07 Feb 2019
"You're one of 772,904,991 people pwned in the Collection #1 data breach"... Many of us have received an email with this subject line from Troy Hunt's Have I Been Pwned service about 3 weeks ago. By design, that service doesn't tell you exactly which account(s) or password(s) of yours have been pwned, you'll need to find out yourself.
23 Nov 2018
Insecure deserialization was recently added to OWASP's list of the top 10 most critical web application security risks, yet it is by no means a new vulnerability category. For years, data serialization and deserialization have been used in applications, services and frameworks, with many programming languages supporting them natively. Deserialization got more attention recently as a potential vehicle to conduct several types of attacks: data tampering, authentication bypass, privilege escalation, various injections and, ultimately, remote code execution. Two prominent vulnerabilities in Apache Commons and Apache Struts, both allowing remote code execution, also contributed to raising awareness of this risk.
There was a storm of talks and publications on the subject back in 2015-2016, but relatively few recently. While deserialization is a well researched class of vulnerabilities, and there is a lot of information out there, many non-security folks still don't understand it well enough, which leads to new vulnerabilities in the code. We need to continually educate on the subject. I presented on this topic three times this year: at OWASP Portland, at Portland Java User Group, and at AppSec USA 2018.
21 Jun 2017
One of my favorite things to do around Christmas is to participate in SANS Holiday Hack Challenges. These challenges are a fun way to learn and practice hacking skills. They are released once a year around Christmas and cover a broad range of technologies, tools and hacking techniques. Aside from the high quality of the exercises in an extremely gamified environment, these challenges are: 1) absolutely free; 2) available indefinitely, so folks can play year-round, going back to past challenges as they wish.
The 2016 challenge included many tasks such as reverse engineering a mobile application, Linux hacking, password cracking, network dump analysis and, of course, web application hacking. One of the web sites had a vulnerability allowing an attacker to modify their session cookie to escalate privileges from guest to administrator. This was trivial to accomplish after getting possession of the application’s source code along with the hardcoded encryption key. But what if the key was not known?
This article will demonstrate a practical attack on RC4 ciphertext to make controlled changes in the decrypted plaintext without knowing the encryption key. The technique relies on certain properties of stream ciphers.
20 Apr 2017
Apache Struts and Equifax: real life consequences
9/14/2017 Update: The Apache Struts vulnerability discussed in this blog was found to be the flaw that led to the Equifax data breach. While hacking games are fun, it's a reminder that legitimate applications have these vulnerabilities, with real-life consequences and extremely high stakes. For more details on the Apache Struts vulnerability and a hackathon where we used it to own an application server, continue reading.
A few weeks ago my friend (1) and I attended a hackathon sponsored by a local ISSA chapter (2). The hackathon was a hands-on event where participants learned about common web application vulnerabilities in a fun, gamified environment. The technical platform for this hackathon was provided by Security Innovation (3).
At the end of the event, the two of us finished first and second, with nearly half of the available points each. Security Innovation, however, graciously kept the game open for a few more days to give the participants an opportunity to continue to play and learn.
We used this opportunity to find and exploit more vulnerabilities in the application, and ultimately discover the one that allowed us to completely own the application server.