy:

On Pandora:

And even on the Financial Times:

I’m calling out these simply because they’re high-profile sites yet they all load the login forms over HTTP and post to HTTPS. Why aren’t they implementing SSL correctly? Most likely convenience; customers can login direct from the homepage and they can have it delivered over HTTP. Mind you Pandora links off to a login page so why they couldn’t just serve that securely to begin with is a bit of a mystery.

So how should it be done? Load the login form over HTTPS, either by linking to a dedicated login page or popping it up in a separate window (although there’s a UX argument against this). Even better, just load the whole site over HTTPS! Yes, there are some barriers to HTTPS across the board (managing certs in web farms, dependencies on assets from third parties, impact on CDNs, etc) but it sure solves the login form issue. Check out Netflix’s approach – straight into HTTPS, job done!

The other issue with the examples above is that potential manipulation of the content aside, missing HTTPS on the login form leads to exactly the discussion this post opened with – users not believing their credentials are protected. All the messaging we’ve been delivering to website users since the early days of the web about checking for the padlock in the browser address bar goes down the drain because it’s simply not there! There’s no assurance that their credentials will be protected and it’s a real shame to dilute such an important security message.

As for how the exploit in the video works, it’s just a simple Fiddler script to inject the keylogger before the body tag closes off. The keylogger itself is over on Google Code, the only code I wrote to incorporate it was the script tags you saw at the end of the video and the “Hack Yourself” website which receives the logged keys. It really is that simple.

Whilst Fiddler is good for demonstration purposes, clearly an actual weaponised attack would work differently but the principle is the same: When unencrypted traffic passes through a node on the network – NIC, ethernet cable, router, proxy, ISP, etc. – it may be observed or manipulated by an attacker. This isn’t theoretical, there are many precedents such as the Tunisian government harvesting Facebook credentials en mass.

This is all a bit odd really, I mean these sites have gone to the effort of implementing some SSL but then blown it by loading those login forms over HTTP. As we saw with Woolworths, posting over a secure connection is completely useless if there’s no integrity in the login form itself, an attacker may already have the credentials by then if the connection is compromised which is the very risk they all implemented SSL to protect from in the first place!

Cornucopia Ecommerce Website Edition v1.00

(author unknown) — Sat, 18 May 2013 14:30:00 -0400

Cornucopia Ecommerce Website Edition v1.00 was uploaded to the OWASP website in February and has now been upgraded to a full OWASP project.

Today, I have completed the new OWASP Cornucopia Project pages which include:

Description and objectives
Presentation given at OWASP Netherlands in March
Links to all the references files, including a new security coding practice requirement identities, created last week
Instructions on how to play
Frequently asked questions
Acknowledgements
Road map and how to get involved
Link to the PCISSC information supplement for PCIDSS referencing Cornucopia

Please let me know if you think I can add anything of use to the project pages.

I am also working on some minor updates to the ecommerce website edition's documentation and deck. I will be presenting the project at an event in London shortly.

Cornucopia Ecommerce Website Edition v1.00

Clerkendweller

Big Data Ends the Era of Hunches

taylorcat — Fri, 17 May 2013 11:40:00 -0400

I made great money in college recruiting people for focus groups. Those were tough days for students in a state (New York) where the minimum wage was only $3.35 an hour. Instead, I was making $25 an hour working in a phone bank that called and convinced specific demographic groups to spend a few hours at a marketing company as part of a focus group.I could recruit 30-year-old stay at home moms or...

Microsoft: Invulnerable software is not possible - InfoWorld

(author unknown) — Thu, 16 May 2013 16:08:45 -0400

Microsoft: Invulnerable software is not possible
InfoWorld
Get the first word on what the important tech news really means with the InfoWorld Tech Watch blog. For the latest developments in business technology news, follow InfoWorld.com on Twitter. Tags: Application Security, Vulnerability Assessment ...

and more »

DOM Clobbering

Gareth Heyes — Thu, 16 May 2013 06:00:05 -0400

The DOM is a mess. In an effort to support legacy quick short cuts such as “form.name” etc the browsers have created a Frankenstein monster. This is well known of course but I just wonder how far the rabbit hole goes. I’m gonna share what I discovered over the years.

