Breaking Web Browsers - Nice method for getting passwords and other user details (by Jeremiah Grossman)

Jeremiah Grossman, Breaking Web Browsers from AppSec USA 2010 on Vimeo.

AES 256 Encryption & Decryption using C# - The short way

More organizations today understand that sensitive information should be stored encrypted in their repositories (Examples: user passwords, credit cards, SSN etc). Also there are regulations and security standards such as the PCI:DSS which requires the encryption of credit card numbers.
Thus, developers in such organizations encounter the issues of encryption frequently and are required to find appropriate solutions. There are a lot of ways to encrypt/decrypt information by using buld-in .NET libraries for encryption.
I decided to present you here the shortest way that i found for doing that.

The following code is an example of the short way to encrypt/decrypt data using AES algorithm.
Please notice that in this example i stored the encryption key in the code, but of course in the real life the key should be stored in a secure repository with appropriate ACL privileges.

using System;
using System.Collections.Generic;
using System.Text;
using System.IO;
using System.Security.Cryptography;

namespace aes3
{
    class aes3
    {
        static void Main(string[] args)
        {

           RijndaelManaged  AesEncryption = new RijndaelManaged();
           string plainStr = "AES me"; // The text that would be encrypted
           AesEncryption.KeySize = 256; // 192, 256
           AesEncryption.BlockSize = 128;
           AesEncryption.Mode = CipherMode.CBC;
           AesEncryption.Padding = PaddingMode.PKCS7;

           // The key should be generated prior and also should be stored in secure repository
            // with appropriate ACL priviledges.
           string keyStr = "cGFzc3dvcmQAAAAAAAAAAA==";
           string ivStr = "cGFzc3dvcmQAAAAAAAAAAA==";
           byte[] ivArr = Convert.FromBase64String(keyStr);
           byte[] keyArr = Convert.FromBase64String(ivStr);
           AesEncryption.IV = ivArr;  
           AesEncryption.Key = keyArr;
    
           // This array will contain the plain text in bytes
           byte[] plainText = ASCIIEncoding.UTF8.GetBytes(plainStr);

           // Creates Symmetric encryption and decryption objects   
           ICryptoTransform crypto = AesEncryption.CreateEncryptor();
           ICryptoTransform decrypto = AesEncryption.CreateDecryptor();
           // The result of the encrypion and decryption
           byte[] cipherText = crypto.TransformFinalBlock(plainText, 0, plainText.Length);
           byte[] decryptedText =  decrypto.TransformFinalBlock(cipherText,0,cipherText.Length);

            Console.Write("The plain text\"{0}\" in the encrypted format is:{1} \n",plainStr,Convert.ToBase64String(cipherText));
            Console.Write("The encrypted text \"{0}\" is decrypted to: {1}",Convert.ToBase64String(cipherText), ASCIIEncoding.UTF8.GetString(decryptedText));
            Console.Read();
        }
    }
}

Avoiding SQL Injection attacks in stored procedures that must be dynamic

No doubt that stored procedures which use dynamic construction of queries by string concatenation technique are vulnerable to SQL injection attacks. In order to prevent the attack, stored procedures should not use such technique and the sql statements should be written as a part of the T-SQL syntax with sql parameters.

However, under certain circumstances the use of dynamic construction is not avoidable.For example in Microsoft SQL Server you cannot write a T-SQL stored procedure which contains parameters such as table or a column name. In this case you must interpolate it into the SQL string using the string concatenation technique.

So what is the solution for this issue?

Very simple, actually there are two ways to do it as follows:
1. Using the quotename() function which was added in sql 7. The function takes two parameters: the first is a string, and the second is a pair of delimiters to wrap the string in. The default for the second parameter is []. Thus, quotename('table_name') returns [table_name]. quotename() takes care of nested delimiters, so if table name like table]_name, quotename() will return [table]]_name]
The following example demonstrates how treat the table_name in order to avoid the SQL Injection attack:

 
ALTER PROCEDURE [DBO].[EmptyTables]
(
@table_name NVARCHAR(30)
)
AS DECLARE @sql NVARCHAR(100)
BEGIN
IF CHARINDEX (']',@table_name,1 ) > 0
                        BEGIN
                                SET @error1='Error'
                                RAISERROR( @error1 ,11,1 );       
                        END
                SET @sql='TRUNCATE TABLE ' + quotename(@table_name)
                EXEC sp_executesql @sql
END

