Archive for the ‘Security’ Category

Vulnerabilities in Adobe Flash Content

December 23rd, 2007

This is really serious.

Researchers from Google have documented serious vulnerabilities in Adobe Flash content which leave tens of thousands of websites susceptible to attacks that steal the personal details of visitors.

The security bugs reside in Flash applets, the ubiquitous building blocks for movies and graphics that animate sites across the web. Also known as SWF files, they are vulnerable to attacks in which malicious strings are injected into the legitimate code through a technique known as cross-site scripting, or XSS. Currently there are no patches for the vulnerabilities, which are found in sites operated by financial institutions, government agencies and other organizations.

The attack scenario works something like this:

A bank website hosts marketing graphics in the form of a vulnerable Flash applet. Attackers who trick a customer into clicking on a malicious link are able to execute the SWF file but inject malicious code variables that cause the customer’s authentication cookies or login credentials to be sent to the attacker.

Even worse, Adobe still hasn’t released a patch to fix this security hole. The current release from Adobe doesn’t fix the vulnerabilities, but they’re still working on it together with the researcher from Google. So guys, keep updating your Flash Player.

Eris Ristemena Security

SWF Intruder

December 5th, 2007

Hey, this is pretty useful: SWF Intruder, a tool for analyzing and testing the security of Flash applications.

How many of you still think about security when you develop Flash applications? My experience with Flash, and ActionScript in particular, is that I’m happy enough to see it work as I expected, never mind thinking about security. Yeah, this tool is helpful.

Anyway, SWF Intruder is a web application (using the web as its UI) written by Stefano Di Paola and developed using ActionScript, HTML and JavaScript. So it only analyzes the security of Flash applications in a web environment, not in the form of a desktop application (projector).

It scans for security issues like Cross Site Scripting and Cross Site Flashing. To understand more about how it works and the methodology used, you’d want to read Testing Flash Application and Finding Vulnerabilities in Flash Applications.

By the way, it doesn’t work on Opera; I’ve tested it. Try Firefox.

Eris Ristemena Security

Planet Web Security

June 30th, 2007

Another planet you don’t want to miss, especially if you care enough about web app security: Planet Web Security.

Get the RSS feed here.

Eris Ristemena Security

Top 15 free SQL Injection Scanners

May 20th, 2007

The security hacks blog has a summary of the top 15 free SQL injection scanners. I haven’t tested them all, but I know it would be useful.

Eris Ristemena Security

SQL Injection Cheat Sheet

March 17th, 2007

Alright, kids. Bookmark this, a useful SQL injection cheat sheet. Currently only for MySQL, Microsoft SQL Server, some Oracle and some PostgreSQL.

Good for your own protection. And please don’t try to do anything stupid to others, ok!

Eris Ristemena Security

Dangers of CSRF and XSS

March 11th, 2007

Ilia has once again shared an excellent article about web security here. The article covers two well-known security threats, CSRF and XSS: how malicious hackers carry them out, how to prevent them, and, most importantly, why the common solutions we think have solved the problem don’t actually work.

Eris Ristemena PHP, Security

Against the System: Rise of the Robots

November 25th, 2006

…big difference between the web and traditional well controlled collections is that there is virtually no control over what people can put on the web. Couple this flexibility to publish anything with the enormous influence of search engines to route traffic and companies which deliberately manipulating search engines for profit become a serious problem.

That quote is from Sergey Brin and Lawrence Page’s paper about the prototype of the Google search engine, which at the time was at http://google.stanford.edu/.

But I don’t think either Brin or Page would have expected that their invention could bring another problem, one that emphasizes what they meant by “no control over what people can put on the web”.

Yesterday’s post on the Securiteam blog shows us that people can use Googlebot to attack other websites anonymously.

The idea is quite simple: all you have to do is create a malicious website that contains links attacking a web application (CSRF), like this:

http://the-target.com/csrf-vulnerable?url=http://maliciousweb.com/attackcode

and submit this to Google. When Googlebot comes to your website and finds this link, it will dutifully try to index the URL. And when it does... bang! The robot does the job for you, attacking your target.

This is not a new idea, though. Michal Zalewski wrote about this in 2001 under the title “Against the System: Rise of the Robots”. His introduction tells us the whole idea:

Consider a remote exploit that is able to compromise a remote system without sending any attack code to his victim. Consider an exploit which simply creates local file to compromise thousands of computers, and which does not involve any local resources in the attack. Welcome to the world of zero-effort exploit techniques. Welcome to the world of automation, welcome to the world of anonymous, dramatically difficult to stop attacks resulting from increasing Internet complexity.

However, this kind of attack is not only Googlebot’s problem. Other search engine bots, like MSN, Yahoo and dozens of others, have the same ability to do the dirty job for you.

So who’s to blame? Surely, the bad guy who runs the original website. Although you can also put the blame on the owners of the victim websites, who ignore the security factor and leave all their pages open to any bot for a higher PageRank.
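One way the owner of a target site could keep a crawler-followed link like the one above from triggering anything, shown as an added example (not code from this post or from the Securiteam article). The function name, the allow-list and the token scheme are assumptions made for illustration.

```python
import hmac
import secrets
from urllib.parse import urlsplit, parse_qs

# Hypothetical policy: hosts a 'url' parameter is allowed to point at.
ALLOWED_URL_HOSTS = {"the-target.com"}
# Methods that must never change state; a crawler following a link sends GET.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS"}


def new_csrf_token() -> str:
    """Random per-session token, embedded only in the application's own forms."""
    return secrets.token_urlsafe(32)


def check_request(method, request_url, session_token=None, submitted_token=None):
    """Return (allowed, reason) for a request to a state-changing endpoint."""
    # 1. A bot that indexes a link issues a GET: refuse to act on it at all.
    if method.upper() in SAFE_METHODS:
        return False, "state change requested with a safe method"
    # 2. A forged cross-site POST cannot know the token tied to the session.
    if not session_token or not submitted_token:
        return False, "missing CSRF token"
    if not hmac.compare_digest(session_token, submitted_token):
        return False, "CSRF token mismatch"
    # 3. Any 'url' parameter must use http(s) and name a trusted host.
    for value in parse_qs(urlsplit(request_url).query).get("url", []):
        parts = urlsplit(value)
        if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_URL_HOSTS:
            return False, "url parameter points to an untrusted host"
    return True, "ok"


# The link from the post, as a crawler would request it: no session, no token.
CRAWLED_LINK = "http://the-target.com/csrf-vulnerable?url=http://maliciousweb.com/attackcode"
# Constructed sample of a legitimate request to the same endpoint.
LEGIT_LINK = "http://the-target.com/csrf-vulnerable?url=http://the-target.com/logo.png"

if __name__ == "__main__":
    token = new_csrf_token()
    print(check_request("GET", CRAWLED_LINK))            # rejected: safe method
    print(check_request("POST", CRAWLED_LINK, token, token))  # rejected: untrusted host
    print(check_request("POST", LEGIT_LINK, token, token))    # allowed
```
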

Eris Ristemena Security