HTML Collections

First up is my favourite “HTML Collections”, when html elements are combined into groups they become a collection. You can actually force a collection by giving an element the same name. Such as:

<input id=x><input id=x><script>alert(x)</script>

On IE “x” alerts “Object HTML Collection”. What’s interesting is there are two ways of doing this, via name and via id, because it’s an array like structure you can reference each element by the order they appear in the collection e.g. collection[0] is the first element. We can use this functionality to “clobber” variables into window to create some interesting stuff. An example of this:

<a href="invalid:1" id=x name=y>test</a>
<a href="invalid:2" id=x name=y>test</a>
<script>alert(x.y[0])</script>

What is especially odd is that a collection constructed like this can refer to itself forever, for example:

<script>
alert(x.y.x.y.x.y[0]);
alert(x.x.x.x.x.x.x.x.x.y.x.y.x.y[0]);
</script>

When the elements become a collection this of course removes the normal properties/methods on the HTML element if it was being referenced by name.

<a href=1 name=x>test</a>
<a href=1 name=x>test</a>
<script>
alert(x.removeChild)//undefined
alert(x.parentNode)//undefined
</script>

You can see how that could cause problems

Variable assignments cause anchor href modifications

This is a very old bug probably a few years old now, it was rediscovered by @gsnedders. On IE a global variable with the same name as an anchor element caused modification of that anchors href. For example

<a href="123" id=x>test</a>
<script>
x='javascript:alert(1)'//only in compat!
;</script>

If you have an anchor named “x” and an assignment with the same name then even if it is fully encoded you can still inject XSS by modifying the anchor directly.

Framebusters busted

Lastly on my trip down memory lane I have another interesting bug that was again found many moons ago. You might be familiar with code similar to this:

<script>
if(top!=self){
 top.location=self.location
}
</script>

It’s checking if the top most window is the same as the current window (usually to prevent a page being framed). If we can clobber a form before the check then we can fool the logic into thinking that self is a form and “self.location” is an attribute on that form like this:

<form name=self location="javascript:alert(1)"></form>
<script>
if(top!=self){
 top.location=self.location
}
</script>

Which fires the alert! But there’s more, since an attribute is decoded when it’s accessed we can encode the colon of course but because on IE when the assignment occurs it’s also decoded we can now double encode! Which means this is perfectly valid too:

<form name=self location="javascript&amp;#58;alert(1)"></form>
<script>
if(top!=self){
 top.location=self.location
}
</script>

In conclusion the DOM is a mess.

2013 Board Election Call For Candidates & Honorary Membership

Kelly Santalucia — Wed, 15 May 2013 11:59:00 -0400

On behalf of the OWASP Foundation, I am happy to announce the 2013 OWASP Foundation Call for Board Candidates. This year there are three board seats open for election. We are now accepting Call for Candidates and Honorary Membership requests.

Individuals that are interested in running for the board are strongly encourage to read the International Board of Directors Primary Responsibilities as well as the Eligibility Requirements for Board Candidates before submitting your Candidate Submission form. All candidates interested in running must be declared by August 16.

Honorary Membership is available for active project and active chapter leaders with their leadership positions on file prior to September 30. **ALL qualified individuals who wish to be granted Honorary Membership MUST apply for Honorary Membership in order to vote in this years election.** Deadline to submit your self nomination form for Honorary Membership is September 30.

For more information on this years Board Election including the Election Timeline, Call for Candidates form and the Honorary Membership form please see http://owasp.com/index.php/2013_Board_Elections.

Automating Test Cases

yboily — Wed, 26 Oct 2011 22:34:19 -0400

Earlier this year I wrote about some of the challenges of scaling security efforts in an organization, and I mentioned that we are working to adopt better tooling to assist us in this. We have been working towards improving security in the development lifecycle by making security tests a part of the quality assurance process. In order to accomplish this we worked with the QA team at Mozilla to create a simple tool called Garmr to integrate automated security test cases as part of our continuous integration (CI) processes.

