Posts Tagged ‘Web Security’

Odd bugs and the case of an aging database

Sunday, August 29th, 2010

I was doing some troubleshooting recently trying to fix some issues reported in the Captcha of a registration system. The Captcha wasn’t always properly displaying and wouldn’t recognize valid code entries intermittently. After tracing some of the PHP to find just how the Captcha’s were being generated and managed, I found my way to the MySQL database and the table storing the values.

It took only a glance at the last and only row  to determine what the problem was – The primary key for the Captcha table was defined as an INT and had reached the value 65535. With the key unable to increment, any non-valid attempt (be it a bot or someone who couldn’t read the Captcha properly), would cause the system to lock up until the 1 in 100,000 chance that the same value was re-generated and someone correctly matched the code.  The failure resulting from this oversight was essentially a Denial of Service on the registration system.  To temporarily solve the issue, I did a simple reset of the primary key[1], which should buy a few years of development time to resolve the core issue.

This situation possesses an interesting design consideration when building long-running applications, even when you aren’t planning on storing a large amount of data for a long time. Tables that are frequently populated with new data should have measures in place to either handle recycling over-used values or should be built in a way that avoids these sort of conditions.  In the case of the Captcha above, the primary key was hardly used and could have been factored out entirely without the application running differently.

Looks like it’s time to get this database a subscription to AARP and some Depends….

References:

[1] Resetting a Primary Key

Tags: , , , , , , ,
Posted in Articles | No Comments »

psych0tik releases GoogleSharing proxy

Sunday, February 7th, 2010

A few weeks ago we released a post on staying anonymous online through the use of various configuration changes and Firefox add-ons. One of the Firefox add-ons mentioned was the GoogleSharing proxy add-on. This allows Firefox to reroute unauthenticated requests to Google services through a community proxy that hides your identity while you browse the internet. This add-on is still in beta, so we browsed the source and did a few tests with tcpdump to ensure that it was infact doing what it claimed to be.

GoogleSharing will reroute the following Google services (however, it can be configured not to reroute requests to specific services):

  • Maps
  • Groups
  • News
  • Video
  • Products
  • Images
  • Finance

This is a really neat concept for staying anonymous from Google. The proxy itself masks your IP address, cookies and other headers so that even while logged into other Google services, such as Gmail, searches are not linked to you. We validated this through the use of tcpdump [see figure 1 and 2(generated by Wireshark)] and you can also validate it based on the different appearance of Google web pages, including the link for “Sign Out” which reads “Sign In” with GoogleSharing enabled.

Figure 1 – GoogleSharing is disabled. We can see the lookup of google.com via DNS and then the request (with the search string) being sent to an IP address returned from the DNS request

Figure 2 – GoogleSharing is enabled (however, not using SSL.) We can see the lookup of the psych0tik development proxy, storm, and the following request to storm’s IP address with the Google search.

You can access the psych0tik GoogleSharing proxy by adding it to your proxy list.

Proxy Server: storm.psych0tik.net

Non-SSL Port: 8080

SSL Port: 8443

If you choose to use the proxy in SSL mode (highly recommended), you will need to do the following:

  1. Browse to https://storm.psych0tik.net:8443
  2. When prompted, add an exception for the SSL certificate
  3. Verify under GoogleSharing’s options for the psych0tik server that “use SSL” is enabled
  4. Enjoy!

If you have any questions or issues please contact a psych0tik staff member via our psych0tik IRC. We’ve established #googleshareproxy to provide general chat with regards to this service.

-psych0tik Staff

Tags: , , , , , , , , ,
Posted in psych0tik News | No Comments »

Anonymous browsing or being a web ninja

Friday, January 29th, 2010

These days it seems like everyone is looking at what you do online. Online advertisers make money from the ads placed on your site, but they also gather statistics about all your visitors for their own purposes. Search engines store information for a variety of reasons. Social networks contain more information on our past than most of us can probably remember.  With the rise in popularity of the internet and it’s change from a place for geeks, hackers, and nerds to a place for the whole family it seems that the idea of anonymity online has almost disappeared. The internet has gone from the dark back-row in a movie theater to the digital equivalent of Orwell’s 1984.

I’ve always been skeptical about the idea of an intertwined real and internet life. When I was growing up and chatting to the sounds of a modem, I remember being told not to post my name online, not to tell people what school I went to, or my birthday. What are the first few questions when you register for Facebook? Who can see those? Obviously Facebook is a bit different than someone you meet in a chatroom, but it is interesting to think how freely we give out information we used to keep more protected. The reason richo set up the first psych0tik IRC server was that we didn’t like having conversations monitored by the guys running the messenger services. proxyElite was born from a desire to have reliable access to web proxies and aide in anonymous access. But I digress.

