Dinis Cruz Blog

I guess it is official now :Microsoft: UAC not a security feature  (http://www.computerpartner.nl/article.php?news=int&id=4742)

I had some friends in Seattle that had told me that ‘UAC is NOT a security feature!!!!!!’ b, ut until now most Microsoft’s writings still talked up UAC’s security capabilities

Here is Mark’s Post: http://blogs.technet.com/markrussinovich/archive/2007/02/12/638372.aspx

And from Mark’s Comment “Vista makes tradeoffs between security and convenience, and both UAC and Protected Mode IE have design choices that required paths to be opened in the IL wall for application compatibility and ease of use.  ” what  I like to know is what paths are these? (or will Microsoft wait for public disclosure before documenting them?

other interresting posts:

• http://en.wikipedia.org/wiki/Security_and_safety_features_new_to_Windows_Vista#User_Account_Control
• http://www2.csoonline.com/blog_view.html?CID=28516
• http://windowsvistablog.com/blogs/windowsvista/archive/2007/01/23/security-features-vs-convenience.aspx

Here is my response to http://myappsecurity.blogspot.com/2007/01/xss-filter-to-protect-from-xss-attacks.html

This is a good but dangerous effort, the problem is in this example is that Anurag is applying a blackList filter and is only protecting against one case of xss.

Here is the original code code:

String html = request.getParameter(”html”);
out.println(”Here is the filtered output of the html you submitted.”);
out.println(filterRequest(html));

And if I change it to:

String html = “<a href=’” + filterRequest(request.getParameter(”url”)) + “‘>XSS link</a>”;
out.println(”Here is the filtered output of the html you submitted.”);
out.println(html);

which is another example of using user input to create a link

the filter can be easily bypassed.

1) normal request: http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=nextServlet

2) already a type of XSS since this type of redirection should not be allowed: http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=http://www.google.com

3) and here is an XSS 101 payload: http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=nextPage’ onmouseover=’Javascript:alert(document.cookie)

4) or if you want to make sure the user cannot escape: http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=http://www.google.com’ onmouseover=’Javascript:alert(document.cookie)” style=’display:block;position:absolute;left:0;right:0;width:100%25;height:100%25 (thx pdp)

5) note that in example 4) above I could had used ” in the payload since your filter will convert ” to ‘ : http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=nextPage” onmouseover=”Javascript:alert(document.cookie)

6) of course that in this case you could always just do: http://127.0.0.1:8080/servlets-examples/servlet/XSSFilter?url=javascript:alert(document.cookie)

7) and even if you added ‘ to the filter (which might be a problem since in some case you will need to accept it), it wouldn’t cover for this case: String html = “<a href=” + filterRequest(request.getParameter(”url”)) + “>XSS link</a>”;

and lets not forget the XSS caused by double encoding or double decoding in the code

I hope this shows how hard it is to properly mitigate against XSS and that in most cases white listing is the only safe option (and even in those cases XSS might occur).

Another solution that is very rarely talked is to by default encode EVERYthing sent to out.println and force the developers to use strong-typed html classes to create HTML tags.

In the above example your would change

String html = “<a href=’” + filterRequest(request.getParameter(”url”)) + “‘>XSS link</a>”;
out.println(html);
for

safeHtmlBuilder.a html = safeHtmlBuilder.a(request.getParameter(”html”), “XSS link”)
safeHtml.out(html);

Assuming of course that safeHtmlBuilder.a(…) was built properly

Even better than encoding out.println would be to block the developer from invoking out.println directly (which could be enforced via (’Shock Horror!!!’) the Java security manager (or in Partial Trust in .Net)).

We would have a nice solution for XSS (and this is a good example of what I was talking about a while back on using Sandboxes to create environments where these types of vulnerabilities are very hard to exists)

Read the rest of this entry »

Here is a bunch of interresting stuff (for future reference)

• Web Application Security Professionals Survey (Dec. 2006)
• .NET Framework 2.0 Security Hole
• Feature Article: A Security Hole in ClickOnce Deployment
• Backdooring MP3 Files
• Inside CRT: Debug Heap Management
• Transcript of Richard Stallman at the 5th international GPLv3 conference; 21st November 2006
• AxMan ActiveX Fuzzer
• Fuzzing browsers for fun
• 5 challenges of web application scanning
• Challenges faced by automated web application security assessment tools
• Adding Self-healing capabilities to the Common Language Runtime and Manipulating Managed Execution Runtimes to Support SelfHealing Systems
• Packet Capture and Analyzer
• http://passivemode.net/
• Are You an Evangelist Too?
• Multiple CRLF Injection / HTTP Response Splitting Vulnerabilities In Google AdWords
• Electronic Commerce: Who Carries the Risk of Fraud?
• Deploying Microsoft .NET Framework Version 3.0 and Assessing the Business Need Behind .NET Framework 3.0
• Managed CodeGen and DebuggerVisualizer for DynamicMethod (Show me the IL) and Debugging Dynamically Generated Code (Reflection.Emit) and DebuggableAttribute and dynamic assemblies and Using Lightweight CodeGen from Partial Trust and RestrictedMemberAccess
• MS Security VP Mike Nash Replies
• Windows Native Debugging Internals

Jeremiah Javascript website login checker

http://jeremiahgrossman.blogspot.com/2006/12/i-know-if-youre-logged-in-anywhere.html

It’s working!!!!

Dinis Cruz