When we started the discussion about which tools to use, our requirements were pretty straightforward; it needed to be fast, simple, and accurate. When we looked at Selenium and Mozmill the feedback we got from other teams is that although powerful, these frameworks were complex to configure properly, and had significant overhead to maintain as a project progresses. Since the focus was on testing web applications in a repeatable fashion, we identified a set of required functionality and David Burns from the very awesome Mozilla QA team put together the Garmr prototype and initial test cases.

Garmr has been public since its initial version, but the tool has now reached the point where we will start to leverage it in our testing and CI processes. The tool works by running a series of tests against target URLs and reporting back the results. The results are currently formatted as a JUnit style XML report that can be consumed by other tools such as Jenkins.

Garmr Test Cases

Garmr currently supports two types of test cases that can be authored, an Active Test and a Passive Test. ActiveTests are expected to make at least one HTTP request, and return the most relevant HTTP response after the check is completed.

Here is an example of an ActiveTest that makes a simple HTTP GET request:

class WebTouch(ActiveTest):
    run_passives = True
    description = "Make a GET request to the specified URL, and check for a 200 response after resolving redirects."
    def do_test(self, url):
        response = requests.get(url)
        if response.status_code == 200:
            result = self.result("Pass", "The request returned an HTTP 200 response.", None)
        else:
            result = self.result("Fail", "The response code was %s" % response.status_code, None)
        return (result, response)

The test case makes an HTTP Get request, and passes or fails dependent on the response code. This very basic check does serve a purpose; it grabs an HTTP response to run passive tests against. For an example of a more complex check, look at the StsUpgradeCheck implemented in the corechecks module.

PassiveTest instances receive a copy of an HTTP response and analyze it to determine if the test passes or fails. In most circumstances, Garmr will run all of the configured PassiveTests against the result of each ActiveTest. The goal of a passive test is to inspect each the response of a query for properties that are expected from a secure web application.

This is an example of a passive test that checks an HTTP response for the presence of X-Frame-Options headers:

class XFrameOptionsPresent(PassiveTest):
    description = "Check if X-Frame-Options header is present."
    def analyze(self, response):
        xfoheader = "X-Frame-Options"
        xfo = xfoheader in response.headers
        if xfo == False:
            result = self.result("Fail", "X-Frame-Options header not found.", None)
        else:
            result = self.result("Pass", "X-Frame-Options header present.", response.headers[xfoheader])
        return result

The goal is to allow developers to create test cases that are specific to their applications and gain the benefit of running pedantic checks for security related attributes such as cookies and headers each step of the way. Note that there is no practical limitation on what a passive check does, as long as the result object is returned properly.

Using Garmr

The current version of Garmr can be downloaded from the Github repository at https://github.com/ygjb/Garmr.

Getting, installing, and using Garmr is very easy:

git clone https://github.com/ygjb/Garmr.git
cd Garmr
sudo python setup.py install
garmr -u http://my.target.app

Limitations

Garmr is an alpha tool. The only part of it that we expect to remain stable at this point is the Xml Report format that it produces, since this is specified by the Jenkins tool chain that we are integrating with.

This tool is not intended to replace a typical dynamic or static analysis tool any more than the existence of Unit Tests replaces end to end functional testing, but it does provide a simple facility for QA, development, and security teams to collaborate on web application testing.

Currently the tool can be used to run a number of simple tests, and supports the ability to load modules; two examples of how a module would be written are included in djangochecks.py and webchecks.py

There is a list of features still to come:

less noisy CLI
proxy support (already supported in requests)
sessions (controlled; sequence for active tests, with a cookie jar that is propagated through the session)
detailed reporting, including the ability to record all HTTP requests and responses generated
the ability to filter which passive checks are run by check name or by check type (i.e. cookies, headers, content-type, etc)
support for additional protocols (websockets, spdy)
Implement instances of each test case for each target scanned to allow them to retain state as a set of tests progresses.

I am very excited to see how the tool will develop over the next few months as we have an intern who will be working to implement these and other features, so please test it out, give us feedback (patches and feature requests are welcome too!).

