Sunday, November 23, 2008

WebSlayer at Pauldotcom podcast


Last week Matt Tesauro from OWASP pointed out to me that WebSlayer was reviewed on the show "PaulDotCom", a Security Weekly podcast.


The MP3 of the show can be downloaded here

You can also find the episode notes here


I recommend this podcast: it is very interesting, they talk a lot about penetration testing topics, and it is really useful and very entertaining.

They liked the tool, which is a good sign and good feedback.

I'm waiting for the next episode :)

-CMM

Wednesday, November 19, 2008

Clickjacking Demo

A lot of buzz has been flowing around the net in the last few months about a new type of vulnerability known as "ClickJacking" or "UI redressing". The vulnerability is a variant of Cross-Site Request Forgery (CSRF). The idea is simple; here is an explanation found on www.webmonkey.com:

"The basic idea is that an attacker loads the content of an external site into the site you’re visiting, sets the external content to be invisible and then overlays the page you’re looking at. When you click a link you see on the current page, you are in fact clicking on the externally loaded page and about to load pretty much whatever the attacker wants."

Well, it seems pretty easy and clear, but if you want to see an attack in action, check out this demo at GUYA.NET, where an attacker controls the victim's camera through a ClickJacking attack.

Some of you might be wondering how you can protect against it. The latest version of NoScript (a Firefox plugin that provides protection against XSS) adds protection against ClickJacking.
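The overlay trick only works when the target site lets another origin frame it, so besides a client-side plugin the site itself can refuse to be framed. Added here as an example (not part of the original post or of NoScript), this Python check reads a page's response headers and decides whether an arbitrary third-party site may frame it, using the X-Frame-Options and CSP frame-ancestors headers that sites publish for exactly this purpose; the sample header sets are constructed.

```python
import re
from collections import defaultdict

def parse_headers(lines):
    """Map lowercase header name -> list of values, from 'Name: value' lines."""
    headers = defaultdict(list)
    for line in lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()].append(value.strip())
    return headers

def frame_ancestors(policy):
    """Source list of a CSP policy's frame-ancestors directive, or None."""
    for directive in policy.split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            return tokens[1:]
    return None

def allows_any_ancestor(sources):
    """Only '*' or a bare scheme such as https: lets any origin frame the page;
    'none', 'self' and host sources restrict it."""
    return any(s == "*" or re.fullmatch(r"https?:", s, re.I) for s in sources)

def framable_by_third_party(lines):
    """True if an unrelated origin may load this response in a frame."""
    headers = parse_headers(lines)
    # Every CSP header, and every comma-separated policy inside one, is
    # enforced, so framing is possible only if none of them restricts it.
    policies = [p for v in headers["content-security-policy"] for p in v.split(",")]
    lists = [l for l in map(frame_ancestors, policies) if l is not None]
    if lists:
        # frame-ancestors takes precedence and X-Frame-Options is ignored.
        return all(allows_any_ancestor(l) for l in lists)
    xfo = {v.strip().lower() for v in headers["x-frame-options"]}
    # DENY and SAMEORIGIN block third-party framing. ALLOW-FROM is not
    # understood by current browsers, so it gives no protection; conflicting
    # values are treated as no protection either.
    return not (len(xfo) == 1 and xfo <= {"deny", "sameorigin"})

# Constructed sample responses.
SAMPLES = {
    "unprotected": ["Content-Type: text/html"],
    "denied": ["Content-Type: text/html", "X-Frame-Options: DENY"],
    "csp_wins": ["X-Frame-Options: DENY", "Content-Security-Policy: frame-ancestors *"],
    "partner_only": ["Content-Security-Policy: default-src 'self'; frame-ancestors https://partner.example"],
}
```

Run `framable_by_third_party` over the headers of your own pages: any page that returns True and carries a clickable state-changing action is a candidate for the attack described above.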

Be careful where you click ;)

CMM-

Tuesday, November 11, 2008

Memoryze - Memory forensic tool

Jamie Butler presented the Memoryze tool at HITB 2008; it is intended to help incident responders find evil in live memory.

"Memoryze can acquire and/or analyze memory images, and on live systems can include the paging file in its analysis."

Memoryze site
Here are some use cases

-CMM

Sunday, November 9, 2008

OWASP EU SUMMIT is over


Wow, what a great event. I returned from Algarve, Portugal on Saturday morning. I met a lot of interesting people and had a very good time.

On Thursday morning I gave my presentation about WebSlayer. I started 4 talks ahead of schedule, so they caught me a little off guard. Everything went smoothly after I managed to make the microphone work :P

There were 2 other guys from Argentina: Arturo "Buanzo" Busleiman, a very well known security expert, and Fabio Cerrullo, a great person.

The place was very beautiful, but I didn't have enough time to visit the city; we were working from 8:00 to 20:00, which was really exhausting but fruitful.

Giorgio Fedon pulled together a good working group on Web Malware; the idea was to start working on a document describing the different kinds of web attacks that malware uses, and how a company can protect against them.

On Thursday night the OWASP Band played some great tunes; it was incredible how good they were, taking into account that they had never played together!

Seven committees were created to tackle different projects and issues. This is very interesting because a layer of middle management was needed to handle all the heavy work and organization.

Regards to everyone who made this possible, especially Paulo Coimbra and Dinis Cruz, because without their effort this wouldn't have happened.

The full results of the summit will be captured and released as a report from OWASP in the next few weeks.

Now there is a lot of work to do :)

-CMM

Kiosk hacking

Have you ever found yourself trapped in an internet kiosk? Those machines with customized software (most of them running Windows) that only allow you to browse the net, print and maybe save a file to a thumb drive? I always had my kiosk cheatsheet, but now Paul Craig has released I-KAT, a website that aims to hack a kiosk in under 120 seconds. I read his presentation at HITB and I really liked some of his tricks; he found lots of security bypasses on the most used kiosks around the world.

Some of the tricks:

Invoking a command line without executing cmd.exe:

-command.com
-loadfix.com start.exe
-win.com
-start loadfix.com cmd.exe
-%COMSPEC%
-sc create testsvc binpath= "cmd /K start" type= own type= interact

There are many combinations of these, and he found 17 cmd.exe detours.

Another cool trick is embedding cmd.exe inside an Office document (doc, docx, xls, xlsb, xlsm, xlsx); when you open the file, the "Open Package Contents" dialog pops up.

Most of the bypasses work because of the use of blacklists; people still don't get that blacklists are dangerous...
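To show why the blacklist approach fails, here is an added example (not from the post or from I-KAT) that runs the launch strings listed above through two toy kiosk policies in Python: a deny list that blocks cmd.exe by name, and an allow list of the programs the kiosk actually needs. The allowed path, the environment and the sample launch strings are constructed for the example.

```python
import ntpath
import re

# Deny list as many kiosk lockdowns implement it: block cmd.exe by name.
DENYLIST = {"cmd.exe"}

# Allow list: the only program a browse-only kiosk needs (constructed path).
ALLOWLIST = {r"c:\program files\internet explorer\iexplore.exe"}

# Constructed environment standing in for the kiosk's real one.
ENV = {"COMSPEC": r"C:\WINDOWS\system32\cmd.exe"}

# Launch strings typed into a Run or file-open dialog: the cmd.exe detours
# listed in the post, plus cmd.exe itself as the one case the deny list sees.
LAUNCH_ATTEMPTS = [
    "cmd.exe",
    "command.com",
    "loadfix.com start.exe",
    "win.com",
    "start loadfix.com cmd.exe",
    "%COMSPEC%",
    'sc create testsvc binpath= "cmd /K start" type= own type= interact',
]

def expand_env(s, env=ENV):
    """Expand %VAR% references the way the shell would."""
    return re.sub(r"%(\w+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), s)

def program_of(cmdline):
    """The program is the first token: a double-quoted string, or the text up
    to the first space (CreateProcess is more lenient with unquoted paths)."""
    cmdline = cmdline.lstrip()
    if cmdline.startswith('"'):
        return cmdline[1:].split('"', 1)[0]
    return cmdline.split()[0]

def denylist_allows(cmdline):
    """Literal-basename check: command.com, start, sc and %COMSPEC% all pass."""
    return ntpath.basename(program_of(cmdline)).lower() not in DENYLIST

def allowlist_allows(cmdline):
    """Expand variables, normalise the path and require an exact match with a
    permitted program; anything unknown is denied by default."""
    prog = ntpath.normpath(program_of(expand_env(cmdline))).lower()
    return prog in ALLOWLIST

def bypasses(policy, attempts=LAUNCH_ATTEMPTS):
    """Attempts the given policy would let run."""
    return [a for a in attempts if policy(a)]
```

`bypasses(denylist_allows)` returns six of the seven strings, while `bypasses(allowlist_allows)` returns none; every new detour Paul Craig finds extends the first list and leaves the second unchanged.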

I recommend checking the I-KAT site and Paul Craig's presentation to get all the tricks:

HITB presentation
I-KAT website
Portable tool

-CMM

Wednesday, November 5, 2008

Defcon 16 videos and HITB 2008 presentations

The presentations from HITB are ready for download, and there is very good quality material. There are two presentations about OS X security: one from Dino Dai Zovi about exploiting OS X and another from the Grugq about anti-forensics on OS X. Check them here:

http://conference.hitb.org/hitbsecconf2008kl/materials/

And here are some Defcon 16 videos:

Brenno De Winter - Ticket to Trouble

http://media.defcon.org/dc-16/video/dc16_dewinter_tickettotrouble/dc16_dewinter_tickettotrouble_full.mov
http://media.defcon.org/dc-16/video/dc16_dewinter_tickettotrouble/dc16_dewinter_tickettotrouble.m4v

Dan Kaminsky - DNS Goodness

http://media.defcon.org/dc-16/video/dc16_kaminsky/dc16_kaminsky_cache_full.mov
http://media.defcon.org/dc-16/video/dc16_kaminsky/dc16_kaminsky_cache.m4v

Anton Kapela and Alex Pilosov - Stealing the Internet

http://media.defcon.org/dc-16/video/dc16_kapela-pilosov_stealing/dc16_kapela-pilosov_full.mov
http://media.defcon.org/dc-16/video/dc16_kapela-pilosov_stealing/dc16_kapela-pilosov.m4v

Mike Perry - 365 Day: Active HTTPS Cookie Hijacking

http://media.defcon.org/dc-16/video/dc16_perry_TOR/dc16_perrry_TOR_full.mov
http://media.defcon.org/dc-16/video/dc16_perry_TOR/dc16_perrry_TOR.m4v

More videos to come in the next months

CMM-

Sunday, November 2, 2008

WebSlayer released

Hi all, I'm pleased to announce the release of WebSlayer, the web application brute forcer.

I'm working on the presentation for the OWASP EU Summit 2008, and I created the WebSlayer project site at OWASP.

The first version released is only for Windows, but the source for Linux and OS X will be ready this week. Ubuntu 8.10 includes the python-qt4 version needed to run WebSlayer :)

Well now WebSlayer is officially an OWASP project :)

I hope you find it useful for your engagements

Stay tuned for the next release, which will be packed with new features and improvements!

CMM-

Wfuzz 2.2.0 released

I'm pleased to announce a new version of WFuzz! Wfuzz has been created to facilitate the task in web applications assessments and it...