There are aspects of this problem that I simply don’t want to address. Social networks, photo-sharing sites, and blogging all seem to be inevitable parts of daily life. These are however known leakages. You don’t post to your blog or update your Facebook status with the idea that it’s just for your records. This is an issue as end-users we can do little more than educate ourselves on. Look at the Privacy Policy of websites and check your settings for options to disallow other users from viewing your content.

Beyond all these information giants are the internet’s motion detectors. Silent scripts and hidden images along with tracking cookies follow your movement, constantly reporting back to their creator’s servers. A recent post by the EFF shows that even your browser’s headers can be used as a unique identifier the majority of the time. [They provide a page that shows the entropy lost by each field checked, see the references below.]

In such a complex environment as the internet it can be quite difficult to tackle a problem as large as this, but with a mixture of configuration changes, Firefox Add-ons, and using proxy solutions it is possible to add to the difficulty of tracking your online activities.

Reducing and eliminating tracking cookies is a great place to start.

Configuring Firefox to delete private data when you close it is a great way to effortlessly limit the duration a tracking cookie is present. Many antivirus solutions also have an option to search for tracking cookies and remove them. This provides an external method to clear these, independent of the browser.

I use a multitude of Firefox Add-ons to not only protect my browser from malicious content, but also to help eliminate as many of the tracking technologies as possible. NoScript and Ghostery help to block scripts that might secretly send information back. RequestPolicy is great for defending against embedded tracking images (as well as CSRF); however, it is a bit over-zealous. User-Agent switcher allows me to adjust the entropy of some of my headers to be more “standard.”

Finally, using web proxies, Tor, or services like GoogleSharing it’s possible to cloak yourself even further. These services work to either distribute your connection across other machines or to reroute it through another. The Firefox TorButton Add-on also helps to mask your headers to make your session less unique. GoogleSharing is unique in that it doesn’t proxy all requests. Rather, only requests made to non-authenticated Google services like Google’s search. The requests are routed through a GoogleSharing server (via a Firefox Add-on), normalized, and passed through. Other users using the same proxy would add to the terms and add more chaff to deter monitoring by Google.

The Frankenstein of security that is now my browser with these assorted Add-ons and changes isn’t exactly as fluid or functional as before. A lot of sites break until I sort out which Add-on has blocked which critical script. Proxies and Tor make requests run more slowly. The web is definitely a more complicated place, but isn’t the effort worth it? You wouldn’t casually walk down a dark alley filled with dangerous looking folk without some protection. All the family friendly, Web 2.0 sites and services make the internet look like a lovely place, but let’s not forget that the dark alleys exist and are often in between all the “safe havens” we travel to.

References:

EFF’s Panopticlick Research Project on Determining Browser Entropy

EFF Blog on User Tracking on the Modern Web Part2 Part3

GoogleSharing Firefox Add-on

Ghostery Firefox Add-on

Mozilla Support on Clearing Private Data

Tags: , , , , , , , ,
Posted in Articles | No Comments »

The password problem

Friday, November 27th, 2009

Odds are good if you’ve reached this blog, you have an account on at least one website somewhere on the wild wild web. This account could be on a web application ranging from something as critical as a finical institution or your primary email account to something as trivial as your account on some random blog. I’ve got far too many to even be able to number, falling everywhere in between those two lines, and have created my fair share of passwords. Normally, this is the point where the blogger starts ranting about “longer passwords” or “use a passPHRASE” or “use special characters.” This time however, I’m pointing the finger at the application designers.

Originally, this post was going to be little more than my frustration with not being able to use passwords that I desired, due to restrictive requirements on applications. After gathering some data, to have a soap box to stand on, I realized that some of these “requirements” actually go beyond the surface level annoyance and actually affect the security of your account directly. Some of these applications go as far as to actually prevent you from using a secure password or reveal other weaknesses in the application’s design. I’m sure this isn’t a new find by any means, but some of the “requirements” I’ve seen are pretty outrageous. The most startling bit is a good majority of the examples I’ll be using in this post have come from accounts falling into that “critical” category.

Before I go on and discuss the various “vulnerabilities”, I’d like to note that the list below is definitely not a comprehensive list of all web application password vulnerabilities. Rather, everything below was gathered from requirement messages listed at the time of creating the password and other things I noticed while creating the account. The purpose of this list is to explain each issue, on both a technical and non-technical level, as well as to provide recommendations for end users encountering each. Examples used here are gathered from live, current web applications to represent the current issue as well as to provide real world examples as teaching tools for detection.

Restrictive Length

This was probably the most prevalent poor password requirement I came across, which is odd to me as I’ve never seen any reason to restrict a user’s password other than to require a minimum length. Despite this, we see the following types of messages all across the web:

Password must be 6 to 8 characters in length

Please enter a password that has a maximum length of 12 characters

By reducing limiting the number of characters a password can contain the number of possible passwords, the keyspace, is also reduced. This means that a malicious user who is either brute forcing the application or has obtained a copy of the hash and is cracking it has to check a smaller number of passwords.