Researchers Find "Massive" Security Flaws in Cloud Architectures - CSO Online - Security and Risk

(author unknown) — Wed, 26 Oct 2011 17:26:08 -0400

Private Sector Data Breaches Up 58 Percent

(author unknown) — Wed, 26 Oct 2011 00:00:00 -0400

Awareness of obligations increases, but is it being translated into action?

Securing Mobile Data at the Application Layer

(author unknown) — Sun, 23 Oct 2011 20:32:11 -0400

Researchers find way to tighten control over mobile device data

George V. Hulme — Thu, 20 Oct 2011 00:00:00 -0400

The technology focuses on securing data and applications rather than the device.

Astyran: The OWASP AppSensor for the Faint of Heart

(author unknown) — Wed, 28 Sep 2011 16:12:42 -0400

Recently I experienced the same thing and was asked to give a short presentation about the OWASP AppSensor. Thanks to the Google and the Internet I managed to pull it off, but I promised myself to be better prepared next time.

So for everyone needing to give an introduction to the OWASP AppSensor, here is my one drawing and my three slides. Should be enough for an experienced consultant to go on for hours. I did.

Japan's biggest defence contractor hit by hackers

John Leyden — Mon, 19 Sep 2011 10:42:10 -0400

Submarine plant, missile factory among targets

Japan's biggest defence contractor, Mitsubishi Heavy Industries, has become the victim of a malware-based hack attack.…

Article Published: Creating Attack-Aware Software Applications with Real-Time Defenses

Michael Coates — Tue, 13 Sep 2011 10:30:00 -0400

CrossTalk, The Journal of Defense Software Engineering, has just published our article "Creating Attack-Aware Software Applications with Real-Time Defenses" in the September edition. A huge kudos to the entire team and especially Colin Watson for leading this effort.

Authors:

Colin Watson @clerkendweller
Michael Coates @_mwc
John Melton @carosec
Dennis Groves @degroves

Abstract. Attack-aware software applications provide attack detection and real-time defensive response with a very low false-positive rate. This technique allows an application to detect and neutralize a threat before the attacker exploits a known or unknown vulnerability. The approach is especially suited to soft-
ware applications with high information assurance requirements such as in the defense, critical national infrastructure, and financial service sectors to protect against cyber espionage, fraud, business logic abuse, tampering, and theft. The Open Web Application Security Project (OWASP) has developed a methodology, documentation, code and pilot demonstration which can be freely used to apply the concepts; this project is called AppSensor.

Full Article (pdf)

-Michael Coates - @_mwc

Hackers carry out website hijacks

(author unknown) — Mon, 05 Sep 2011 06:20:42 -0400

Turkish hackers managed to re-direct visitors away from high-profile sites, including Vodafone and the Daily Telegraph.

DigiNotar Removal Follow Up

Johnathan Nightingale — Fri, 02 Sep 2011 21:28:48 -0400

Earlier this week we revoked our trust in the DigiNotar certificate authority from all Mozilla software. This is not a temporary suspension, it is a complete removal from our trusted root program. Complete revocation of trust is a decision we treat with careful consideration, and employ as a last resort.

Three central issues informed our decision:

1) Failure to notify. DigiNotar detected and revoked some of the fraudulent certificates 6 weeks ago without notifying Mozilla. This is particularly troubling since some of the certificates were issued for our own addons.mozilla.org domain.

2) The scope of the breach remains unknown. While we were initially informed by Google that a fraudulent *.google.com certificate had been issued, DigiNotar eventually confirmed that more than 200 certificates had been issued against more than 20 different domains. We now know that the attackers also issued certificates from another of DigiNotar’s intermediate certificates without proper logging. It is therefore impossible for us to know how many fraudulent certificates exist, or which sites are targeted.

3) The attack is not theoretical. We have received multiple reports of these certificates being used in the wild.

Mozilla has a strong history of working with CAs to address shared technical challenges, as well as responding to and containing breaches when they do arise. In an incident earlier this year we worked with Comodo to block a set of mis-issued certificates that were detected, contained, and reported to us immediately. In DigiNotar’s case, by contrast, we have no confidence that the problem had been contained. Furthermore, their failure to notify leaves us deeply concerned about our ability to protect our users from future breaches.

