Blog

  • PHP 5.2 to get HttpOnly!

    Ilia has just blogged that HttpOnly is now supported in PHP 5.2.

    This prevents the usual sort of basic XSS attacks, like:

    Supported browsers:

    • IE 6.0 SP1 and later – prevents reading, but not over-writing (still allows preset CSRF attacks)
    • IE 7.0 – prevents reading and writing – safest
    • Safari 1.3 – not supported (update)
    • Opera 8 and later – not supported (update)
    • Mozilla – not supported
    • Firefox – not supported
    • IE 5.x for Mac – will actually fail to render the page. Use browser detection to encourage them to migrate to Safari or Firefox once it supports HttpOnly

    There is a potential solution for Firefox’s and Mozilla’s lack of support.

    Now all we need is for Firefox, Mozilla, Safari (=WebKit), and Opera to climb aboard!

    Update: Chris and I spent some time working out if HttpOnly works on a range of browsers. Sadly, some browsers I thought had support… don’t. Oh well.
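
    How the new flag is used from PHP 5.2, as an added example that is not code from the original post: the httponly argument of setcookie(), the matching session.cookie_httponly setting, and a self-check over the queued headers. It assumes it runs before any output is sent; the helper name is hypothetical.

```php
<?php
// Added example, not code from the original post: setting cookies with
// PHP 5.2's new HttpOnly support. Must run before any output is sent,
// since cookies travel in the response headers.

// Session cookie: both the ini setting and the last argument of
// session_set_cookie_params() are new in 5.2.0.
ini_set('session.cookie_httponly', '1');
// (lifetime, path, domain, secure, httponly)
session_set_cookie_params(0, '/', '', false, true);
session_start();

// Application cookie: the seventh argument (httponly) is new in 5.2.0.
// (name, value, expire, path, domain, secure, httponly)
setcookie('prefs', 'theme=dark', 0, '/', '', false, true);

// Self-check on the queued headers (hypothetical helper): return every
// Set-Cookie line that lacks the HttpOnly attribute, so a missed call is
// caught in testing rather than in production.
function cookies_missing_httponly(array $headers)
{
    $missing = array();
    foreach ($headers as $h) {
        if (stripos($h, 'Set-Cookie:') === 0 && stripos($h, 'httponly') === false) {
            $missing[] = $h;
        }
    }
    return $missing;
}

foreach (cookies_missing_httponly(headers_list()) as $h) {
    error_log('cookie sent without HttpOnly: ' . $h);
}
```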

  • James Van Allen dies at 91


    IOWA CITY, Iowa (AP) — Physicist James A. Van Allen, a leader in space exploration who discovered the radiation belts surrounding the Earth that now bear his name, died Wednesday. He was 91.

    A sad day for astronomy and space geeks. More here

  • Defcon is dead, long live Defcon

    Well, that was Day 3 of Defcon out of the road. I didn’t get to see too many actual talks due to the hallway track being far more interesting than the actual three track program. Again, few webappsec talks, and some were repeats of the BH talks I’d already seen.

    I caught up with a few fine folks, including Jeremiah Grossman, TC, RSnake, Arian Evans (possibly the funniest infosec guy I’ve ever met!), Dinis and more! It was a total hoot, and we did a lot of good work^Wdrinking.

    The more esoteric talks were right up there. I wanted to go to Peter Gutmann’s talk on phishing, but unfortunately it was far too early after the night before. Luckily, I have the slides in PDF form, and soon we will have the DVD at work, so that’s no biggie.

    The biggest change is the venue. The new location at the Riviera is excellent – it’s still old and crusty which is a la Defcon at Alexis Park, but it has *air conditioning* and it can handle zillions of geeks in the manner which they are accustomed – ie without bathing.

    However, the smoking problem is worse than ever. I made my most valiant of efforts to kill them all using my onion ring with crab cake special edition flatus, but unfortunately, it backfired late at night thus causing me more grief than any of the smokers. When will conference organizers equate smokers == lawsuits for obvious and gross negligence when the dangers of said disgusting habit are well known?

    In other news, Tanya picked up a huge stogy for her old man.

  • BlackHat Day 2

    Day 2 had a complete web app sec track. This is a huge change from last year, where there was like … my talk and that was about it. And you know what? It was full! Every session I’ve attended so far today has been near full. Plus, it’s top material.

    Let’s get on with the details.

    Hacking Intranet Websites from the Outside “JavaScript malware just got a lot more dangerous”

    Jeremiah Grossman & TC Niedzialkowski

    The Register missed the boat – they went to the wrong talk. They should have gone to this talk instead.

    Jeremiah and TC showed a bunch of demos which totally 0wned the browser of the victim. This talk was downright scary. They did a basic CSRF attack against a DSL router (incidentally, the model I have at home – luckily I *have* changed the default password), and demo’d the ability to make the victim’s browser the attacker’s complete biatch.

    Essentially, you can do two things:

    a) don’t go to any sites
    b) turn off the Internet

    They didn’t even use the Ajax stuff which is now possible, such as using cross-domain XHR and Flash based arbitrary header re-writes and forgery, which when taken together essentially mean that an attacker has an extremely wide array of vulnerable sites, such as MySpace and others, to send hostile code to your computer to do with as they please. I am certain this is how the malicious mofos behind commercial / organized crime spamming and bot nets will try to infect millions of boxes over the next few years.

    Ajax talks

    These two talks were interesting, but didn’t extend the state of the art much beyond where I was back in February. All of the next three talks had overlapping content, which got a bit monotonous by the end.

    “AJAX (in)security”
    Billy Hoffman

    Billy talked about four areas of Ajax security, but my favorite was how he extended the method of using mash ups to be evil via the mash up proxy and hide where you’re from. That’s cool. Billy did go a little bit further with an idea to use Ajax to create a proper worm, but used the ol’ MySpace worm and the Yahoo mail worm to show previous examples.

    Billy’s talk was energetic and he talked at a thousand miles an hour. He could have done with some demos. I had a chat with him before the talk, and I think there’s some potential there to collaborate on future stuff.

    “Breaking AJAX Web Applications: Vulns 2.0 in Web 2.0”
    Alex Stamos & Zane Lackey

    With Ajax stuff, it is necessary to bootstrap the audience … this year. The guys went through the basics of Ajax … again … and then went on to talk about the problems as they saw them. Again, not much new here, but at least there was a look at different frameworks, particularly Java based frameworks. I’ve mostly looked at PHP frameworks, so this was pretty interesting.

    The guys ran out of time, and so didn’t talk long enough about the methods to prevent attacks. It’s not hard for the main part, but too little detail doesn’t help the BlackHat audience (who are mainly security geeks at larger corporations) who want to know the problem … and the solution. At DefCon, you don’t have to worry about the solution as they’re just interested in the problem.

    “Six Degrees of XSSploitation”
    Dan Moniz & HD Moore

    This talk was interesting as HD Moore and Dan Moniz are relatively (in-) famous. However, it was a fairly lightweight presentation, again introducing XSS and Ajax and the MySpace worm. There was some good material in here, potentially looking at things you can do once you’ve found yourself a nice juicy XSS.

    I would have liked to hear more about the ActiveX null pointer execution thing that is apparently coming out next week, but obviously that one is under NDA. HD took a back seat to Dan most of the time, but that’s okay – they imparted a lot of information in not much time.

    “Analysis of Web Application Worms and Viruses”
    Billy Hoffman

    Placeholder

  • Blackhat Day 1

    “TBA” – David Litchfield

    David did a talk on the problems with Informix. Awesome talk, and shows that all database servers are vulnerable. He totally 0wned his server in a set of well rehearsed demos.

    I don’t use Informix so it wasn’t that useful to me, but a take home message is total props to IBM for solving these problems. Oracle can learn a few things from IBM on how to listen to professional security researchers, and fix stuff in a reasonable time frame.

    “How to Unwrap Oracle PL/SQL”
    Pete Finnigan

    Pete went through the basics of figuring out how to unwrap (decode) PL/SQL. I’ve just finished doing a major PL/SQL code review, and I was hoping it was about how to do good code reviews of this language. It turns out that some folks encode their PL/SQL (which is essentially Ada with some extensions) to obfuscate the source. We don’t do that, so I found this stuff pretty dull. However, I’ll keep it filed away in case we get some third party code which has been “wrapped”.

    Wrapping is an encoded form of DIANA. Pete showed how to decode this representation from the raw bytes stashed by Oracle. He also had some unkind words for the tools which supposedly decode this stuff today.

    Lastly, 10g went backwards. They don’t use this method, instead favoring just base64 encoding. That’s cool, as it makes it easier to decode stuff in 10g.

    Oracle Rootkits 2.0: The Next Generation
    Alexander Kornbrust

    Awesome talk. More when I have time to get my thoughts together. Take home point: take the time to secure your database servers, and isolate them.

    Hallway track

    So awesome to be here and meet the folks who do the research. I met a bunch of really smart folks and did a bit of an interview. If it comes out, I will update this entry.

  • The land of ouchy hamburgers

    I’m working on tomorrow’s presentation to a major ISV. I don’t really have time to pop out and eat properly, so I order in. Most of the time, I don’t like doing this as the food often comes a bit cooler than I would like, the salads a bit limp and it’s always overpriced.

    I look in the room service book, order up a burger and fries with some Pepsi, and as I’d skipped lunch, a cheesecake and some coffee to wash things down. I mentally add up the individual elements and I think it’s going to be about $30, which is well under my work’s spending guidelines if a bit expensive for my tastes. A similar meal down the road at Maccas followed by a trip to the Italian cafe would cost me no more than $15 if I knew where the Maccas was.

    I was a bit shocked to see the price in my room: $57 USD (about $80 Australian!). For a burger, drinks and a small dessert.

    They had slugged me for tax, 20% service (even though it was delayed AND the meat patty had congealed), some other taxes on top of the mandatory gratuity, and expect me to put an additional gratuity on top of that. So I round up to the nearest dollar, a “tip” of $0.13.

    Man, this place sucks. Can’t wait to get to Vegas.

    Andrew

  • OSCON

    Work: I owe my boss a huge beer (and a document) and an apology when I get back to Australia.

    Personal life: in the dog house. I got very little sleep these last few days, and I bet my other half is feeling far worse than me. Hopefully, she can come to Vegas so we can sort things out.

    OSCON: Awesome.

    My presentations went down well. I’ll upload the new presentations soon, but the Ajax Security demo went off really well. The room was overflowing with folks, so I’m really chuffed that so many of you decided to come.

    I’ll put up the Ajax XSS demo I did later, but please be aware that these demos are INSECURE by design, and should only be tested on your internal systems. The trick is to:

    <img src="kitty.jpg" onLoad="... your javascript attack here ...">

    People forget there are literally hundreds and possibly millions of ways to do XSS. Do NOT look for script or JavaScript and think you’re done. That’s stupid. Make the output safe: it’s faster, it’s simpler, and it works.
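
    The contrast drawn above, as an added example that is not code from the original post: a filter that hunts for script tags beside encoding at the point of output. The input is constructed from the img/onLoad vector shown above and the function names are hypothetical.

```php
<?php
// Added example, not code from the original post. Contrasts the
// "look for script" filtering the post warns against with making the
// output safe. Input is constructed from the post's own img/onLoad
// vector; both function names are hypothetical.

// Mistaken approach: strip anything that looks like a script tag.
// The onLoad vector contains no "script" at all, so it passes untouched.
function strip_script_tags($s)
{
    return preg_replace('/<\s*\/?\s*script[^>]*>/i', '', $s);
}

// Recommended approach: encode for an HTML text context at output time.
// ENT_QUOTES also encodes single quotes, so the same function is safe
// inside quoted attribute values.
function safe_html_text($s)
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$untrusted = '<img src="kitty.jpg" onLoad="... your javascript attack here ...">';

// Still a live <img> element carrying its event handler: the filter did nothing.
echo strip_script_tags($untrusted), "\n";

// Every < > " ' & character is now an entity, so the browser shows the
// string as text and no element or event handler is created.
echo safe_html_text($untrusted), "\n";
```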

    People

    I met so many folks who I had spoken to over the net, or e-mailed. Everyone is so nice and friendly, it’s incredible to meet the greats. I really enjoyed catching up with Chris and Laura, met the Schlossnagles for the first time (cool dudes, cute kids :), and of course, Wez.

    Unfortunately, due to the bad things going on in my personal life, I could not bring myself to hang out after hours as I was feeling extremely down, but life goes on. I was hoping to go out to Portland a bit more; maybe next time.

    Talks

    I went to a fair few webappsec related talks, and it’s truly gratifying to me that the developers had an entire stream dedicated to it. I really enjoyed the PHP Security hoe down – we had a wack job in the back row causing a bit of a stir, but after he left, the hour really flew.

    Portland

    I’ve never been here before. It’s a very nice city, great public transport. I’ll post some images soon as it’s very pretty this time of the year. It was a bit hot when I got here (about 40C) but it soon cooled down to mid 20’s and I’ve been happy with that. 🙂

    A friend through newbeetle.org picked me up from the airport last Sunday, and we went to her place and hung out for a while. She invited over a friend of hers, and I got to see her and her hubbie’s New Beetles (a nice Turbo S and a unired NBC), and her friend’s green Gecko TDI New Beetle. Very nice – I wish we could get that color in Australia. We had breakfast on Friday morning even though I was extremely tired (no sleep) and a bit sad, and she picked me up this morning to take me to the airport. I’m so impressed, I wish I could say I was as good a host when I have folks visiting. Thanks, Debbie – you set the standard!

    Next steps

    I’m off to SF next. I’m at the airport now. I have to spend a few hours this weekend getting stuff together to meet the CSO of a major partner of work’s, like running through the ESA presentations and ensuring that we have something constructive to talk about. I might need to go to Kinkos tomorrow and print off a few things unless my hotel has a printer I can use.

  • End of an era

    I’ve given up my PC to my brother as his computer (my old 1999 Dell) was finally giving up the ghost. I no longer have the ability to execute Windows x86 binaries or Linux x86… for now. This leaves me only with my Mac.

    I miss the pedestal of my PC’s case (clear horizontal surfaces being a bit rare due to the chronological ordering system I use (ie I dump things on spare space, and neglect to clean up)), but I will not miss the fan noise.

    In the new year, after the wedding, I’ll get a nice MacBook Pro once they’ve sorted out the whine (apparently sorted with later MacBook Pros which have a different display inverter), fan noise and overheating issues (probably fixed with the firmware update), distorted right hand speaker, and expanding batteries and reports of poor battery life.


  • Press: Q&A on Ajax / SOA Security

    Colleen Frye from SearchAppSecurity.com, interviewed me via e-mail a couple of weeks ago on the OWASP Ajax security research and materials I’ve been pumping out. Although she asked for brief answers, to paraphrase Mark Twain, I didn’t have the time to write shorter answers.

    The results are now available for your reading pleasure.

    Part 1
    Part 2

  • A quickie

    Here’s a single slide from the PHP security architecture slide deck. When I’ve sorted myself out in terms of demos for OSCON, I will release the entire thing when it’s in better shape (and smaller for the web – this Keynote theme seems particularly heavy).

    Slide 9 (1.2 MB, pdf)