Published August 22nd, 2008
Category: Links
Published June 21st, 2008
Over the last week I have been thinking about applications that could morph themselves based on some criteria. Mostly, I have been thinking about this in respect to web applications which could change their layout automatically based on the user’s interaction with certain parts of the application or lack thereof.
Additionally, this week I have been doing a lot of research on web application security. Tonight the two topics merged.
What if an application could change itself in order to protect itself? For instance, what if an application which accepts user input, submits the input via GET, and then displays the information could protect itself from being used in XSS phishing attacks even if it is vulnerable to XSS attacks?
Enter dynamic variables. The code below is a quick POC I put together to decide if this would work. The outcome: Yes, it could work. The code below is vulnerable to XSS attacks, but the attacks would only be valid for 2 seconds because the variable changes and essentially expires.
I fully admit that if someone was going to go through this much trouble, they should just fix the bad code. I wanted to try this purely as a POC and for research reasons. There may be some value in implementing a more advanced version of this in a WAF, but again it may not be worth it since there are other ways to address the problem.
Anyway, on to the code:
<?php
// Dynamic variable: the current date/time string becomes the name of the form field
$var = date('dWYHis');
print "<html><form action=\"test.php\" method=\"GET\"> <input type=\"text\" name=\"$var\"> <input type=\"submit\" value=\"submit\"></form><br></html>";
// On submission, read the current date/time string again and compare it to each submitted field name
$datechk = date('dWYHis');
foreach ($_GET as $key => $value) {
    // Accept the field only if its name is the current string or no more than 2 seconds old
    if ($key <= $datechk AND $key > $datechk - 2) {
        echo "$value"; // deliberately left unescaped: the reflection is still XSS-vulnerable, as noted above
    }
}
?>
The first part reads the current date and time and uses that string as the name of a field in an HTML form.
Next, once the form is submitted, the current date and time string is read into $datechk. The submitted variables are extracted and each variable name is compared to the current $datechk value to ensure the variable is not more than 2 seconds old. If the variable name is equal to the current date-time string or is no more than 2 seconds old, then the variable is acceptable and the code moves on.
Obviously, the date-time string should not be relied upon alone. It could be used if it is salted in some manner, but the key is to have a repeatable process on both ends so that the variable name can be recreated and validated.
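As an added example (not the post's code), here is the salted version of the same idea in Python: the field name is an HMAC of the current second under a server-side secret, and validation recomputes the names for the current and previous two seconds instead of subtracting 2 from the dWYHis string (which breaks at minute and hour rollover). The secret, the function names and the 2-second window are assumptions for this example; the accepted values are also HTML-escaped, since the expiring name only shortens the life of a reflected link and does not remove the XSS itself.

```python
import hashlib
import hmac
import html
import time
from typing import Dict, List, Optional

# Assumed values for this example: a server-side secret and the post's 2-second window.
SECRET = b"server-side-secret-constructed-for-this-example"
WINDOW_SECONDS = 2


def field_name(secret: bytes, unix_second: int) -> str:
    """Derive the form field name for one second: first 16 hex chars of HMAC-SHA256(secret, second).

    Without the secret, a third party cannot precompute the name for a future second.
    """
    return hmac.new(secret, str(unix_second).encode(), hashlib.sha256).hexdigest()[:16]


def render_form(secret: bytes, now: Optional[int] = None) -> str:
    """Emit the form with the dynamic field name, as the PHP print statement does."""
    now = int(time.time()) if now is None else now
    name = field_name(secret, now)
    return ('<form action="test.php" method="GET">'
            f'<input type="text" name="{name}"><input type="submit" value="submit"></form>')


def accepted_values(params: Dict[str, str], secret: bytes,
                    now: Optional[int] = None, window: int = WINDOW_SECONDS) -> List[str]:
    """Return the submitted values whose field name is current or at most `window` seconds old.

    Recomputing the candidate names (rather than doing arithmetic on a date string) handles
    minute, hour and day rollover, and a name for a future second is never accepted.
    """
    now = int(time.time()) if now is None else now
    candidates = [field_name(secret, now - age) for age in range(window + 1)]
    return [value for key, value in params.items()
            if any(hmac.compare_digest(key.encode(), cand.encode()) for cand in candidates)]


def render_values(params: Dict[str, str], secret: bytes, now: Optional[int] = None) -> str:
    """Echo the accepted values the way the PHP loop does, but HTML-escaped."""
    return "".join(html.escape(v) for v in accepted_values(params, secret, now))
```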
Sorry about the code formatting, the blog doesn’t do a great job of formatting code.
Category: Application Security, Information Security
Published April 23rd, 2008
The great folks over at the PCI council have finally done something I agree with. They have provided a clear and concise explanation of PCI 6.6. Typically, their direction is unclear and left to the masses to decipher.
In the new PCI 6.6 supplement, the council has given more direction on how to meet the dreaded 6.6 (should be 6.6.6) before the June 30th deadline. Originally, many thought 6.6 would require full code reviews or a web application firewall. Then, based on comments from Bob Russo, it looked like a mix of reviews and scanning was in order.
Alas, we were all delighted to find out that the options for 6.6 are simple.
Option 1: Code review, which is subdivided into 4 options:
- Manual code review of application source code
- Proper use of automated source code analyzer (scanning) tools
- Manual web application security vulnerability assessments
- Proper use of automated web application security vulnerability assessment (scanning) tools
Option 2: Web application firewall (WAF)
Now with that cleared up, here is what I see. All of the source code assessment tool companies and web application firewall companies are in a panic. 6.6 was their pay day, but now it appears we have an easier way to achieve compliance by running a web application scanner such as WebInspect.
While there is definitely benefit in source code reviews, and WAFs have their place (though disputed by many), performing a review with a scanner is much more cost effective. At the end of the day, we are in business to make money and must make compromises between security and business. I think we have found that compromise for 6.6.
Category: Application Security, Information Security, PCI, Risk Management
Published April 18th, 2008
This weekend is toorcon Seattle. If you know, then you should be there. I, unfortunately, will not be going due to prior engagements (fancy for “I have plans”).
On a semi-related note, Microsoft’s BlueHat is the first week of May. This means Limo races and other good fun. Again, I did not plan properly and will have to skip the limo races but I will be around for the weekend fun.
Category: Information Security, Seattle
Published March 30th, 2008
Category: Links
Published March 19th, 2008
This URL was sent over to me by a co-worker. Looks like Google is hosting a few presentations and video related to Web Security. Worth a review.
http://code.google.com/edu/security/index.html
Category: Application Security, Information Security, PCI
Published March 7th, 2008
Today I was investigating how a 3rd party site was streaming content from another site. The silly people tried to hide their JavaScript and HTML magic by “encrypting” the source using Encrypt HTML Pro - they also put a fake error in the source to deter me (Error 505: Source Code Unavailable).
With some JavaScript of my own, their code was reversed to human readable in no time. I figured out how they were getting the stream, and now that is being stopped.
The run down:
Encrypt HTML Pro basically creates two parts inside your document. First, a JavaScript block that is hex encoded. This holds the function which performs the “decryption” so your browser can read the rest of the page.
Next, you have blocks (as many as you define when encrypting the code) of JavaScript code that is not readable. What tipped me off when looking at the obfuscated document was the fact that each block was JavaScript and calling the same function.
When I decoded the first block, I found the function the subsequent blocks were calling. I realized that the subsequent blocks were just pushing the obfuscated code through this function which then returned something the browser can read.
So I did the same thing. I had the function to decode everything so I just ran the subsequent blocks through the function and printed them to a local file.
I then found a few blocks of code that the author (or software) tried to use to hide more details. The author used the JavaScript function “String.fromCharCode” to encode strings they wanted to further hide. Using the JavaScript function “eval” and again printing to a text file, I got what I needed from those.
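As an added example (not code from the post or from Encrypt HTML Pro, whose real output format is not reproduced here), the two layers described above can be undone statically in JavaScript: a %xx hex-encoded block is decoded back to source, and each String.fromCharCode(...) call is replaced by its string literal, so the hidden code can be read without ever passing it to eval. The sample block and the URL inside it are constructed for this example.

```javascript
// Layer 1: a block hidden as "%xx" hex pairs (a plain hex string is accepted too).
function decodeHexBlock(block) {
  const digits = block.replace(/%/g, "");
  let out = "";
  for (let i = 0; i + 1 < digits.length; i += 2) {
    out += String.fromCharCode(parseInt(digits.slice(i, i + 2), 16));
  }
  return out;
}

// Layer 2: strings hidden as String.fromCharCode(104,116,...). Each call is rewritten as a
// quoted literal, so the decoded source is inspected rather than executed with eval.
function inlineFromCharCode(src) {
  return src.replace(/String\.fromCharCode\(\s*([0-9,\s]*)\)/g, (match, list) => {
    const codes = list.split(",")
      .map(s => parseInt(s.trim(), 10))
      .filter(n => !Number.isNaN(n));
    return JSON.stringify(String.fromCharCode(...codes));
  });
}

// Both layers in the order the post describes: decode the hex block, then inline the strings.
function deobfuscate(block) {
  return inlineFromCharCode(decodeHexBlock(block));
}

// Constructed sample (not the third-party site's code): a URL hidden with fromCharCode,
// and the whole line then hex-encoded the way the obfuscated blocks were.
function toHexBlock(text) {
  return Array.from(text, c => "%" + c.charCodeAt(0).toString(16).padStart(2, "0")).join("");
}
const HIDDEN_URL = "http://example.test/stream";
const SAMPLE_SOURCE = "var src = String.fromCharCode(" +
  Array.from(HIDDEN_URL, c => c.charCodeAt(0)).join(",") + ");";
const SAMPLE_BLOCK = toHexBlock(SAMPLE_SOURCE);
```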
At the end, I figured out how they were getting the stream and I even thought of a better way to grab the stream and fully hide how it was being done. Oh well, luckily I work for the media company.
Silly programmers, hackers always win. +1 for corporate hackers.
P.S. Maybe now Billy Hoffman will give me some respect 
Category: Application Security, Information Security | Tags: infosec, information security
Published February 23rd, 2008
Since you are a loyal reader, you get the scoop first. Confnow is soft launching this weekend. Basically, this means it is up and running but we are not telling anyone. EXCEPT YOU!
What is Confnow you ask? Simple. Confnow lets you attend a conference call without dialing the phone or the conference pin code. Yes, we think it is a great idea also.
How to use Confnow:
Sign up
Forward meeting invite via email
Answer your phone when it is time for the call. We call you, connect you to the conference call, and enter the conference pin information.
No more missing conference calls, forgetting the pin, or trying to dial while driving. Go there, sign up, test it, let us know what you think.
P.S. - Some lucky people will receive Amazon gift certificates for submitting testimonials we can use. So, make sure you send us your thoughts.
Adam
Category: Seattle, VC, startup