Staat der Nederlanden Certificates

DigiNotar issues certificates as part of the Dutch government’s PKIoverheid (PKIgovernment) program. These certificates are issued from a different DigiNotar-controlled intermediate, and chain up to the Dutch government CA (Staat der Nederlanden). The Dutch government’s Computer Emergency Response Team (GovCERT) indicated that these certificates are issued independently of DigiNotar’s other processes and that, in their assessment, these had not been compromised. The Dutch government therefore requested that we exempt these certificates from the removal of trust, which we agreed to do in our initial security update early this week.

The Dutch government has since audited DigiNotar’s performance and rescinded this assessment. We are now removing the exemption for these certificates, meaning that all DigiNotar certificates will be untrusted by Mozilla products. We understand that other browser vendors are making similar changes. We’re also working with our Dutch localizers and the Bits of Freedom group in the Netherlands to contact individual site operators using affected certificates (based on the EFF’s SSL Observatory data).

The integrity of the SSL system cannot be maintained in secrecy. Incidents like this one demonstrate the need for active, immediate and comprehensive communication between CAs and software vendors to keep our collective users safe online.

Johnathan Nightingale
Director of Firefox Engineering

Most security pros don't think a breach will happen to them

(author unknown) — Wed, 31 Aug 2011 01:33:42 -0400

New findings from a Tenable Network Security study have uncovered an "It Won’t Happen to Me" mentality amongst security professionals. According to the study, more than 90 percent of attendees surv...

owasp-goatdroid - A fully functional training environment for ...

(author unknown) — Mon, 29 Aug 2011 00:09:55 -0400

The OWASP GoatDroid Project pays homage to the OWASP WebGoat Project. It is a fully functional and self-contained environment for learning more about ...
https://code.google.com/p/owasp-goatdroid/

Banks Blocking More Fraudulent Money Transfers From Hijacked Business Accounts - CSO Online - Security and Risk

(author unknown) — Fri, 26 Aug 2011 13:38:35 -0400

August 25, 2011 — Network World — Cybercriminals increasingly are targeting business bank accounts to set up fake money transfers. But the good news is, banks seem to be getting better at stopping some fraudulent transactions before stolen funds leave the institution.

How Carriers Hamstring Your Smart Phone - Technology Review

(author unknown) — Fri, 26 Aug 2011 13:29:14 -0400

"Middlebox" study reveals slow downloads, battery drains, and security flaws.

Coordinated ATM Heist Nets Thieves $13M

BrianKrebs — Fri, 26 Aug 2011 00:01:09 -0400

An international cybercrime gang stole $13 million from a Florida-based financial institution earlier this year, by executing a highly-coordinated heist in which thieves used ATMs around the globe to cash out stolen prepaid debit cards, KrebsOnSecurity has learned.

Jacksonville based Fidelity National Information Services Inc. (FIS) bills itself as the world’s largest processor of prepaid debit cards; FIS claims to process more than 775 million transactions annually. The company disclosed the breach in its first quarter earnings statement issued May 3, 2011. But details of the attack remained shrouded in secrecy as the FBI and forensic investigators probed one of the biggest and most complex banking heists of its kind.

FIS said it had incurred a loss of approximately $13 million related to unauthorized activities involving one client and 22 prepaid cards on its Sunrise, Fla. based eFunds Prepaid Solutions, formerly WildCard Systems Inc., which was acquired by FIS in 2007.

FIS stated: “The Company has identified that 7,170 prepaid accounts may have been at risk and that three individual cardholders’ non-public information may have been disclosed as a result of the unauthorized activities. FIS worked with the impacted clients to take appropriate action, including blocking and reissuing cards for the affected accounts. The Company has taken steps to further enhance security and continues to work with Federal law enforcement officials on this matter.” The disclosure was scarcely noted by news media.