Other than simply restricting length through verbose and obnoxious warnings, some developers will simply truncate your password. In some situations, this truncation happened through an html attribute defining the maximum length of the password creation field as well as the login field. This double-combo actually makes things worse as it may be some time before you notice that your 23 character password is being cut-off at 12 characters.

Restrictive Character Set

I can almost build a case for these requirements. Almost. I’ve spoken with developers who have restricted characters allowed in your password by the same rules they disallow characters for SQL injection blocking or cross site scripting prevention. In other cases, I’ve seen character sets reduced by case-insensitivity.

Contain no spaces or special characters (eg <, &, >, *, $, @)

No spaces or invalid symbols

Contain 6 to 8 characters – at least one letter and one number (not case sensitive)

In these examples you can see developers trying to limit their attack surface by preventing any sort of attack on their application through the password field. Where this argument breaks down is, a proper application should be one-way hashing the passwords. When the password is hashed these special characters are eliminated and thus rendered safe.

In the third example, you can see that the keyspace is reduced even further by removing 26 characters, either the upper or lower case letters. At the same time they have reduced the keyspace characters to 36, they’ve also limited password length on both the upper and lower end.The combination of these two restrictions effectively reduces the keyspace from 218,340,105,584,896 (8 characters, upper/lower-case, numbers) to 2,821,049,441,280 (6-8 characters, case insensitive, numbers), just over 1% of the password possibilities.

Defending yourself

In many cases, when you come upon a web application as inherently insecure as the ones listed above it’s probably best to simply walk away and not bother with it, however; there are cases where you may need to create and use and account. It’s possible to mitigate some of the risks of restrictive passwords by paying attention and adjusting your password accordingly.

Probably the greatest risk of the issues outlined above is the possibility of your password being compromised by another user. As it’s impossible to create a stronger password than the application will allow, this reduces our options drastically. I suggest creating a couple passwords and then group accounts into “security levels” based on their requirements. By having multiple passwords and using them on web applications with varying levels of security, you can ensure that a compromise due to one of these poor password policies is limited to a password only used on other such sites.

Detection is important because without it you aren’t able to correctly classify the security level of the application’s password policies. Beyond simply looking at the requirements listed, a complex password designed to trigger applications with poor password management to fail can be used to test the application.

#th!$iSaG<><>|)’test–p@ssword”!*

The password above can be used to test applications. By including common SQL injection characters, cross site scripting characters, upper/lower case, numbers, commonly denied symbols and a length 33 characters of  you can test the whole array of restrictions. Beyond simply testing the restrictions, it actively tests the application for SQL injection potential. The ‘ and ” characters included in the password are designed to trigger SQL errors if they are not handled (either by hashing or SQL character stripping.) An application that throws an error on this password should actually be considered significantly less secure.

Tags: , , , , ,
Posted in SamuraiNet Archive | 1 Comment »

Gmail Vulnerability: All hype?

Wednesday, November 26th, 2008

As far as I know this has not been patched yet.

There is a very simple solution to monitoring this problem. Simply adding your own filter with an alternative email address. I just tested this and while the email is sent away from your inbox, it is sent to both addresses. This way you will atleast have a record, and if you check that address more regularly it will act as a notification system.

The exploit is not quite as glamorous as that article depicts either. It’s a Cross Site Request Forgery vulnerability introduced by an improperly implemented token key-pair. As the author mentions, the token should be changed at each request, rather than each session. As mentioned in the article, both the ‘Session Authorization Key’, the token, and the ‘Unique Account Identifier’, which I assume is something like the session key are required. Neither is trivial. The session key would require a vulnerability, such as Cross Site Scripting or Tracing vulnerability, to be accessed. The token must be read from the page that you are posting ‘from.’ Because of JavaScript’s sandbox, this cannot be done through the use of an iFrame or AJAX request. It must be done from the client’s localhost or the domain, in this case Google.

Obviously it is possible, since Google has responded to the threat and proof has been shown of domains being stolen, but nothing new has happened here. It is simply a clever implementation of a few common tricks.


http://geekcondition.com/2008/11/23/gmail-security-flaw-proof-of-concept/

http://googleonlinesecurity.blogspot.com/2008/11/gmail-security-and-recent-phishing.html

Tags: , , , , ,
Posted in SamuraiNet Archive | No Comments »

Cookies, Cookies, and Cookies

Sunday, June 8th, 2008

[April, 2010]Update:

Mozilla removed this functionality from Firefox in version 2 and will not be reviving it. I’m going to leave the text below, as it does describe P3P, but any mention of Firefox should be considered as an example. For more information about Mozilla’s decision to remove P3P functionality from FireFox, please see the Bug Report.

