Archive for the ‘Security’ Category


Security is an important part of modern systems, but as testers we usually think only about application security. Unfortunately, the reality is that the easiest way to intrude into a system is to cheat people. This is a story about me and Santa Claus.

This year I won’t be without Christmas presents! In fact, I managed to find out how to change the present allocation to 10% of Santa’s budget. It started with an e-mail I received. I investigated its headers and found the domain santa-claus-intelligence-agency.com (I’ll call the agency SCIA). That got me really excited, so I started to dig around.

The first thing I found was their beta site at public-beta.santa-claus-intelligence-agency.com. Some debugging options were still on, so the web application revealed the structure of its file system. The most interesting path was ../snippets/handlefiles.php, so I started to investigate what it contained. It seemed that the SCIA developers had poor knowledge of version control: there was a backup file, handlefiles.php~. I read it, and it mentioned a browser-accessible directory called ../uploads/. That directory was misconfigured and gave me a directory listing. I decided to check every file in it. The most interesting one was birthdays.xls.

I opened birthdays.xls. It was a real treasure! It listed all the SCIA elves, their birthdays and their e-mail addresses. I was much wiser about their internal structure after that. I tried to google more information about them, but I found only a couple of blogs – one about fishing, another about snow sports – and a couple of LinkedIn accounts. The birthday of the “fisher elf” was on the 8th of June. I found the file in May.

When the 8th of June approached, I bought the domain fishing-stuff.com and set up a shopping site. Then, on the 7th of June, I sent mail to the fisher elf. I wrote:

Congratulations! Your birthday is near, and we at Fishing-Stuff.com want to give you a present. You’ll get a 40% discount on all items you order during this week.

The hook was set! On that very same day it happened: someone from secret-nat.santa-claus-intelligence-agency.com logged in. Now I had some additional information about their network.

First I decided to check the names of the IPs they had. I found webmail and a proxy. I pointed my browser at the webmail first and realised that their mail application was vulnerable to an open redirect! It means that if I manage to get a user to click a specific link, he can end up on ANY website I want him to end up on. I continued investigating. I read the LinkedIn profiles carefully, and from them I managed to find the code names of their projects.

The Lady of Chaos had given me imagination. So I started to think about how to get someone to click my malicious link and submit his e-mail credentials to me. The first step was to create a “login page” that looked exactly like the one they used for their webmail. The only difference was that it stored the username and password to a file I was able to read, and then sent the user back to their original e-mail application.

The mail was:

Hi, higher official elf Jack Elvish. Our new project XyzEdfg requires your input. Could you please check our site https://webmail.santa-claus-intelligence-agency.com/index.php?redirect=http://10.128.34.53/index.php.

I used the e-mail address of Jone Lesselvish, which was Jone.Lesselvish@santa-claus-intelligence-agency.com. His LinkedIn profile mentioned XyzEdfg, so I thought it would be safe to use. The e-mail protocol is insecure: you can use any sender name you want. It does not ask for passwords; it just trusts what it gets.

I had to wait only a few hours to get the username and password of Jack Elvish. The next step was easy: I just logged into his e-mail and read what kind of systems they had. The most interesting was the “accounting” system. It was part of the internal network, and to intrude there I had to find some way to access their internal networks. The next step was to find an error in the firewalls or another insecure application. I decided to take the risk and investigate the computer named proxy. Port 8090 had an open HTTP proxy, and it was also able to access the internal network.

At this point I decided that it was too risky to attack it right away. I waited until the end of September: if they had noticed me before, they couldn’t connect my new attempts to my older attacks. At the end of September I finally logged in to Jack Elvish’s e-mail again. The password was still working! Then I tried to log in to the accounting system. It asked for an e-mail address, so I used Jack’s address and tried the same password as for his e-mail. Oh well, it didn’t work. So I used the “I forgot my password” functionality. It asked only for the answer to the question “What’s the month of your birthday?”, and Jack had a new password, which I also knew right away.

I had full access to the accounting system. There were all kinds of secrets! SCIA had done a wonderful job of tracking people; even the NSA couldn’t do the same. Now I know all YOUR secrets! I was able to tune everything. After my modifications I had cured cancer and AIDS and managed to bring peace between Palestine and Israel. In the end my present allocation was 10%!

Insecurity is not just application security; it is more or less a human aspect. Misconfigured servers, small security issues, fooling people with different techniques and insecure protocols – they all made this task so simple. No matter what kind of testing we do and where we are working, we should always ask: “Can someone misuse this? Can he break the confidentiality, integrity or availability of the system?” If the answer is “Yes” for any part, then there is a problem and the risks should be estimated. If the service has a public interface, overestimate the risks rather than underestimate them.

This was originally written for Qentinel’s internal newsletter.

Phun with redirects

Posted: 31.10.2010 in Security

I love redirections in web applications. They are so often broken. I’m trying to list here the mistakes I’ve seen most often. Redirections are often used in places like login: they try to make the system friendlier for users by returning the user to the same page where he clicked the “Login” link. So let’s imagine there is a site ‘brokensite.xyz’ which has that kind of redirection. When the user clicks “Login”, he is directed to the page http://brokensite.xyz/login.jsp?returl=returnpage.jsp.

First: lack of URL validation. The attacker is able to set any URL in the returl parameter. I usually try to replace the valid destination with http://google.com/, and if I end up on that page after I’ve logged in, the system is vulnerable. This should be one of the basic checks for web applications. In this case it would be: http://brokensite.xyz/login.jsp?returl=http://google.com/.

Second: %0A in the middle of the URL, especially with JSP. That is a new line. When the redirection is made with an HTTP result code 30x (302, 301 or some other), the target destination is given in the Location header. If the web application does not URL-encode the destination properly, the attacker can add new headers with %0A, and web browsers (at least Firefox) redirect to the last Location destination. So in this case the attack URL would be: http://brokensite.xyz/login.jsp?returl=correctone.jsp%0ALocation:+http://google.com/

Third: incorrectly escaped " or ' when the redirection is done with a META tag or JavaScript. These cases are more like XSS or HTML injection errors, but they can still be very effective. Usually the mistake happens with the META tag: developers tend to forget that proper quote escaping in tag attributes is not done with a backslash. Let’s assume that quotes are now escaped wrongly with a backslash, so " in attributes is converted to \". Only the characters ' and " are escaped.

To produce the result below, our URL must be: http://brokensite.xyz/login.jsp?returl=correctone.jsp?"<script>alert(1);</script>.

<META
HTTP-EQUIV="Refresh"
CONTENT="0; URL=correctone.jsp?\"><script>alert(1);</script>

Fourth: a JavaScript redirection that does not properly escape the character combination --> or ]]>, depending on what kind of hiding is used for the JavaScript. Those combinations usually end the JavaScript hiding and also escape from the quotes. So the JavaScript below is totally legal. It is created with the URL http://brokensite.xyz/login.jsp?returl=correctone.jsp+--></script><script>alert(1);</script>

<script><!--
window.location="correctone.jsp --></script><script>alert(1);</script>");

//-->
</script>

If you are a developer and plan to make a redirection, please use response codes instead of JavaScript and META tags. JavaScript is the most vulnerable type of redirection, and the META tag can be turned off too easily. Always URL-encode everything you receive. Never trust anything that comes from the browser. Testers – like me – can be evil, but criminals can be even more evil.
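Here is an added defensive example (my own code, not from the original post) that checks a returl-style parameter against all four mistakes above and emits the target safely in a Location header, a META refresh and a JavaScript redirect. The function names, the fallback page index.jsp and the sample inputs are assumptions.

```python
# Added example: validate a login 'returl' parameter and emit it safely.
# Function names, the fallback page and the inputs are assumptions.
import html
import json
from urllib.parse import unquote, urlsplit

DEFAULT_TARGET = "index.jsp"  # assumed safe fallback page

def safe_return_url(raw: str, default: str = DEFAULT_TARGET) -> str:
    """Accept only a same-site relative path; anything else falls back.
    Rejected: absolute URLs and //host forms (open redirect), CR/LF or
    %0A/%0D (Location header injection), and quotes, angle brackets or
    backslashes (META / JavaScript injection). The raw, still
    percent-encoded value is returned for use in a Location header."""
    if not raw:
        return default
    decoded = unquote(raw)  # inspect what the browser would actually send
    if any(c in "\r\n\t\x00" for c in decoded):
        return default
    if any(c in "\"'<>\\" for c in decoded):
        return default
    if decoded.startswith("//"):  # scheme-relative, covers ///host too
        return default
    parts = urlsplit(decoded)
    if parts.scheme or parts.netloc:  # http://host, javascript:, ...
        return default
    return raw

def location_header(raw: str) -> str:
    """Header line for a 30x redirect; it can never carry CR/LF."""
    return "Location: " + safe_return_url(raw)

def attr_escape(value: str) -> str:
    """HTML attribute escaping: a quote becomes &quot;, never \\"."""
    return html.escape(value, quote=True)

def js_literal(value: str) -> str:
    """JS string literal with <, > and & as \\uXXXX, so that </script>,
    --> or ]]> inside the value cannot end the script block."""
    out = json.dumps(value)
    return out.replace("<", "\\u003c").replace(">", "\\u003e").replace("&", "\\u0026")

def meta_refresh(raw: str) -> str:
    """META refresh whose attribute value is properly HTML-escaped."""
    target = attr_escape(safe_return_url(raw))
    return f'<meta http-equiv="Refresh" content="0; URL={target}">'

def js_redirect(raw: str) -> str:
    """JavaScript redirect whose target is a safe JS string literal."""
    return f"<script>window.location = {js_literal(safe_return_url(raw))};</script>"
```

The validator rejects rather than sanitises, so a hostile value can never reach any of the three emitters; the escaping helpers are kept separate so they can be reused for other attribute and script contexts.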

Why are redirection errors bad? Well, thanks to the insecure SMTP protocol, a phisher can send victims mail with the from-address admin@brokensite.xyz. The mail says that the account has been suspended and requests the user to log in at http://brokensite.xyz/login.jsp?returl=attackers_own_url. That page can install malware, steal the password by telling the user that he gave a wrong password and asking him to resubmit it, and so on. The attack possibilities are nearly unlimited.