A survey of insecure Flash crossdomain policies – Alexa Top 10,000 case study

EDIT: October 9th, 2015 – added Appendix section.

Just like many other information security consultants, most of my billable time is spent performing web application penetration testing. Also just like every other professional pentester out there, I rely a lot on Burp Suite and its amazing scanner.

More often than not, Burp Scanner comes up with a finding that, under certain conditions, can have a rather high impact but is not commonly exploited: an insecure crossdomain.xml file.

In a recent blog post, Matthew “mandatory” Bryant exploited this vulnerability against the popular music service rdio. This inspired me to conduct a survey against the Alexa Top 10,000 most visited sites on the web (October 2015) in order to verify how widespread the crossdomain vulnerability actually is, as well as hopefully raise awareness about the issue. It is worth mentioning there is some prior art on this exact same topic, published in an academic paper from 2011 and a blog post by Zach Bloomquist, but I was not aware of either of them until I started to write the support code for this survey.

The rest of this blog post briefly discusses what crossdomain policy is and how it can affect the security of a website. It also describes all steps necessary to conduct the survey, including the relevant technical details and code, and presents its results.
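The survey loop needs a per-site check that decides whether a fetched crossdomain.xml is overly permissive. The following is an added illustration of such a check, not the support code from the original post; the sample policies and the domains in them are constructed for the example and are not taken from any surveyed site. It flags the three well-known weak settings: a wildcard domain="*", a wildcard over a whole top-level domain such as *.com, and secure="false" on a policy served over HTTPS (which lets a plaintext-loaded SWF reach the HTTPS host).

```python
"""Triage Flash crossdomain.xml policies for overly permissive grants.

Added illustration of the per-site check a survey needs; not the support
code from the original post. Sample policies below are constructed.
"""
import xml.etree.ElementTree as ET

# Constructed sample policies (hypothetical domains, not real survey data).
SAMPLE_POLICIES = {
    # Any SWF on the web may make requests carrying the user's cookies.
    "wildcard": """<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <allow-access-from domain="*" />
</cross-domain-policy>""",
    # Scoped to the site's own subdomains: not a finding by itself.
    "scoped": """<?xml version="1.0"?>
<cross-domain-policy>
  <site-control permitted-cross-domain-policies="master-only" />
  <allow-access-from domain="*.example.com" />
</cross-domain-policy>""",
    # Served over HTTPS, but secure="false" lets an http:// SWF talk to it.
    "downgrade": """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="partner.example.net" secure="false" />
</cross-domain-policy>""",
    # Wildcard over a whole TLD: every .com site is trusted.
    "tld": """<?xml version="1.0"?>
<cross-domain-policy>
  <allow-access-from domain="*.com" />
</cross-domain-policy>""",
}


def parse_grants(xml_text):
    """Return [(domain, secure)] for each allow-access-from element.

    secure defaults to true; only an explicit secure="false" relaxes it.
    """
    # Untrusted input: expat does not fetch the external DTD, but it does
    # expand internal entities; a large survey should cap response size.
    root = ET.fromstring(xml_text)
    if root.tag != "cross-domain-policy":
        raise ValueError("not a cross-domain-policy document: <%s>" % root.tag)
    grants = []
    for el in root.iter("allow-access-from"):
        domain = (el.get("domain") or "").strip().lower()
        secure = (el.get("secure") or "true").strip().lower() != "false"
        grants.append((domain, secure))
    return grants


def classify(xml_text, served_over_https=True):
    """Return human-readable findings; an empty list means no obvious weakness."""
    findings = []
    for domain, secure in parse_grants(xml_text):
        if domain == "*":
            findings.append("wildcard domain: any Flash origin may read authenticated responses")
        elif domain.startswith("*.") and "." not in domain[2:]:
            # Heuristic: "*.com", "*.net" ... trust every site under a TLD.
            # Multi-label suffixes like *.co.uk need a public-suffix list (out of scope).
            findings.append("wildcard over top-level domain %s" % domain)
        if served_over_https and not secure:
            # secure="false" only matters when the policy itself is served over HTTPS.
            findings.append('secure="false" for %s: plaintext SWFs may reach this HTTPS host' % domain)
    return findings


def survey(policies, served_over_https=True):
    """Map each policy name to its findings, mirroring a per-site survey loop."""
    return {name: classify(text, served_over_https) for name, text in policies.items()}


if __name__ == "__main__":
    for name, findings in survey(SAMPLE_POLICIES).items():
        print(name, "->", findings or "ok")
```

In a real run the policy text comes from fetching /crossdomain.xml on each host; the scheme of that fetch is what `served_over_https` should reflect, since the `secure` attribute has no meaning on a policy served over plain HTTP.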

Brief analysis of a SQL injection in Cacti 0.8.8b

Back in September 2013 I wanted to practice some code auditing and picked the latest version of Cacti (v0.8.8b at the time). I spent a few hours looking into the code and also assessing a running instance of Cacti and this exercise resulted in a few vulnerabilities. I was motivated to finally put together this write-up since several SQL injections were fixed in Cacti in July 2015. As of this writing (September 2015), it seems like this vulnerability is still present in the latest version of Cacti.

For those who don’t know, Cacti is quite a popular network monitoring tool, pretty similar to Zabbix and Nagios. A quick Google search for intitle:”Login to Cacti” comes up with more than 4,000 results. Finding high severity bugs in Cacti means there is a very high chance an attacker can break into a box located in a privileged position in the network, since a monitoring host has to be placed where it can observe traffic and events.

Cacti is a PHP application and I have to say, it’s miserable from a security point of view.

CampCTF Spam100 – pwn

A few days ago I had the chance to attend Chaos Communication Camp 2015.
I personally had a great time camping, swimming in the lake and catching up with friends I usually bump into at conferences like this — including an old friend from high school I hadn’t seen in ages.

This year CCC Aachen held a capture the flag competition named CampCTF at the event. The CTF was open to everyone interested, and there was no requirement of physical presence at the camp to play.

Although I admit I barely touched my computer while at the camp (I was more keen to enjoy a good time with friends and have a holiday), I did have a go at some of the challenges of the CTF.

Without further ado, let’s proceed with the actual write-up of one of the challenges of the CTF: Spam100.

On the security implications of window.opener.location.replace()

It’s no secret I am a big fan of many HackerOne bug reports and public penetration test reports authored by companies such as Cure53 and Least Authority.

In fact, pretty much every week I spend some of my free time reading bug reports. Regularly I stumble upon very interesting attack vectors and oftentimes learn tricks I had never seen before. This post is about one of the techniques I learned some time ago whilst reading a report submitted to HackerOne, authored by a bounty hunter named Daniel Tomescu.

After I finished reading that particular report, I was a bit confused and not convinced this was a bug in the application at all. Then I had a discussion about it with my friend Shubham Shah and he clarified some of my doubts.

Digging into the issue a bit more, I discovered this is indeed a design decision shared by all major browsers. However, it seems to me that the security ramifications of this design decision are not well understood and often ignored.

The objective of this post is to present the issue, discuss it in as much detail as possible and make the case for why it has a greater security impact than many people may think.

Positive HackDays 2012 $natch write-up

Some time ago, while browsing old backups, I stumbled upon a raw write-up I did for $natch, a vulnerable Internet banking application created for a CTF-style competition organized by the folks at Positive Technologies. They held this contest at PHDays 2012 in Moscow and at the 29th Chaos Communication Congress in Hamburg.

I participated in the contest at 29C3 and scored second place (in fact I found more bugs than the winner and certainly would have won if my laptop’s network card hadn’t bailed out – I had to borrow one from the organizers so I could play).

This post will discuss in detail every vulnerability found within the application, along with the relevant vulnerable source code, and explain all steps necessary to successfully exploit them.


Bug bounty write-up: Reflected cross-site scripting in Yahoo’s Contextual Ads search

I decided to start this blog with a post containing a technical write-up of my first (and last) attempt to participate in Yahoo!’s bug bounty program.

In this post I will share technical details on the reflected cross-site scripting vulnerability I discovered around 8 months ago as well as vent about my frustration in dealing with their bounty program.
