Sla.ckers.org
Where you should disclose your vulnerabilities. Go read RFPolicy if you want to do responsible disclosure, and go here for when all else fails. 
Re: Network World
Posted by: eyeced
Date: February 16, 2007 12:38PM

To be honest, I'm kinda with jungsonn on this one: to make any sort of XSS profitable it would have to be done on such a large scale, for example a mass phishing attack, which would give the attacker a 'possibility' of gaining sensitive information from the victims.

Let's say an account login form: even if the attacker uses a proxy and hosts the fake pages on a site that is not traceable back to them, they still take the risk, and at best they may end up with a scam that could work, but how reliable would it be in persuading a decent majority of the users to give up every bit of credit card information they had?

The risk in launching a large-scale phishing attack aimed at the users of a large bank/company would be nearly as great (in some countries) as actually accessing the server itself, and surely if you are willing to take the risk of 5 years in prison for some XSS, then why not extend this to 7 years for the chance of getting thousands of definite credit card details by actually accessing the database?

XSS may be a nice exploit in the site security, but to what extent can you actually justify that it would be worth the risk rather than 'cracking' the security of the actual server which the site is hosted on?

To be fair to digital64, I think he made a valid point about the filtering, and this is where the site security would cross over into a real issue for gaining access to the server: with a lack of validation it could lead to RFI, which could in turn mean that with little effort the attacker could have access to the server.

Re: Network World
Posted by: rsnake
Date: February 16, 2007 05:28PM

There is usually more than one type of user on any given system. I'm not just talking about stealing information from random people off the internet. I can also steal information from users of the system. I know you guys think this is impossible, but really, it's way easier than you guys are making it out to be. This doesn't have to be large scale. But on to the important meat of what you guys are saying:

While the point is valid (not IF it can be done but WOULD it be done), that's not what Acunetix is claiming. They are not saying 70% of sites WILL get abused, but that they COULD be abused. See the difference? If someone decided to use any one of those sites as a target, they COULD. Does that represent a real business risk? In lots of cases no, because no one goes to those sites, they aren't trusted, and the site is below the bad-guy radar. Does it mean it should get fixed? It's a toss-up; in most cases not, since the cost to fix is way higher than the potential risk. That doesn't mean it's secure, it just means it's not a high-value target.

If I have a crappy password on some unknown e-commerce site does that mean someone is going to guess it randomly out of all the passwords on the entire internet and all of the users on the system? No. Does it mean it's secure? Only by statistical probability. Will I use a secure password anyway? Yes.

- RSnake
Gotta love it. http://ha.ckers.org

Re: Network World
Posted by: jungsonn
Date: February 17, 2007 04:53AM

BTW

Acunetix sent me a full copy of their scanner yesterday; this weekend I will be testing their merch. I had a little test on my own server, and it really doesn't look promising. I get a lot of false positives (7) and zero vulnerabilities. Now, I'm busy with it. But I really hope, for their sake, that they didn't count the false positives into the 70% figure too; if that is the case, they are way out of bounds.

Re: Network World
Posted by: nEUrOO
Date: February 17, 2007 10:38AM

Well, if you want to test and get the same kind of result as Acunetix, you should test Acunetix WVS on applications other than yours, because you know web security, so this is kinda biased.
If you want to reproduce the 70%, scan a web app from the wild, but not a really famous one...

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher

Re: Network World
Posted by: eyeced
Date: February 17, 2007 12:50PM

My post was not directly related to the Acunetix comments, just that the majority of XSS is based on the idea that you could POSSIBLY get information from victims of the company, whereas an attack on the server would almost guarantee results. While the initial prospect of XSS is not that worrying, it is the deeper research into XSS that can become quite alarming, such as 'drive-by pharming' and the ability to track users' actions across many websites, which could mean very little convincing is needed for the users to hand over sensitive information. On the surface it would seem that simply gaining access to the server would give you the sensitive information, so why bother with XSS; but with XSS/CSRF, as many posts in this forum show, it's not just about simple fake login pages and alert boxes, it's thinking deeper and very far out of the box. While I did not mean to totally dismiss XSS, I still believe that it would be far more practical to access the server for sensitive user details rather than use XSS.

Re: Network World
Posted by: jungsonn
Date: February 17, 2007 07:51PM

@nEUrOO Yeah, that is exactly right!

Ghehe, only one problem. I tried it some more, and the scanner sent around 500 e-mails through the mail form on my corporate website. Ugh! It crashed my Linux mail reader. Ghe.. that's the risk of testing, and it's hard to test it on other sites without flooding them with SPAM. I really can't guess why they built some mail stuff into it, really.

I'll be making some screenshots and test results soon; I can try to ask a few clients of mine to be subjected to it.

Re: Network World
Posted by: nEUrOO
Date: February 17, 2007 07:59PM

Yup, if you've never used a web app scanner before:
- never use it on a production server until you know exactly what you're doing (well, with Acunetix WVS it's more okay than with other famous ones)
- be careful about the number of threads and the flooding of your network

nEUrOO -- http://rgaucher.info -- http://twitter.com/rgaucher

Re: Network World
Posted by: blad3
Date: February 19, 2007 01:49AM

Hi jungsonn,

First, I need to specify that I work for Acunetix.

I really don't understand what you want to say with "I really can't guess why they build some mailstuff into it, really"

The automated scanner is just submitting forms. If it's a mail form, the server will send an email for every test.

It cannot guess that it's a mail form, but we have options to prevent this. It's possible to exclude directories from testing, it's possible to exclude files, and it's possible to exclude parameters/cookies from testing.

BTW, I sent you an email earlier about the false positives from the scanner.
If possible, could you please send me more information about them? I cannot directly scan your website. We will try to solve them, if possible.

Thanks

Re: Network World
Posted by: jungsonn
Date: February 19, 2007 07:28PM

Hi blad3

I'm on a project deadline now, so it's gonna be late this week before I have enough time to analyse my own results.

But I'll be back on this one for sure.

The false positives contained:
1. some PHP libraries which are old; well, that's fine, but I don't use those libraries, so they cannot be exploited.
2. old Apache version - same issue.
3. And what we easily forget: the newest isn't the best per se.

But did they count those also into the "media" scan results?


About that mail stuff, yeah, I don't understand it. It's really overdue, in my eyes, to send one e-mail for each XSS vector. To my knowledge, with a few simple tests you can cover each potential vulnerability. I escape everything in mail forms, so it just hits the fan.

I guess you try to cover the mail form result which some sites echo back to the page after submitting? Like:

Your name: name *xss vector*
You said: this mail content. *xss vector*

But I think I can limit the possible vectors to, let's say, 20. In fact, to determine the sentinel value, one can easily cope with only sending the chars needed for JavaScript: <>{}. If the filter breaks on those, you can flag the sentinel value for e-mail/form as exploitable, IMHO.

But I'm talking too soon. Later this week I'll again have some time to fully write an article about it.

Re: Network World
Posted by: blad3
Date: February 20, 2007 02:05AM

Hi jungsonn,

Good luck with your project.

1. We are not testing for PHP libraries. The alerts you are talking about (looking at your banner) are
PHP Zend_Hash_Del_Key_Or_Index vulnerability
PHP HTML Entity Encoder Heap Overflow Vulnerability
These are very important problems reported by Stefan Esser that are affecting PHP.
At least the first one affects a large number of PHP applications.
http://www.hardened-php.net/hphp/zend_hash_del_key_or_index_vulnerability.html

2 & 3. We are not checking if you have the latest version of Apache. We are checking if you have an older version where vulnerabilities were reported.
From my point of view it is very important to know these types of issues. Even if you are not using "some PHP libraries which are old".
First: A normal person cannot be aware of all the APIs used by all the applications installed on their web server.
Second: Maybe in the future you will need to update/extend your applications and you may become vulnerable.

Yes, I think these alerts were included in the "media" scan results.

We are not checking just for XSS issues but for a lot of parameter validation problems and all of these tests are submitting your mailform.

Your idea about the sentinel value sounds good in theory. This was our initial idea. However, there are a lot of problems with it.
First, it will generate a lot of false positives.
Second, it will miss a lot of stuff. Example " onmouseover="alert('xss')
It will also miss double-encoded vectors, UTF-7, base64 encoded, ASP.NET Unicode Character Conversion XSS, ...

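Added example, not code from the thread, from Acunetix or from any of the posters: a small Python harness that models the mail-form echo jungsonn describes (the submitted name reflected back into the confirmation page) and runs both probing strategies against it. The sentinel probe sends only `<>{}` and flags the form if those characters come back unencoded; blad3's counter-example `" onmouseover="alert('xss')` contains none of those characters, so a filter that strips only `<>{}` lets it through untouched, and once the reflected value sits inside a quoted attribute the injected quote closes the attribute and the event handler lands. The form handler, the `naive_filter`, the function names and the regexes are all constructed for this illustration; `hardened_confirm_page` shows the context-aware escaping (`html.escape` with `quote=True`) that closes the hole, and `attribute_sentinel_says_vulnerable` shows the minimal fix to the probe itself: the sentinel has to contain the delimiter of the context it is reflected into.

```python
import html
import re

# Constructed toy mail-form handler (example code, not any real product's logic).
# The submitted "name" is echoed back twice: in text context and inside a
# double-quoted attribute value, which is the case that matters below.


def naive_filter(value: str) -> str:
    """Strip exactly the characters the <>{} sentinel probe would send."""
    return re.sub(r"[<>{}]", "", value)


def vulnerable_confirm_page(name: str) -> str:
    """Filters <>{} but does no context-aware escaping."""
    safe = naive_filter(name)
    return (
        "<p>Your name: " + safe + "</p>\n"
        '<input type="text" name="name" value="' + safe + '">'
    )


def hardened_confirm_page(name: str) -> str:
    """html.escape(quote=True) encodes < > & \" ' so the value cannot break
    out of either the text node or the double-quoted attribute."""
    safe = html.escape(name, quote=True)
    return (
        "<p>Your name: " + safe + "</p>\n"
        '<input type="text" name="name" value="' + safe + '">'
    )


# Probes (constructed for this example).
TAG_SENTINEL = "zz<>{}zz"                     # the <>{} idea from the thread
ATTR_SENTINEL = 'zz"zz'                       # adds the attribute delimiter
ATTR_BREAKOUT = "\" onmouseover=\"alert('xss')"  # blad3's counter-example


def tag_sentinel_says_vulnerable(page_fn) -> bool:
    """Flag only if the raw <>{} characters survive in the response."""
    return "<>{}" in page_fn(TAG_SENTINEL)


def attribute_sentinel_says_vulnerable(page_fn) -> bool:
    """Flag if a raw double quote is reflected inside value=\"...\"."""
    return 'value="zz"zz"' in page_fn(ATTR_SENTINEL)


def attribute_breakout_succeeds(page_fn) -> bool:
    """True if the payload produced a fresh onmouseover attribute, i.e. the
    injected quote terminated the original value=\"\" string."""
    out = page_fn(ATTR_BREAKOUT)
    return re.search(r'value=""\s+onmouseover="alert\(\'xss\'\)"', out) is not None


def run_probes() -> dict:
    """Run all three probes against both handlers; returns a nested dict."""
    results = {}
    for label, page_fn in (("vulnerable", vulnerable_confirm_page),
                           ("hardened", hardened_confirm_page)):
        results[label] = {
            "tag_sentinel": tag_sentinel_says_vulnerable(page_fn),
            "attr_sentinel": attribute_sentinel_says_vulnerable(page_fn),
            "attr_breakout": attribute_breakout_succeeds(page_fn),
        }
    return results


if __name__ == "__main__":
    for label, res in run_probes().items():
        print(label, res)
```

On the vulnerable handler the `<>{}` probe reports nothing (the filter strips those four characters, so the check that looks for them never fires) while the attribute payload actually executes; only a probe that carries the attribute delimiter catches it. On the hardened handler every probe comes back clean, because the escaping is tied to the output context rather than to a blacklist of characters. Double-encoded, UTF-7 and charset-conversion vectors from blad3's list are not modelled here; each of those is a further case where the reflected bytes differ from the bytes sent, so a probe has to inspect what the server emits, not just whether its own literal characters survived.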