Archive for the ‘Ei kategoriaa’ Category


Security is an important part of modern systems. But as testers we usually think only about application security. Unfortunately, the reality is that the easiest way to intrude into a system is to cheat people. This is a story about me and Santa Claus.

This year I won’t be without Christmas presents! Actually, I managed to find out how to change the present allocation to 10% of Santa’s budget. It started with an e-mail I got. I investigated its headers, and there was the domain santa-claus-intelligence-agency.com. (I’ll call the agency SCIA.) It got me really excited! So I started to dig around.

The first thing I found was their beta site. Its address was public-beta.santa-claus-intelligence-agency.com. Some debugging options were still on, so the web application revealed the structure of the file system. The most interesting path was ../snippets/handlefiles.php. I started to investigate what it contained. It seemed that the developers at SCIA had poor knowledge of version control: there was a backup file, handlefiles.php~. I read it, and it mentioned a browser-accessible directory called ../uploads/. That directory was misconfigured and I got the directory listing. I decided to check every file in it. The most interesting file was birthdays.xls.

I opened birthdays.xls. It was a real treasure! It listed all SCIA elves, their birthdays and their e-mail addresses. I was much wiser about their internal structure after that. I tried to google more information about them, but I found only a couple of blogs (one about fishing, another about snow sports) and a couple of LinkedIn accounts. The birthday of the “fisher elf” was on the 8th of June. I found the file in May.

As the 8th of June approached, I bought the domain fishing-stuff.com and set up a shopping site. Then on the 7th of June I sent mail to the fisher elf. I wrote:

Congratulations! Your birthday is near, and we at Fishing-Stuff.com want to give you a present. You’ll get a 40% discount on all items you order this week.

The hook was set! That very same day it happened: someone from secret-nat.santa-claus-intelligence-agency.com logged in. Now I had some additional information about their network.

First I decided to check the names of the IPs they had. I found webmail and proxy. So I pointed my browser at the webmail first, and I realised that their mail application was vulnerable to an open redirect! That means that if I manage to get a user to click a specific link, he can end up at ANY website I want him to end up at. I continued investigating. I read the LinkedIn profiles carefully. From them I managed to find the code names of their projects.

The Lady of Chaos had given me imagination. So I started to think how to get someone to click my malicious link and submit his e-mail credentials to me. The first step was to create a “login page” which looked exactly like the one they used for their webmail. The only difference was that it stored the username and password to a file I was able to read, and then went back to their original e-mail application.

The mail was:

Hi, higher official elf Jack Elvish. Our new project XyzEdfg requires your input. Could you please check our site https://webmail.santa-claus-intelligence-agency.com/index.php?redirect=http://10.128.34.53/index.php.

I used the e-mail address of Jone Lesselvish, which was Jone.Lesselvish@santa-claus-intelligence-agency.com. His LinkedIn profile mentioned XyzEdfg, so I thought it would be safe to use. The e-mail protocol is an insecure protocol, where you can use any name you want. It does not ask for passwords. It just trusts what it gets.

I had to wait only a few hours to get the username and password of Jack Elvish. The next step was easy: I just logged into his e-mail and read what kind of systems they had. The most interesting was the “accounting” system. It was part of the internal network. To intrude there I had to find some way to access their internal networks. The next step was to find an error in the firewalls or another insecure application. I decided to take the risk and investigate the computer named proxy. Port 8090 had an open HTTP proxy. It was also able to access the internal network.

At this point I decided that it was too risky to attack it right away. I waited until the end of September. If they had noticed me before, they couldn’t connect my new attempts to my older attacks. At the end of September I finally logged in to Jack Elvish’s e-mail. The password was still working! Then I tried to log in to the accounting system. It asked for an e-mail address, so I used Jack’s address and tried the same password as for the e-mail. Oh well. It didn’t work. I used the “I forgot the password” functionality. Just the password, and the answer to the question “What’s the month of your birthday?”, and Jack had a new password, which I also knew right away.

I had full access to the accounting system. There were all kinds of secrets! SCIA had done a wonderful job of tracking people. Even the NSA couldn’t do the same. Now I know all YOUR secrets! I was able to tune everything. After my modifications I had cured cancer and AIDS and brought peace between Palestine and Israel. In the end my present allocation was 10%!

Insecurity is not just application security. It is more or less a human aspect. Misconfigured servers, small security issues, fooling people with different techniques, and insecure protocols: together they made this task so simple. No matter what kind of testing we do and where we are working, we should always ask: “Can someone misuse this? Can he break the confidentiality, integrity or availability of the system?” If the answer is “Yes” for any part, then there is a problem and the risks should be estimated. If the service has a public interface, overestimate the risks rather than underestimate them.

This was originally written for Qentinel’s internal newsletter.


This blog entry starts my test-data-related blog series. I will post a new one every now and then. If you have questions or comments, please let me know. I like to learn and I like to give new ideas. So disagree with me freely.

Throughout the series I’m using a single example application: discussion forum software (like SMF or phpBB). Its key features are registration, logging in and out, different kinds of user rights, posting public and private messages, reading them and searching.

One key feature of manual testing is the human aspect. A human submits the data, a human checks the results. All test data should take that into account. We have a limited ability to notice small differences.

A common bias I’ve seen in manual testing is the use of repetitive patterns. If the date format is ddmmyy, even a tester quite often uses a date like 010101 or 111111. They are simple and quick to type and always valid. But as test data they miss many possible error cases. What if the age calculation swaps day and month? Data like that won’t reveal it. Much better is something which makes missing the mistake impossible. It could be, for example, 230142. No number is repeated, so if something fails, it is immediately noticed.
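As an added example (not part of the original post), here is the day/month-swap argument made executable: a model of the swapping bug, a validity check for ddmmyy strings, and a small generator for test dates whose swap is not even a valid date. The century used for validation and the search order of the generator are assumptions made for the example.

```python
# Added example (not from the original post): checks and a generator for
# ddmmyy test dates of the kind described above. swap_day_month() models a
# system under test that mistakenly reads the field as mmddyy.
from datetime import date


def swap_day_month(ddmmyy):
    """Return the string a day/month-swapping bug would produce."""
    return ddmmyy[2:4] + ddmmyy[0:2] + ddmmyy[4:6]


def is_valid_ddmmyy(ddmmyy, century=1900):
    """True if the six digits form a real calendar date (year = century + yy).
    The century is an assumption for the example."""
    if len(ddmmyy) != 6 or not ddmmyy.isdigit():
        return False
    day, month, year = int(ddmmyy[:2]), int(ddmmyy[2:4]), int(ddmmyy[4:])
    try:
        date(century + year, month, day)
    except ValueError:
        return False
    return True


def swap_is_detectable(ddmmyy):
    """Repetitive data such as 010101 survives a day/month swap unchanged, so
    the bug stays hidden; 230142 turns into 012342, which differs visibly."""
    return swap_day_month(ddmmyy) != ddmmyy


def swap_breaks_parsing(ddmmyy):
    """Stronger property: the swapped value is not a valid date at all, so the
    system under test cannot silently accept it (requires day > 12)."""
    return not is_valid_ddmmyy(swap_day_month(ddmmyy))


def loud_test_dates(limit=10):
    """Generate valid ddmmyy dates whose day, month and year fields all differ
    and whose day/month swap is an invalid date. Search order (days above 12
    first) is a choice made for this example."""
    found = []
    for day in range(13, 32):
        for month in range(1, 13):
            for year in range(0, 100):
                s = f"{day:02d}{month:02d}{year:02d}"
                fields = {s[:2], s[2:4], s[4:]}
                if len(fields) == 3 and is_valid_ddmmyy(s) and swap_breaks_parsing(s):
                    found.append(s)
                    if len(found) >= limit:
                        return found
    return found


if __name__ == "__main__":
    for sample in ("010101", "111111", "230142"):
        print(sample, "detectable:", swap_is_detectable(sample),
              "breaks parsing:", swap_breaks_parsing(sample))
    print("loud test dates:", loud_test_dates(5))
```

The two repetitive dates from the text pass through the swap unchanged, so a test using them can never fail on this bug; 230142 both changes and stops being a date.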

The forum also requires text data. When testing messages, the test needs plenty of text. Usually testers and developers use lorem ipsum as test data. But that practice should be avoided. There are multiple failure points. You can’t read the text, so you most likely won’t notice if characters are swapped for some others. Wrapping of the lines should also be done correctly, which is difficult to see with lorem ipsum. All other content-related errors are also masked behind the nonsense. If I need plenty of text, I usually take it from Project Gutenberg.

Many organizations are still doing scripted manual testing. There you have to decide whether the test data is part of the test case or not. When it is not, it gives the tester the possibility to use different kinds of inputs, but some of them might be weak, and reproducing the situation suffers. If it is, then the same data is used over and over again, and in the end we can say that it works at least with the given data, but we are not sure about other data.

In my opinion you should consider what the important inputs are, and specify those. If it is possible to say “this kind of data” instead of “exactly this data”, use “this kind”. It still gives more variation in inputs than an exact input, but is still able to test what is wanted. “Not so important” configuration data should be specified so that it is easy to take into use. I’ve been on a project where configuring the test environment took almost a whole day. In that case all configurations should be specified so that I could find them right away and, in the best case, also take them into use right away.

Thanks to @HelenaJ_M for the question about reusing data versus creating it from scratch every time.


When I see a number input, I have several patterns which I like to test. Here are a few of them:

  • 08, 0100 – the reason behind this is that a text-to-integer conversion might interpret them as octal numbers. In that case 08 is an illegal value, which can result in strange things.
  • 8-1 – the reason behind this is that sometimes the SQL query calculates it.
  • 0xa – in that case the text-to-integer conversion might translate the number as hex.
  • 1e3 and 1e-3 – these might be interpreted as 1*10^3 and 1*10^-3 (=1000 and 0.001).
  • 2147483646, 2147483647, 2147483648 – these are around the maximum int in many cases.
  • -2147483647, -2147483648, -2147483649 – these are around the minimum int in many cases.
  • 4294967294, 4294967295, 4294967296 – these are around the maximum unsigned integer.
  • Some huge number which is far beyond the previous numbers.

Let’s go into a bit more detail and some real-life situations for some of these.

In one C++ project the logic was the following:

int x = read_input();                          // X comes from the user
if (x + 2 < FIXED_NUMBER)                      // x + 2 overflows when x is within 2 of INT_MAX
    for (int i = 0; i <= x; i++) { /* ... */ } // loop from 0 to x

So if we input anything below 2147483646 we get correct functionality. But if we insert 2147483646, the result of x+2 is suddenly -2147483648 and we enter the loop. This is far from the expected result, and in the worst case it even opens a security issue. That system didn’t crash. It just stalled for 15 minutes, which blocked some batch processing.

Then another issue is 8-1. I usually test that in web applications where I expect the number to be an index. If the result is the same for 7 and 8-1, there is most likely an SQL injection security issue. In the code there is a query like SELECT * FROM table WHERE id=$input$. If it calculates 8-1, then it can also parse any other query. That can be e.g. 8+or+1=1, which might cause some really exciting results. Or it can even be a query which dumps out the user database.
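The “same result for 7 and 8-1” check above can be reproduced offline. The following is an added example, not code from the original post: a constructed in-memory SQLite table queried once in the concatenated shape quoted above (the vulnerable form) and once with a bound parameter, with the tester’s heuristic written as a function. Table name, rows and function names are invented for the demo.

```python
# Added example (not from the original post): the "does 8-1 return the same
# row as 7" probe run against a constructed in-memory SQLite table, once with
# the value pasted into the SQL text and once with a bound parameter.
import sqlite3


def make_forum_db():
    """Constructed sample data: ten forum posts with ids 1..10."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?)",
                     [(i, f"post {i}") for i in range(1, 11)])
    return conn


def titles_by_id_concat(conn, user_input):
    """Vulnerable: the raw input becomes part of the SQL text, so '8-1' is
    evaluated by the database as arithmetic and selects id 7."""
    sql = "SELECT title FROM posts WHERE id=" + user_input
    return [row[0] for row in conn.execute(sql)]


def titles_by_id_bound(conn, user_input):
    """Hardened: the input is bound as a value. SQLite converts the text '7'
    to an integer for the comparison with the INTEGER column, but '8-1' is not
    numeric, so it matches nothing and is never executed as SQL."""
    sql = "SELECT title FROM posts WHERE id=?"
    return [row[0] for row in conn.execute(sql, (user_input,))]


def probe_indicates_injection(lookup, conn):
    """The tester's heuristic from the post: if '8-1' and '7' return the same
    non-empty result, the input reached the query as SQL rather than as data."""
    via_arithmetic = lookup(conn, "8-1")
    return bool(via_arithmetic) and via_arithmetic == lookup(conn, "7")


if __name__ == "__main__":
    db = make_forum_db()
    for name, fn in (("concatenated", titles_by_id_concat),
                     ("bound", titles_by_id_bound)):
        print(f"{name:>12}: 7 -> {fn(db, '7')}, 8-1 -> {fn(db, '8-1')}, "
              f"injection suspected: {probe_indicates_injection(fn, db)}")
```

The bound version is the fix: the value never becomes SQL text, so the arithmetic probe (and anything more elaborate) is compared as data and simply finds no row.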

08 is interesting. I’ve seen it only in a build number and as a compile-time error. But give it a shot. You never know what kind of number parser is in the engine room. It can lead to strange errors, or some other fancy effect which the user might dislike. In that case try also 0100, because if it is parsed as octal, the result is 64, and that is clearly wrong. 0xa is the same kind of thing. If the parser parses it as 10, then you will be in trouble if users don’t know that 0x is the prefix for a hex number. 0x100 is not the same as 100; it is 256.

1e3 is an exciting thing. I’ve met that kind of input parsed wrongly once. The system was going through a document and catching all URLs. For some reason, if a URL contained that kind of string, it was parsed as a number and converted to normal format. E.g. that would have become 1000.
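As an added example covering the probe list above, the C++ guard, and the 08/0100/0xa/1e3 paragraphs (this is not code from the original post), the block below runs the probes through three parsers: a small imitation of C’s strtol(s, &end, 0) written for the example, Python’s own int()/float(), and a strict 32-bit parser that accepts only plain decimals. It also replays the “x + 2 < limit” guard with 32-bit wrap-around simulated in Python, next to a version that checks headroom first. The limit value 1000 and all function names are assumptions for the example.

```python
# Added example (not from the original post): the number-input probes from the
# post run through a strtol-style lenient parser, Python's converters, and a
# strict 32-bit parser; plus the C++ "x + 2 < limit" guard replayed with
# simulated 32-bit wrap-around.
INT32_MAX = 2**31 - 1
INT32_MIN = -2**31

# the probe strings from the post
PROBES = ["08", "0100", "0xa", "8-1", "1e3", "1e-3",
          "2147483646", "2147483647", "2147483648", "4294967296"]


def c_style_parse(s):
    """Imitates strtol(s, &end, 0): '0x' means hex, a leading '0' means octal,
    and parsing stops silently at the first unusable character. Returns
    (value, characters_consumed); consuming fewer characters than len(s) means
    the rest of the input was ignored, not rejected. (No overflow clamping.)"""
    i, neg = 0, False
    if s[:1] in ("+", "-"):
        neg, i = s[0] == "-", 1
    if s[i:i + 2].lower() == "0x":
        base, i = 16, i + 2
    elif s[i:i + 1] == "0":
        base = 8
    else:
        base = 10
    digits = "0123456789abcdef"[:base]
    value, start = 0, i
    while i < len(s) and s[i].lower() in digits:
        value = value * base + int(s[i], 16)
        i += 1
    if i == start:                       # no digits at all
        return 0, 0
    return (-value if neg else value), i


def python_interpretations(s):
    """What int(), int(s, 0) and float() make of s; None where they reject it."""
    result = {}
    for name, conv in (("int", int), ("int_base0", lambda v: int(v, 0)), ("float", float)):
        try:
            result[name] = conv(s)
        except ValueError:
            result[name] = None
    return result


def parse_int32_strict(s):
    """Accept only an optional sign plus ASCII decimal digits that fit in a
    signed 32-bit int; return None otherwise. Leading zeros are decimal here,
    so '08' is 8 and '0100' is 100, never octal."""
    if not isinstance(s, str):
        return None
    body = s[1:] if s[:1] in ("+", "-") else s
    if not body or any(ch not in "0123456789" for ch in body):
        return None
    value = int(s)
    return value if INT32_MIN <= value <= INT32_MAX else None


def wrap32(n):
    """Reduce n to the value a two's-complement 32-bit int would hold."""
    return ((n + 2**31) % 2**32) - 2**31


def guard_as_written(x, limit):
    """The post's guard, x + 2 < limit, with the addition wrapping at 32 bits.
    For x = 2147483646 the sum wraps to -2147483648 and the guard passes."""
    return wrap32(x + 2) < limit


def guard_fixed(x, limit):
    """Check the headroom first so the addition can never wrap."""
    return x <= INT32_MAX - 2 and x + 2 < limit


def probe_report():
    """One row per probe: strtol-style value, Python's view, strict verdict."""
    return {p: {"c_style": c_style_parse(p), "python": python_interpretations(p),
                "strict": parse_int32_strict(p)} for p in PROBES}


if __name__ == "__main__":
    for probe, row in probe_report().items():
        print(f"{probe:>11}: {row}")
    print("guard as written, x=2147483646:", guard_as_written(2147483646, 1000))
    print("guard fixed,      x=2147483646:", guard_fixed(2147483646, 1000))
```

The report makes the post’s point visible in one table: the lenient parser turns 0100 into 64, 0xa into 10 and silently stops after the first character of 08, 8-1 and 1e3; float() happily makes 1e3 into 1000.0; the strict parser rejects every probe that is not a plain decimal and every value outside 32-bit range, which is the behaviour a web input should have before the value reaches a query or an arithmetic guard.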

Of course I also try normal border cases, equivalence classes, some random text etc. But these are the cases outside them. Do you have some specific patterns which you try? And why do you try them? Leave me a comment.

Google is your friend

Posted: 28.7.2011 in Ei kategoriaa

Every now and then (actually more often than just every now and then) I run into a word about which I have no idea. That can be e.g. “threat modeling”, “virtual user”, “xpath” and so on. I have to find out quickly what is behind it and whether I really should know it. I have multiple options for how to proceed.

  • Ask on a forum like this one
  • Ask on IRC
  • Ask on Twitter
  • Ask on Google+
  • Do a search on Google


If I use the first four options, I have several assumptions. The first is that someone else knows about the subject. Secondly, I’m expecting that “somebody” to be online and to have some free time. While waiting for those conditions to become true I’m still clueless about the topic. And usually I have to get at least basic information about it quickly. I don’t want to waste my time and my client’s money waiting. And even if I get an answer, I can never be sure that it is the correct answer. The one who answers might be as clueless as I am, but he doesn’t realize that. So it is a lose-lose situation. I might get wrong information. Or it’s possible that I won’t get any information at all, not even wrong information. My work is blocked until I get the information. And someone else must waste his time explaining the basics to me.

I’ve found that Google is a much better option. If I type the keywords into the search field and add the word “tutorial”, I usually get some basic information about the subject I need. I might also get good references for further reading. This Monday I really had to find information about threat modeling quickly. First there was the Wikipedia article, then an article on the OWASP site. Those gave me a good overview of the subject. But it wasn’t enough. The third link was to a Microsoft site, and there they advertised a book about threat modeling. Great! That’s what I needed. There was a direct link to the O’Reilly site and the possibility to buy the eBook. I bought the eBook, downloaded it, uploaded it to my eBook reader, and now I’ve read more detailed information about threat modeling. I didn’t have to wait for days (or even hours). I got a quick overview and after that I knew what I had to know more about.

Summary: Google doesn’t force you to wait. Usually you find at least the basics of the subject you’re looking for. If after that you have questions (e.g. how to implement threat modeling in your environment), then a forum is a good place to open a discussion about it. It won’t give you step-by-step instructions, but it can give you some ideas on how others have used the same tool in their projects.


Yesterday something went wrong. Below is a screenshot pointing out the problem. Read the rest of the article to find out more details.

The screenshots showed a very common mistake: redirection. It’s a very good tool for phishing attacks. If the attacker has any possibility to send e-mail to a registered user, he is able to attack that user. For example, how many would have noticed the redirection bug if they got this e-mail message:

From: root@trusted-mail.net

Subject: E-mail validation

Please validate that your e-mail address is still valid by logging in to Trusted Mail. We are not requesting any passwords by e-mail and, as you can see from the link below, it points to Trusted-mail.net. Always make sure that the address bar has the correct address.

So please, log in with this validation link:

https://trusted-mail.net/horde/imp/login.php?url=%68%74%74%70%73%3A%2F%2F%65%76%69%6C%68%61%78%6F%72%2E%63%6F%6D%2F%68%61%78%2F%74%72%75%73%74%65%64%2D%6D%61%69%6C%2F

Sincerely,

Mail admin of Trusted-Mail.com

That mail looks valid, doesn’t it? When redirection goes wrong, the attack against the service’s users is simple. It takes just a few minutes to copy the original login page, change the form processing so that the submitted data is stored to a local file or database, and then redirect back to the original site. It’s very difficult to notice that the target site is actually a new site and not the original one. At least I mistype my passwords every now and then, and when the system says the password is wrong, I try to write it a bit more carefully, without checking where my browser actually is.

So the failures are actually at many levels. The bad web application is not validating its input correctly. I have written about that before in the post “Phun with redirects”. But the second is a more fundamental failure. It’s in the e-mail protocol. The From field is not validated. The attacker can give any From address and the receiver wouldn’t notice.

The original SMTP protocol was defined in RFC 821 in 1982. Back then there was no need for security. And now it would be just too expensive to add a new security layer, because everything has been implemented to use the old, insecure protocol. Maybe in my next bug report I should state: “The root cause of the bug is the Internet and its protocols.”
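Both the Santa story (index.php?redirect=…) and this post (login.php?url=…) turn on the same missing check: the redirect parameter is followed wherever it points. As an added example, not code from either post or from any webmail product, the block below shows the validation a login page should apply: decode the parameter, then allow only a path on the site’s own host and fall back to a fixed landing page otherwise. The site host, the landing path and the function names are assumptions; the percent-encoded link is the one from the mail quoted above.

```python
# Added example (not from either post): a redirect-target check for a
# login.php?url=... parameter. Allows only same-site paths; everything else
# falls back to a fixed landing page.
from urllib.parse import parse_qs, unquote, urlsplit

SITE_HOST = "trusted-mail.net"      # assumption: host the login page lives on
DEFAULT_LANDING = "/horde/imp/"     # assumption: where to go if url= is unsafe


def safe_redirect_target(value, default=DEFAULT_LANDING):
    """Return a same-site path for the redirect, or the default landing page.
    `value` is the query parameter as the web framework already decoded it."""
    if not value:
        return default
    candidate = unquote(value)          # strip a second layer of %-encoding
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        # absolute or protocol-relative (//host) URL: allow only our own host
        # over https; .hostname drops user@ and :port decorations that are
        # often used to make a foreign host look like the real one
        if parts.scheme != "https" or parts.hostname != SITE_HOST:
            return default
        path = parts.path or "/"
        return path + ("?" + parts.query if parts.query else "")
    if not candidate.startswith("/") or "\\" in candidate:
        # relative paths and backslash variants (/\evil.example) are not trusted
        return default
    return candidate


def redirect_for_login_link(link):
    """Pull the url= parameter out of a full login link and run the check."""
    query = parse_qs(urlsplit(link).query)
    return safe_redirect_target(query.get("url", [""])[0])


if __name__ == "__main__":
    # the link from the phishing mail quoted in the post
    phishing_link = ("https://trusted-mail.net/horde/imp/login.php?url="
                     "%68%74%74%70%73%3A%2F%2F%65%76%69%6C%68%61%78%6F%72%2E%63%6F%6D"
                     "%2F%68%61%78%2F%74%72%75%73%74%65%64%2D%6D%61%69%6C%2F")
    print("phishing link lands on:", redirect_for_login_link(phishing_link))
    print("legit link lands on:", safe_redirect_target("/horde/imp/compose.php?to=santa"))
```

The second unquote is deliberate: a value that arrives double-encoded (%252F%252F…) would otherwise pass the host check as a harmless-looking string and be decoded again later. The trade-off is that a legitimate path containing a literal percent sign must be encoded twice by the caller.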

Oops – What’s wrong?

Posted: 20.7.2011 in Ei kategoriaa

Can you see from the screenshots below what went wrong? I’ve seen the same kind of errors MANY times.



Centralized cloud and other web services are a major risk for private users, but also for business users. There are plenty of problems. I have experience with Google AdSense. I used to have it on one site for a short time. But it was terminated because I had “violated the contract”. That’s great. I requested information on how I had done that and how to fix the problem. I didn’t have any intentional violations. I read through the contract multiple times. Did they help me or tell me the reason? No. I just got the same automated (or premade) message, which told me that I had violated some rules and that it’s a secret what I had done wrong.

Things could have been worse. Now I’m banned from AdSense forever, so I cannot get any income from Google ads. I cannot use AdSense in any of my services, so goodbye to most ad income. How could it have been worse? They could have banned me from all of their services. That would be catastrophic for my private life. I have a Google+ account, I have Gmail, I’m using iGoogle, I use all kinds of fancy services they have. If I violate the terms of service on Google+, I might lose all of those, as reported by Business Insider. This limits my freedom of speech. This is putting a razor blade to my throat. I have to be careful what I do or I might lose a major part of my private and professional life.

Centralized services are good from a usability point of view. But they are a risk in many other respects. Everything gets worse as soon as someone owns the majority of services. Microsoft couldn’t play as dirty a game with Windows and other software as Google can play with the services they provide. Google can block me from many services with one click, and they don’t have to justify their actions. They could just say “violated the terms of service”. I don’t have the money to go to battle against them in court.

I have to be nice on Google+. I’ll try to avoid being an evil tester there. I just want to keep all my services and accounts up and running. The spirit is strong but the flesh is weak, and now I have to kill my flesh.