KrebsOnSecurity recently discovered previously undisclosed details of the successful escapade. According to sources close to the investigation, cyber thieves broke into the FIS network and targeted the Sunrise platform’s “open-loop” prepaid debit cards. The balances on these prepaid cards aren’t stored on the cards themselves; rather, the card numbers correspond to records in a central database, where the balances are recorded. Some prepaid cards cannot be used once their balance has been exhausted, but the prepaid cards used in this attack can be replenished by adding funds. Prepaid cards usually limit the amounts that cardholders can withdraw from a cash machine within a 24 hour period.

Apparently, the crooks were able to drastically increase or eliminate the withdrawal limits for 22 prepaid cards that they had obtained. The fraudsters then cloned the prepaid cards, and distributed them to co-conspirators in several major cities across Europe, Russia and Ukraine.

Sources say the thieves waited until the close of business in the United States on Saturday, March 5, 2011, to launch their attack. Working into Sunday evening, conspirators in Greece, Russia, Spain, Sweden, Ukraine and the United Kingdom used the cloned cards to withdraw cash from dozens of ATMs. Armed with unauthorized access to FIS’s card platform, the crooks were able to reload the cards remotely when the cash withdrawals brought their balances close to zero.

It’s still not clear who was responsible for this attack on FIS. The company declined comment. The FBI would neither confirm nor deny that it is investigating. But the breach is eerily similar to an intricate 2008 attack against RBS WorldPay, an Atlanta-based unit of the Royal Bank of Scotland. In that heist, crooks obtained remote access to RBS’s systems and used 44 counterfeit prepaid cards to withdraw more than $9 million from at least 2,100 ATM terminals in 280 cities worldwide. The attack was so sophisticated and alarming that President Obama referred to it in a landmark cybersecurity speech.

Federal prosecutors alleged that the 2008 RBS theft was orchestrated by at least eight men from Estonia and Russia — the alleged ringleader was extradited to face charges in the United States.

Another key figure in that case was Viktor Pleschuk of St. Petersburg, Russia, who monitored the fraudulent ATM withdrawals remotely and in real-time using compromised systems within the payment card network. Pleschuk and Russian accomplice Eugene Anikin were arrested and charged in Russia. Prosecutors asked the court for five- and six-year sentences, but those requests were ignored. Pleschuk and Anikin agreed to plead guilty for their roles in the RBS heist in exchange for suspended sentences (probation, but no jail time).

Women's Information Security Scholarship Offered By (ISC)2 - CSO Online - Security and Risk

(author unknown) — Tue, 23 Aug 2011 13:20:57 -0400

August 18, 2011 — CSO — (ISC)2, the not-for-profit information security professional body, has launched its Foundation's new scholarship program for women.

The aim of the program is to encourage women from around the world, including the UK, to undertake study in information security and eventually pursue a career in the industry.

Android attacks now outpace all other mobile platforms, says McAfee

Robert Westervelt, News Director(editor@searchsecurity.com — Tue, 23 Aug 2011 10:39:40 -0400

McAfee says Googleâ€™s Android platform has become the most popular target for mobile malware developers, outpacing Java Micro Edition and Symbian.

SourceForge.net: Easier Security Code Reviews with Agnitio

(author unknown) — Sun, 21 Aug 2011 20:32:50 -0400

Easier Security Code Reviews with Agnitio

Posted on Friday, August 19th, 2011 by Elizabeth Naramore
Category: Community Showcase

These days, creating secure applications is of the utmost importance, and as crackers improve their skills, security is becoming more and more challenging. Developers who are responsible for this area are only as good as the tools available to them. If this is you, and you work on Windows, then you might want to have a look at Agnitio. This security review tool assists you in conducting manual security reviews, and provides code review metrics and reporting for static analysis.

Insulin pump attack prompts call for federal probe

Dan Goodin — Fri, 19 Aug 2011 16:23:30 -0400

Security of medical devices questioned

The hack of a commercially available insulin pump that diabetics can control wirelessly has attracted the attention of US lawmakers who oversee the safety of the nation's airwaves.…

AES crypto broken by 'groundbreaking' attack

Dan Goodin — Fri, 19 Aug 2011 01:00:03 -0400

Faster than simply brute-forcing

Updated Cryptographers have discovered a way to break the Advanced Encryption Standard used to protect everything from top-secret government documents to online banking transactions.…