————-

That’s cookies times three… or perhaps Third party cookies. Not the world’s greatest pun, but all the same a decent intro. In this posting I will explain third party cookies and why they are bad as well as provide a method to deal with these pesky cookies without destroying your “website experience.

What are cookies and what are “third party” cookies?

Cookies are small bits of information stored on your computer. Web-sites place tracking information in these cookies to remember who you are, if you’ve logged in, in the case of shopping carts, what you’ve purchased, and all sorts of other useful information. Most of this information is not publicly accessible, even with physical access to the machine because the information is stored server-side; however, the Session ID or other information is stored within the cookie. (This is what allows “session hijacking” with XSS.)

Cookies come in all shapes and forms: first party cookies, third party cookies, session cookies, etc. A first party cookie is issued by the site you are visiting and is only accessible by that website. For example, when you visit my blog, samurainet.org issues you a cookie to keep track of if you’ve logged in and for the “unique visit” counter. Only samurainet.org can access this cookie and it’s information and thus makes it a first party cookie.

A third party cookie can be issued by any web-site and subsequently can be accessed by any web-site. The main purpose of these are for tracking users and advertising. These cookies are not important to the operation of web-site, unlike first party cookies that may be carrying your Session ID.

Managing cookies with FireFox.

Firefox provides settings for cookie management. You will find these settings in Firefox’s advanced configuration. There are three settings that I will discuss here, network.cookie.cookiebehavior, network.cookie.p3plevel, and network.cookie.p3p. Each contains values that can be modified to affect the overall behavior of Firefox when dealing with cookies.

Network.cookie.cookiebehavior – This controls how the browser allows cookies. ( values: 0 – allow all, 1 – allow first party only, 2 – disallow all, 3 – allow cookies based on the P3P policy)

Network.cookie.p3plevel – This specifies the P3P acceptance policy when Network.cookie.cookiebehavior is set to 3. (values: 0 – Low[afafaaaa], 1 – Medium[ffffaaaa], 2 – High[frfradaa], 3 – Custom)

Network.cookie.p3p - This specifies the custom P3P policy. The policy specifies 8 positions with 4 separate values that I will explain below.

Selecting the policy for you.

The P3P (Platform for Privacy Preferences, a W3C project) policy dictates the handling of both first and third party cookies from sites of various levels of trust. The trust is based on what the web-site claims to be doing with your information and cookie information. As a personal rule, I distrust even reputable web-sites and prefer to keep cookies for as short a time period as possible.

P3P gives four possible values ( A – accept, D – downgrade to a session cookie, F – flag, and R – reject) for cookie management as well as 8 various scenarios for the cookie to fall under. The P3P cookie “byte” is structured as followed. (Taken from the Mozillazine.org web-site)

  1. First party cookies from sites with no privacy policy
  2. Third party cookies from sites with no privacy policy
  3. First party cookies from sites that collect personal information without permission
  4. Third party cookies from sites that collect personal information without permission
  5. First party cookies from sites that collect personal information only with permission
  6. Third party cookies from sites that collect personal information only with permission
  7. First party cookies from sites that don’t collect personal information
  8. Third party cookies from sites that don’t collect personal information

Firefox has built-in cookie management that ranges from blank policies (in the cookiebehavior) for accepting all, rejecting all, or accepting only first-party cookies as well as pre-built P3P policies of Low (accept all and flag suspicious third party), Medium (flag all suspicious first and third party, and accept the rest), and High ( flag suspicious first party, reject suspicious third party, accept all others and downgrade third party that collect personal information.) [I have used suspicious to refer to positions 1-4 since the site either claims no privacy policy or is collecting information without permission.]

That sure is a lot to process, but are those policies good? That really depends on if they suit your needs. My policy is a custom policy, meaning I have set cookiebehavior’s value to 3 as well as p3plevel’s value to 3 (custom). I have then specified the following p3p value: DRDRDRDR. Very simply I downgrade all first party cookies (meaning they will be deleted when I close Firefox) and I reject all third party cookies, regardless of where they came from. This provides me blanket protection against third party cookies, since I don’t care about advertising and I don’t want to be tracked. Also, it provides me the ability to still use all web-sites normally, but stops them from tracking me beyond one session (at least by using cookies.)

References:

http://kb.mozillazine.org/Network.cookie.cookieBehavior

http://kb.mozillazine.org/Network.cookie.p3p

http://forums.mozillazine.org/viewtopic.php?p=2576901

http://kb.mozillazine.org/Network.cookie.p3plevel

http://www.clicktracks.com/insidetrack/articles/first_v_third_cookies.php

http://www.w3.org/P3P/

Tags: , , , , , , ,
Posted in SamuraiNet Archive | 3 Comments »