Application Security This Week for February 16

From the Absolute AppSec Podcast, I learned about a really great article on how account enumeration is exploited.  I get pushback when I put it on reports, but it's a real vulnerability.

https://sidechannel.tempestsi.com/once-upon-a-time-there-was-an-account-enumeration-4cf8ca7cd6c1
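The usual fix on the application side is to make a failed login look the same whether or not the username exists. The following is an added example, not code from the linked article or this blog; the user store and the password hashing parameters are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed in-memory user store for the example: username -> (salt, PBKDF2 hash).
USERS = {}
ITERATIONS = 100_000
GENERIC_FAILURE = "Invalid username or password."


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def register(username: str, password: str) -> None:
    salt = os.urandom(16)
    USERS[username] = (salt, hash_password(password, salt))


# A throwaway credential hashed once at import time. It exists only so that an
# unknown username costs the same PBKDF2 work as a known one.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = hash_password("not-a-real-password", _DUMMY_SALT)


def login_leaky(username: str, password: str):
    """The enumerable version: the response text tells the caller whether the
    username exists, and an unknown user also returns faster (no hashing)."""
    if username not in USERS:
        return False, "No such user"
    salt, stored = USERS[username]
    if hmac.compare_digest(hash_password(password, salt), stored):
        return True, "OK"
    return False, "Wrong password"


def login_uniform(username: str, password: str):
    """The hardened version: one generic message for every failure, and the
    password is always hashed, so known and unknown users look the same from
    outside (message, status code, and roughly the response time)."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    candidate = hash_password(password, salt)
    # The membership check stops a guess of the dummy password from
    # "succeeding" for an account that does not exist.
    ok = hmac.compare_digest(candidate, stored) and username in USERS
    return ok, ("OK" if ok else GENERIC_FAILURE)


if __name__ == "__main__":
    register("alice", "correct horse battery staple")
    print(login_leaky("nobody", "x"), login_leaky("alice", "x"))      # different messages
    print(login_uniform("nobody", "x"), login_uniform("alice", "x"))  # identical messages
```

The same idea applies to the registration and password-reset paths, which leak the same information through "that e-mail is already registered" responses; the login handler is just the easiest place to show it.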

Chrome is going to start blocking mixed content downloads, meaning files served over HTTP from links on HTTPS pages.  Search your codebase for http:// links!

https://blog.chromium.org/2020/02/protecting-users-from-insecure.html?m=1
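A quick way to do that search is a small script that flags `http://` in `href`, `src` and `action` attributes while ignoring namespace identifiers such as `xmlns`, which are never fetched. This is an added example, not from the Chromium post; the sample markup and the list of file extensions are constructed for it.

```python
import os
import re

# Matches http:// URLs in attributes the browser will actually fetch or submit to.
# xmlns="http://www.w3.org/..." is an identifier, not a download, so it is not matched.
INSECURE_REF = re.compile(
    r"""\b(?:href|src|action)\s*=\s*["']?(http://[^"'\s>]+)""",
    re.IGNORECASE,
)


def find_insecure_references(text: str):
    """Return (line_number, url) for every http:// href/src/action in `text`."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in INSECURE_REF.finditer(line):
            hits.append((lineno, m.group(1)))
    return hits


def scan_tree(root: str, extensions=(".html", ".htm", ".cshtml", ".js", ".jsx", ".ts", ".tsx", ".md")):
    """Walk a source tree and collect (path, line, url) for every hit."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Constructed skip list: vendored and build output are not our code.
        dirnames[:] = [d for d in dirnames if d not in ("node_modules", ".git", "bin", "obj")]
        for name in filenames:
            if not name.lower().endswith(extensions):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, url in find_insecure_references(fh.read()):
                        findings.append((path, lineno, url))
            except OSError:
                continue
    return findings


# Constructed sample page for the stand-alone run.
SAMPLE = """<a href="https://example.com/report.pdf">fine: https download</a>
<a href="http://example.com/report.pdf">mixed content download</a>
<script src='http://cdn.example.net/app.js'></script>
<svg xmlns="http://www.w3.org/2000/svg"></svg>
<form action=http://example.com/submit>"""

if __name__ == "__main__":
    for lineno, url in find_insecure_references(SAMPLE):
        print(f"sample line {lineno}: {url}")
    for path, lineno, url in scan_tree("."):
        print(f"{path}:{lineno}: {url}")
```

The pattern only covers markup attributes; `url(http://...)` in CSS and URL strings built in JavaScript need their own patterns, and links stored in a database will not show up in a source scan at all.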

America isn't the only country leaving their data exposed.

https://www.zdnet.com/article/netanyahus-party-exposes-data-on-over-6-4-million-israelis/

Exposing secrets in source code is a real thing.  I discovered a very cool tool that helps (if you are working in VS Code, which you should be) called Cloak.

https://johnpapa.net/hide-your-secrets-in-vs-code-with-cloak/

Finally, I have mixed feelings about this one.  Firefox will stop supporting TLS 1.0 and 1.1 soon and other browsers will surely follow.  I get it, there are flaws in those protocols, but they are better than nothing.  This feels a lot like gatekeeping to me (older machines run older browsers), and regular readers know that I am not saying that out of political correctness. Lemme know what you think in the comments.

https://www.theregister.co.uk/2020/02/10/tls_10_11_firefox_complete_eradication/

That's the news, folks.  Stay safe.

Application Security This Week for February 9

Christian Pedersen wrote a cool scanner for the Netscaler Gateway flaw, and is hosting it on Azure. 

https://cve-2019-19781.azurewebsites.net/

It is based on the TrustedSec PoC.

https://github.com/trustedsec/cve-2019-19781

Wacom tablets call the mothership every time you load up an application. The writeup has a fantastic breakdown on how to use available tools to find this shittery.

https://robertheaton.com/2020/02/05/wacom-drawing-tablets-track-name-of-every-application-you-open/

The Twitter API was exploitable by a direct object reference flaw that exposed phone numbers of users.

https://www.theregister.co.uk/2020/02/04/twitter_phone_numbers/

An ancient bug in Sudo (well, by software standards anyway) allowed nonprivileged users to, well, do what superusers do.

https://thehackernews.com/2020/02/sudo-linux-vulnerability.html

That's the news, folks.  Keep it frosty.

Application Security This Week for February 2nd

Simon Bennetts reminds me that OWASP ZAP also has a shiny new web presence, and an upgraded executable to go with it.

https://twitter.com/psiinon/status/1221482927768395778

https://www.zaproxy.org/docs/desktop/releases/2.9.0/

Good research on abusing Windows DLL misconfigurations.

https://www.fireeye.com/blog/threat-research/2020/01/abusing-dll-misconfigurations.html

More Azure problems - a good old-fashioned buffer overflow in the Stack.

https://thehackernews.com/2020/01/microsoft-azure-vulnerabilities.html?m=1

That's the news.  Stay safe out there.

Application Security This Week for January 26

You know that open S3 buckets are one of my pet peeves - well guess what.  Azure isn't any better.

https://www.zdnet.com/article/microsoft-discloses-security-breach-of-customer-support-database/

OWASP has launched their new web page based on GitHub. Controversial decision.  Starting to take shape, though.

https://owasp.org/

https://owasp.org/website/2020/01/15/website-migration-journey.html

Credential stuffing is rapidly becoming the appsec story of 2020. Check your users' passwords against the most common passwords list.

https://www.wired.com/story/disney-plus-hacks-credential-stuffing/

https://github.com/filtration/pullit

https://haveibeenpwned.com/Passwords
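The Pwned Passwords service linked above supports a k-anonymity lookup: only the first five hex characters of the password's SHA-1 are sent, and the server returns every matching suffix with its count. The following is an added example of that check, not code from HIBP or this blog; the offline range response is constructed (the suffix for "password" is real, the counts and filler entries are made up), and the live fetcher is included only for reference.

```python
import hashlib
import urllib.request


def sha1_split(password: str):
    """SHA-1 the password (the hash the service is keyed on) and split it into
    the 5-hex-char prefix that is sent and the suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; padding entries with a
    count of 0 are dropped."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue
        suffix, count = line.split(":", 1)
        count = int(count)
        if count > 0:
            counts[suffix.upper()] = count
    return counts


def pwned_count(password: str, fetch_range) -> int:
    """How many times `password` appears in the corpus. `fetch_range(prefix)`
    returns the response body for a prefix, so the lookup can be offline or live."""
    prefix, suffix = sha1_split(password)
    return parse_range(fetch_range(prefix) or "").get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Live lookup against the range API (not used by the offline run).
    The service requires a User-Agent; Add-Padding hides the true response size."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "password-policy-check", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the range response for prefix 5BAA6, the prefix of
# SHA-1("password"). Only the second suffix is real; counts and filler are made up.
_REAL_SUFFIX = "1E4C9B93F3F0682250B6CF8331B7EE68FD8"
OFFLINE_RANGES = {
    "5BAA6": "\n".join([
        "0" * 34 + "A" + ":3",        # constructed filler entry
        _REAL_SUFFIX + ":3861493",    # real suffix, constructed count
        "0" * 34 + "B" + ":0",        # constructed padding entry
    ]),
}


def check_policy(password: str, fetch_range=OFFLINE_RANGES.get) -> bool:
    """Policy: reject any password seen at least once in the breach corpus."""
    return pwned_count(password, fetch_range) == 0


if __name__ == "__main__":
    for pw in ("password", "a long unique passphrase nobody else typed 7x"):
        print(pw, "->", "rejected" if not check_policy(pw) else "accepted")
```

A count of zero from the offline table only means the prefix was not in the constructed data; with the live fetcher it means the password is not in the corpus, which is a reasonable bar for a registration or password-change check but says nothing about the password's strength otherwise.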

That's the news, folks.

Application Security This Week for January 19

Good Twitter thread on JavaScript-based redirection and cross-site scripting.

https://twitter.com/hakluke/status/1216524131421655041

I use Burp Suite for a lot of my testing (though I do love ZAP as well).  Here is their roadmap for the next year or so.

https://portswigger.net/blog/burp-suite-roadmap-for-2020

You have probably heard that Microsoft's CryptoAPI has a bug.  The US Government has a good writeup.

https://www.us-cert.gov/ncas/alerts/aa20-014a

Speaking of governments, the UK cybercommand has a really great article on security antipatterns.

https://www.ncsc.gov.uk/whitepaper/security-architecture-anti-patterns

And finally: SHA-1 is now provably broken.  Time to move on from it as a session identifier.

https://eprint.iacr.org/2020/014.pdf

That's the news, folks.

Winner's writeup for CodeMash CTF 2020

Austin Schertz won the CodeMash CTF this year, and he dropped off his answers to all 19 challenges.  Here they are:

Access Control

We got the password dump (400)

This challenge provided a set of passwords. I recognized that they were hashes and used an online tool to look up the hash values and put them in the correct format (cm20-XXXX-XXXX-XXXX in this case).

Binary Analysis

Need more coffee!!! (100)

The file had no extension, so I used an online file checker to identify it as a Java .class file. From there, I renamed the file with the proper extension and ran it from the command line.

Need even MOAR coffee!!!!! (300)

This one was a bit more confusing. Renaming it (first to .class and then to cm.class) and running it produced a cryptic error about a missing class. Decompiling revealed some very obfuscated Java code. Ultimately, someone suggested that I run the file and look more closely at the errors. The error suggested that I needed to create another class that would be referenced by the original file. After creating a separate class, I was then informed by the errors that an interface was expected. I changed it to an interface, and found that I needed to add an annotation, and then that the annotation needed to be a runtime annotation. Running it this way produced the flag.

One Time at Band Camp (300)

This one provided an American Pie audio file. I googled ways to hide text in an audio file, and I came across a few articles about audio steganography that referenced using Sonic Visualiser and applying a spectrogram. I did that and found the flag around the 6 minute mark. It looked a little off, but I substituted cm20 for what looked like cy20, and it worked just fine.

I C What You Did There (400)

I got some help on this one from an older and wiser friend of mine. I had tried several ways to look at the audio file, but he listened to the file and immediately recognized it as the sound of a Commodore 64 file. Once I knew it was a C64 file, I downloaded a converter to go from WAV to TAP. I ran the TAP file in an online C64 emulator.

Binary Deserialization

The button doesn't do what you want (300)

I was super overthinking this one. I tried all kinds of JSON stuff to no avail. In the “thislooksinteresting” element, I decoded the value from Base64 and saw <GiveMeFlag>. I tried lots of complicated things, but the ticket was changing the “n” to a “y”. I did it by looking up the Base64 value for “n” and replacing it with the Base64 value for “y” in Chrome dev tools. After that, it was as easy as pushing the button.

Encoding

All your base are belong to us! (100)

The string was Base64. Decoding it produces the flag.

These soundex exactly the same! (100)

I used the government Soundex page to understand what Soundex was. All three of the statements in the hint have the same Soundex translation. Appending cm20 and putting dashes in the right locations produced the flag.

All your base are belong to us - level 2 (300)

The string was Base64. Decoding it produced what appeared to be a PNG file. I copied it to a blank file and opened the image. There was the flag.

All your base are belong to us - level 3 (500)

This one was Base64, but with a twist. A close look revealed the word “fish” at the end of the file. Removing that allowed for Base64 decoding, but the result was still Base64, and there was another instance of “fish” at the end. I wrote some C# to remove fish and decode from Base64 in a loop. Doing this 42 times produced the flag.

Encryption

Where's the bacon? (100)

This one was a Bacon cipher. I used a tool called dCode to reveal the flag.

What is missing? (200)

I recognized another Bacon cipher hiding in the bold and italics tags. I manually copied the tags in order to Notepad, and fed the result to dCode to produce the flag.

Incident Response

Ghost In The Keys (400)

I opened the file in Wireshark, and saw the leftover transfer data. I looked at some articles about how to recognize keyboard data in Wireshark, and how to set up custom columns. When I had gotten the data that I wanted, I dumped the results to Excel and manipulated them, converting the leftover data to keystrokes, noting that the 02’s are shifts and the other data was keypresses. Ultimately this created a PowerShell execution with a reference to a web page in it. Accessing the web page produced the flag.

Mobile

Why did you do this to us, iOS? (200)

I looked up how to open the file, and found that I could rename it and unzip it. After I unzipped it, I found a flag element in the plist file. It was a bunch of numbers, and I manually translated those numbers to other characters. This produced the flag.

On Site Challenges

You're gonna need a broom (1000)

The reference to the scytale was apt. I found a strip of paper attached to the wall in the game room, and a broom up against the wall. I wrapped the paper around the broom, and read off the numbers. I recognized the hex code (no letters from late in the alphabet). Plugging it into a hex converter, I found that the section I read off was only “cm20”. So I went back over, got the broom and read off the other sides of it, and converted the hex to get the rest of the flag.

Social Engineering

Slack Challenge (100)

Searching for cm20 in the capture the flag Slack channel produced the flag.

THE BADGE CHALLENGE (300)

I did this the hard way... I was not sure that I could get someone to loan me their badge to tinker with, so I went and got the source from Bill’s GitHub, and found a file that contained an array that would eventually become a bitmap. So I grabbed the array, manipulated it, loaded it into Excel, and used conditional formatting to make a QR code in a spreadsheet. Scanning it with my phone produced the flag.

Web Security

Leprechaun Rally (200)

This one was clever. I attempted to speed up the calling process to get more coins, but I got throttled. At that point I understood the hint. You need to BECOME the leprechaun with the most coins. So I set my efforts to obtaining a fraudulent session. I realized that after clicking the “stay logged in” button, there was another cookie added to all the requests. It was URL encoded and Base64 encoded, but ultimately it was just “[Username]_ThisIsBadSalt”.  I created a new cookie value for the user Lucky_McPlucky, and edited my cookie in Chrome dev tools. This allowed me to become the luckiest leprechaun and retrieve the flag.

Philosopher's Stone (300)

I spent a decent amount of time looking at the page source for this one before getting a tip that I needed to look closely at the image. I messed with the image in LunaPic, and found a message in the bottom right corner of the image. Entering that led to another cryptic message. I thought it might be Base64, but discovered eventually that it was chess notation. After significant manipulation of the string, I entered it into lichess.org. This loaded the match, but I am no good at chess. It took running it as an AI to realize that white’s next move was a checkmate. I spent a while trying permutations of that move in chess notation in the solution bar. I found one that worked! But then I found another challenge was waiting for me. It looked like a flag, but it wasn’t. I looked at the page source and found a bunch of hidden whitespace characters in the middle of the flag string. Removing them didn’t work, so I thought maybe the whitespace was the flag? I pulled out the whitespace pattern and realized that it was Morse code. The decoded Morse was added to cm20{XXXXXX} to get the flag.
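The nested-Base64 loop from the "All your base are belong to us - level 3" solve above, as an added Python example that is not Austin's C# and does not reproduce the challenge file: `peel` strips the trailing marker and decodes until the marker is gone or the payload stops being valid Base64, and `wrap` just manufactures a constructed input of the same shape so the script runs stand-alone. The placeholder flag is made up.

```python
import base64
import binascii


def peel(data: bytes, marker: bytes = b"fish", max_rounds: int = 10_000):
    """Repeatedly strip `marker` from the end of `data` and Base64-decode what
    is left, until the marker is gone or decoding fails.
    Returns (final_bytes, rounds_decoded)."""
    rounds = 0
    while rounds < max_rounds and data.endswith(marker):
        try:
            # validate=True rejects stray characters instead of silently skipping them.
            data = base64.b64decode(data[:-len(marker)], validate=True)
        except (binascii.Error, ValueError):
            break  # not Base64 any more: the innermost layer has been reached
        rounds += 1
    return data, rounds


def wrap(plain: bytes, marker: bytes = b"fish", rounds: int = 42) -> bytes:
    """Build a payload of the same shape as the challenge (constructed input only)."""
    data = plain
    for _ in range(rounds):
        data = base64.b64encode(data) + marker
    return data


if __name__ == "__main__":
    sample = wrap(b"cm20-XXXX-XXXX-XXXX")  # constructed placeholder, 42 layers
    flag, n = peel(sample)
    print(f"{n} layers removed -> {flag!r}")
```

If the real file had line breaks inside the Base64 text, `validate=True` would stop the loop early; pass `validate=False` (the default) in that case and rely on the marker check alone. The `max_rounds` cap keeps a malformed or malicious input from looping forever.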

Application Security This Week for January 12

Post-CodeMash edition!

The Government of Gibraltar had a SQL Injection vulnerability in the site that hosts their laws.  That wouldn't end well.

https://www.theregister.co.uk/2020/01/07/gibraltar_sql_vuln_allowed_law_editing/

There is an actual practical attack against SHA-1 that now has a working PoC.  If you are still using SHA-1 for session tokens, you might want to consider something else.

https://www.schneier.com/blog/archives/2020/01/new_sha-1_attac.html

Half of WASM code is used to write malware.  I'm not completely sure, but I think I called this one.

https://www.zdnet.com/google-amp/article/half-of-the-websites-using-webassembly-use-it-for-malicious-purposes/

Huge big ginormous remote code execution flaw in Citrix.  TrustedSec has a good writeup.

https://www.trustedsec.com/blog/critical-exposure-in-citrix-adc-netscaler-unauthenticated-remote-code-execution/

That's the news, folks.  Stay safe.

Application Security This Week for January 5

Pre-CodeMash Edition!

Adam Caudill is a personal friend of mine and has forgotten more about application security than I will learn. He manages a cool web scanner called YAWAST, which is awesome. There is news about future plans.

https://adamcaudill.com/2020/01/05/yawast-news-mission/

Good writeup on iOS application injection.

https://arjunbrar.com/post/ios-application-injection

OWASP Juice Shop has been added to the Open Reference Architecture for Security.

https://security-and-privacy-reference-architecture.readthedocs.io/en/latest/securitycourses.html#owasp-juice-shop

SANS Holiday Hack CTF is up.  I forgot about it earlier.

https://isc.sans.edu/diary/rss/25672

News from CodeMash next issue!

Application Security This Week for December 29

It's the holiday edition!  No, I'm kidding, it's the same stuff as usual.  Sorry.

Apparently there is a chat app that is literally spyware developed by a nation state.  This isn't a political blog, but the technical implications are deep. Here's a good writeup.

https://objective-see.com/blog/blog_0x52.html

I'm all about supply chain issues, and this is a really good analysis of risks involved with package managers like npm.

https://snyk.io/blog/why-npm-lockfiles-can-be-a-security-blindspot-for-injecting-malicious-modules/
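One check worth running in CI for the lockfile risk the article describes: every entry in `package-lock.json` should resolve to an HTTPS URL on the registry you expect and carry a strong integrity hash, since an edited lockfile can quietly point a dependency somewhere else. This is an added example, not code from Snyk or this blog; the lockfile below is constructed, the package names are invented, and the hashes are placeholders.

```python
import json
from urllib.parse import urlparse

ALLOWED_HOSTS = ("registry.npmjs.org",)


def _walk_v1(deps):
    """lockfileVersion 1 nests dependencies under each entry."""
    for name, meta in deps.items():
        yield name, meta
        yield from _walk_v1(meta.get("dependencies", {}))


def iter_entries(lock: dict):
    """Yield (package_name, metadata) for every dependency, handling
    lockfileVersion 2/3 ('packages', flat paths) and version 1 ('dependencies')."""
    if "packages" in lock:
        for path, meta in lock["packages"].items():
            if path == "" or meta.get("link"):
                continue  # the project itself, or a workspace symlink
            yield path.rsplit("node_modules/", 1)[-1], meta
    else:
        yield from _walk_v1(lock.get("dependencies", {}))


def audit_lockfile(lock: dict, allowed_hosts=ALLOWED_HOSTS):
    """Return (package, reason) findings for entries that could pull code from
    somewhere unexpected or that cannot be integrity-checked on install."""
    findings = []
    for name, meta in iter_entries(lock):
        resolved = meta.get("resolved")
        integrity = meta.get("integrity")
        if not resolved:
            findings.append((name, "no resolved URL"))
        else:
            url = urlparse(resolved)
            if url.scheme != "https":
                findings.append((name, f"non-https source: {resolved}"))
            elif url.hostname not in allowed_hosts:
                findings.append((name, f"unexpected host: {url.hostname}"))
        if not integrity:
            findings.append((name, "no integrity hash"))
        elif not integrity.startswith(("sha512-", "sha256-")):
            findings.append((name, f"weak integrity algorithm: {integrity.split('-', 1)[0]}"))
    return findings


# Constructed lockfile (lockfileVersion 3); names and hashes are placeholders.
SAMPLE_LOCK = json.loads("""
{
  "name": "demo-app",
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/good-lib": {
      "version": "2.1.0",
      "resolved": "https://registry.npmjs.org/good-lib/-/good-lib-2.1.0.tgz",
      "integrity": "sha512-PLACEHOLDER=="
    },
    "node_modules/plain-http-lib": {
      "version": "1.0.0",
      "resolved": "http://registry.npmjs.org/plain-http-lib/-/plain-http-lib-1.0.0.tgz",
      "integrity": "sha512-PLACEHOLDER=="
    },
    "node_modules/mirror-lib": {
      "version": "0.3.0",
      "resolved": "https://npm.mirror.example.test/mirror-lib/-/mirror-lib-0.3.0.tgz",
      "integrity": "sha512-PLACEHOLDER=="
    },
    "node_modules/no-integrity-lib": {
      "version": "4.0.0",
      "resolved": "https://registry.npmjs.org/no-integrity-lib/-/no-integrity-lib-4.0.0.tgz"
    },
    "node_modules/good-lib/node_modules/weak-hash-lib": {
      "version": "1.2.3",
      "resolved": "https://registry.npmjs.org/weak-hash-lib/-/weak-hash-lib-1.2.3.tgz",
      "integrity": "sha1-PLACEHOLDER="
    }
  }
}
""")

if __name__ == "__main__":
    for pkg, reason in audit_lockfile(SAMPLE_LOCK):
        print(f"{pkg}: {reason}")
```

Run it against the committed lockfile with `json.load(open("package-lock.json"))` and fail the build on any finding; if you use a private registry, add its hostname to `allowed_hosts` rather than disabling the host check.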

Someone reverse engineered an RSA token, and is using it to bypass two-factor authentication in the wild.

https://www.schneier.com/blog/archives/2019/12/chinese_hackers_1.html

That's the news folks.  See you next decade.

Application Security This Week for December 22

Hope everyone has a good holiday.

You probably heard that the Russian offices of nginx were raided by the government.  F5 is doing a code review.

https://www.msn.com/en-us/news/technology/f5-networks-secures-ngnix-software-builds-as-precaution-after-visit-from-russian-law-enforcement/ar-BBY357u?ocid=ARWLCHR

Solid research on privilege escalation in Amazon Web Services.  Very real problem.

https://know.bishopfox.com/research/privilege-escalation-in-aws

Do you want to bone up on real world appsec skills over the week?  I recommend the PortSwigger Web Academy.

https://portswigger.net/web-security

That's the news.

Bill Sempf

Husband. Father. Pentester. Secure software composer. Brewer. Lockpicker. Ninja. Insurrectionist. Lumberjack. All words that have been used to describe me recently. I help people write more secure software.