2. Using the [] characters in order to indicate that the table or the column name is an object. In such case if the attacker injects the following query in the table_name paramater as follows: sometable';drop table users --, the database will raise the following error :Cannot find the object "';drop table users --'" because it does not exist or you do not have permissions.
The following example demonstrates how treat the table_name in order to avoid the SQL Injection attack:

 
ALTER PROCEDURE [DBO].[EmptyTables]
(
@table_name NVARCHAR(30)
)
AS DECLARE @sql NVARCHAR(100)
BEGIN
IF CHARINDEX (']',@table_name,1 ) > 0
                        BEGIN
                                SET @error1='Error'
                                RAISERROR( @error1 ,11,1 );       
                        END
                SET @sql='TRUNCATE TABLE [' + @table_name + ']'
                EXEC sp_executesql @sql
END

Tabnabbing - an example

The example:

Improper Authentication Mechanism in 3Com Wireless8760 Dual Radio 11a/b/g Poe Access Point

Recently i found the following vulnerability in the 3Com Wireless8760 web administration interface: If one user is authenticated to the web interface, other users can access to internal pages without further authentication. That means that one opened session is enough between the user and web administration , and other users can also access to the web administration interface.

Malicious user can wait until ones logins to the interface and then he can access and administer 3Com Wireless8760 Access Point without further authentication. Among different operations the malicious user can cause to Denial of Service (Dos) attack to the entire network by changing the configuration such as IP addresses.

Man infects himself with computer virus

University of Reading researcher Mark Gasson has become the first human known to be infected by a computer virus. The virus, infecting a chip implanted in Gasson's hand, passed into a laboratory computer. From there, the infection could have spread into other computer chips found in building access cards. Read More...

Fiddler GZIP Issue

Recenly, I found that the GZIP zip/unzip feature in fiddler does not work properly. There are applications which are based on HTTP protocol and also zip HTTP Requests and Responses with GZIP format. So I decided to write some script using Fiddler Script Editor for converting and extracting Requests that are in GZIP format. Here is the code, copy this to the CustomRules.js file (Rules---->Customize Rules)

public static ContextAction("GZIP Request")
       function GZIPRequest(oSessions:Session[]){
              Utilities.WriteArrayToFile("c:\\fidreq.txt",Utilities.GzipCompress(oSessions[oSessions.Length-1].requestBodyBytes));
              oSessions[oSessions.Length-1].LoadRequestBodyFromFile("c:\\fidreq.txt");
              }  
       public static ContextAction("UNGZIP Request")
       function UNGZIPRequest(oSessions:Session[]){
              var oBody = System.Text.Encoding.UTF8.GetString(Utilities.GzipExpand(oSessions[oSessions.Length-1].requestBodyBytes));
              oSessions[oSessions.Length-1].utilSetRequestBody(oBody);
       }
public static ContextAction("GZIP Response")
       function GZIPResponse(oSessions:Session[]){
       
              Utilities.WriteArrayToFile("c:\\fidres.txt",Utilities.GzipCompress(oSessions[oSessions.Length-1].responseBodyBytes));
              oSessions[oSessions.Length-1].LoadResponseFromFile("c:\\fidres.txt");
       }
public static ContextAction("UNGZIP Response")
       function UNGZIPResponse(oSessions:Session[]){  
              var oBody = System.Text.Encoding.UTF8.GetString(Utilities.GzipExpand(oSessions[oSessions.Length-1].responseBodyBytes));
              oSessions[oSessions.Length-1].utilSetResponseBody(oBody);
              oSessions[oSessions.Length-1].RefreshUI();
       }

After copying this code, and saving it in the CustomRules.js files, select one of the HTTP Requests which are in GZIP format, right click and... here it is...you will have 4 options: GZIP Request, GZIP Response, UNGZIP Response, UNGZIP Request Have fun ;-)

ATM Clickjacking

Fraudsters can install another keypad by covering the original existing ATM keypad. The 'new' keypad contains a memory block which can store PAN (credit card number) and PIN code while the customer tries to get money out of the ATM.

In such way, fraudsters can obtain credit card numbers and PIN codes and succeed in their frauds.

Why i called that as ATM clickjacking? Because it is very similar to webpage clickjacking definition. The user thinks that he clicks on legitimate link or button while actually he clicks on hidden functionality which performs unintended malicious operations.

OWASP TOP 10 - 2010 Released

The primary aim of the OWASP Top 10 is to educate developers, designers, architects, and organizations about the consequences of the most common web application security vulnerabilities. The Top 10 provides basic methods to protect against these vulnerabilities – a great start to your secure coding security program.

Ten most popular application security flaws