2008

Cookie forcing

Scary Beasts Security

It's time to write some coherent details about "cookie forcing", the name I've given to a new way of attempting to break into secure https sessions. This is surfjacking to the max: attacks an active MITM (man-in-the-middle) can attempt against an https application that follows best practices like marking its cookies secure, avoiding XSS and XSRF, etc.
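
The attack the post describes, modelled with Python's http.cookiejar as an added example (this is not code from the post; the bank.example host, the cookie values and the policy subclass are constructed for the demonstration). The jar stands in for a browser cookie store of the time: cookies are keyed only by (domain, path, name) with no record of which scheme set them, so a Set-Cookie that an active MITM injects into any plain-http response for the host silently replaces the Secure session cookie. The subclassed policy shows the "plain http may not overwrite a Secure cookie" rule that browsers only adopted years later.

```python
"""Cookie forcing modelled with http.cookiejar (constructed example).

Host name, cookie values and the hardened policy are invented here; the
jar's default behaviour is what a 2008-era browser cookie store did.
"""
import email.message
import http.cookiejar
import urllib.request


class ConstructedResponse:
    """Just enough of an HTTP response for CookieJar.extract_cookies()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:
            self._headers.add_header("Set-Cookie", value)

    def info(self):
        return self._headers


def receive(jar, url, set_cookie_headers):
    """Feed the jar a response to `url` that carried these Set-Cookie headers."""
    request = urllib.request.Request(url)
    jar.extract_cookies(ConstructedResponse(set_cookie_headers), request)


def cookie_header_for(jar, url):
    """The Cookie header the jar would attach to a request for `url`."""
    request = urllib.request.Request(url)
    jar.add_cookie_header(request)
    return request.get_header("Cookie") or ""


def run_attack(jar):
    # 1. Victim logs in over https.  The app follows best practice: the
    #    session cookie is marked Secure (and HttpOnly), so it is never sent
    #    over plain http and the attacker cannot read it.
    receive(jar, "https://bank.example/login",
            ["SID=legit-session; Secure; HttpOnly; Path=/"])
    # 2. Active MITM.  Any plain-http request to the same host (a redirect,
    #    an <img>, a background fetch) is answered by the attacker with his
    #    own Set-Cookie.  No XSS or XSRF bug in the application is needed,
    #    and the attacker never sees the Secure cookie: he only overwrites it,
    #    because the jar keys cookies by (domain, path, name) alone.
    receive(jar, "http://bank.example/favicon.ico",
            ["SID=attacker-chosen; Path=/"])
    # 3. The cookie the victim's next https request now carries.
    return cookie_header_for(jar, "https://bank.example/account")


class SecureCookiesStayPolicy(http.cookiejar.DefaultCookiePolicy):
    """Refuse a plain-http Set-Cookie that would overwrite an existing Secure
    cookie of the same name and domain.  The default policy has no such
    check; browsers added an equivalent rule long after this post."""

    def __init__(self, jar):
        super().__init__()
        self.jar = jar

    def set_ok(self, cookie, request):
        if request.type != "https":
            for existing in self.jar:
                if (existing.secure and existing.name == cookie.name
                        and existing.domain == cookie.domain):
                    return False
        return super().set_ok(cookie, request)


def vulnerable():
    """Default policy: the forced cookie wins.  Returns 'SID=attacker-chosen'."""
    return run_attack(http.cookiejar.CookieJar())


def hardened():
    """Policy above: the forced cookie is dropped.  Returns 'SID=legit-session'."""
    jar = http.cookiejar.CookieJar()
    jar.set_policy(SecureCookiesStayPolicy(jar))
    return run_attack(jar)


if __name__ == "__main__":
    print("default jar sends to https:", vulnerable())
    print("hardened jar sends to https:", hardened())
```

With the default jar the https origin receives SID=attacker-chosen: the Secure flag kept the real cookie off the wire, but nothing stopped an http response from replacing it with a value the attacker knows. The policy above only protects a cookie that already exists as Secure; a session that has not yet set its cookie can still be seeded over http, which is why the post treats this as a browser-model problem rather than an application bug.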

Opera, SVGs and Java applets

Scary Beasts Security

Opera 9.63 was just released with some security fixes. I reported one of these issues, but neither I nor Tarquin (a super friendly and knowledgeable Opera security guy) could do anything significant with it, despite feeling uneasy about the feature. The issue is this: when an SVG image is included via an <img> tag, it is standard practice to disable running of JavaScript in that context.

Firefox cross-domain text theft, and a reappearance of the "302 redirect trick"

Scary Beasts Security

Here's the second bug from my PacSec presentation, and it's another Firefox one; kudos to the Firefox security team for their responsiveness. It's fixed in the recent 2.0.0.19 and 3.0.5 releases. It involves, yes, a cross-domain <script> tag. These remain a horrible wart in web app security; you have to make sure that any authenticated resource on your domain either does not have any side effects when parsed / executed as JavaScript, or is CSRF protected.

Owning the paranoid: browser background traffic

Scary Beasts Security

When I talk to a lot of security researchers or paranoid types, it's very common to hear them describe how they very carefully access their bank account or personal GMail etc. Generally, the model used is to launch a separate browser instance, and navigate straight to an https bookmark. The session remains single-window, single-tab. It's a powerful model; the intent is to eliminate the chance of another (http) tab being a vector for owning the browser, or more likely abusing a cross-domain flaw

E4X and a Firefox XML injection bug

Scary Beasts Security

Up-front credit to my colleagues Filipe Almeida and Michal Zalewski who led the way in E4X security research. If you haven't heard of E4X, or don't know why Firefox's E4X support should scare you, please consider reading this article. I've just released details for a recently fixed Firefox XML injection bug. It's one of those bugs that is in search of a good exploitation opportunity.

Firefox cross-domain image theft, and the "302 redirect trick"

Scary Beasts Security

Here's the first bug with full details from my PacSec presentation. It's fixed in the recent Firefox 2.0.0.18 update. Firefox 3 was never vulnerable. In a nutshell, decent modern browsers permit you to read the pixels from an image by rendering it to a <canvas> and calling the JavaScript APIs getImageData or toDataURL. Therefore, cross-domain checks are required on the usage of these APIs.

Some Python bugs

Scary Beasts Security

A little late on this report, but here are some Python runtime bugs I found back in May 2007: [link] Nothing too interesting. It continues to illustrate that modules backed by native code are a great way to break out of a VM. Also, image manipulation code remains a hot spot for integer overflows. The pickle bug is worth talking about. It has been known for trusted applications to unpickle untrusted data.
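
The pickle hazard the paragraph mentions, as an added example that is not from the post or the Python bug report. The untrusted stream is constructed: its REDUCE step calls builtins.eval on a harmless expression where a real payload would call os.system, and the RestrictedUnpickler follows the allow-list pattern from the pickle module documentation. The hand-assembled protocol-0 bytes show that no Python object is needed on the attacker's side at all.

```python
"""Unpickling untrusted data, and a restricted unpickler (constructed example).

pickle is a small stack machine, and its REDUCE opcode lets a stream name any
importable callable and call it with attacker-chosen arguments.  A trusted
application that unpickles untrusted data is therefore running attacker code.
The payload here evaluates "2 ** 16" so the example is safe to run; swapping
the global for os.system and the string for a shell command is the real thing.
"""
import collections
import io
import pickle


class Payload:
    """Attacker-controlled object: pickle serialises __reduce__'s
    (callable, args) pair and replays the call on load."""

    def __reduce__(self):
        return (eval, ("2 ** 16",))


def untrusted_bytes():
    """Bytes as they might arrive from a socket or a cache file."""
    return pickle.dumps(Payload())


# The same attack written directly in protocol-0 opcodes:
#   c GLOBAL builtins eval, ( MARK, S STRING, t TUPLE, R REDUCE, . STOP
HANDMADE_PAYLOAD = b"cbuiltins\neval\n(S'2 ** 16'\ntR."


def unsafe_loads(data):
    """What a trusting application does: the callable has already run by the
    time this returns its result."""
    return pickle.loads(data)


class RestrictedUnpickler(pickle.Unpickler):
    """Resolve only allow-listed globals; anything else fails before any call
    is made.  The allow-list is an example, not a complete one."""

    ALLOWED = {
        ("collections", "OrderedDict"),
        ("builtins", "set"),
        ("builtins", "frozenset"),
    }

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to resolve {module}.{name}")


def safe_loads(data):
    """Returns (True, obj) for an acceptable stream, (False, reason) otherwise."""
    try:
        return True, RestrictedUnpickler(io.BytesIO(data)).load()
    except pickle.UnpicklingError as exc:
        return False, str(exc)


def benign_bytes():
    """A legitimate stream that needs one allow-listed global (OrderedDict)."""
    return pickle.dumps(collections.OrderedDict(user="alice", ids=[1, 2]))


if __name__ == "__main__":
    print("unsafe, __reduce__ payload:", unsafe_loads(untrusted_bytes()))
    print("unsafe, handmade opcodes:  ", unsafe_loads(HANDMADE_PAYLOAD))
    print("restricted, payload:       ", safe_loads(untrusted_bytes()))
    print("restricted, benign:        ", safe_loads(benign_bytes()))
```

Note that a restricted find_class is a mitigation, not a sandbox: anything you allow-list is callable with attacker arguments, so keep the list to plain data types and prefer a format that cannot express calls at all (JSON) when the producer is untrusted.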

Ode to the bug that almost was

Scary Beasts Security

This post is a tribute to the hundreds of bugs that never quite were serious, and the emotional roller coaster ride on which they take researchers. Some brief background. The skill in finding serious bugs these days isn't in being a demon code auditor or a furious fuzzer; there are thousands of these. The skill lies instead in finding a piece of software, or a piece of functionality, that has the curious mix of being important yet not having seen much scrutiny.

Cross-domain leaks of site logins

Scary Beasts Security

Browsers suck. We're building our fortified web apps on foundations of sand. A little while back, I was talking with Jeremiah about an interesting attack he had for determining whether a user is logged into a given site or not. The attack relies on the target site hosting an image at a known URL for authenticated users only. It proceeds by abusing a generic browser cross-domain leak of whether an image exists or not -- via the onload vs. onerror JavaScript events.

A dangerous combination of browser features

Scary Beasts Security

As browsers gain more and more features, the possibility increases for interesting or dangerous interactions between these features. I was recently playing with a couple of new browser features -- <canvas> and SVGs -- and found a cross-domain leak in the development version of WebKit: [link] Fortunately, no production versions of the major browsers are affected - and forearmed with this information, they can keep it that way.

Buffer overflow in libxslt

Scary Beasts Security

libxslt is an interesting attack surface; there are various places in which it is used to process untrusted stylesheets. This includes some browsers, although namespace issues seem to prevent the affected code from being reached in a browser context. Within libxslt itself, there are some built-in functions. These are usually a fruitful place to look for vulnerabilities, particularly those that take integers etc.

On FTP, SSL and broken interfaces

Scary Beasts Security

Oh what a fun day I just had piecing together a few SSL changes for vsftpd! Let's start with a brief background on SSL. SSL provides not just secrecy but also integrity - an attacker cannot change your data stream in flight. This includes obviously changing data in the stream, and less obviously, truncating the stream. The interesting attack to truncate the stream is to fake a TCP packet with FIN set.

Lame OpenOffice PCX crash

Scary Beasts Security

Sorry for the lame vuln. It's something I was playing with over a year ago and I just happened to notice it got fixed. I forget what the original deal was. I'm only posting because this blog serves as an RSS feed for the scary.beasts.org main vuln list. [link] A more interesting OpenOffice observation is in the works.

Fancy an exploitation challenge?

Scary Beasts Security

So you think you're 1337? Check out these just released details of a buffer overflow in bzip2: [link] It looks pretty harmless, and it probably is... but I'd love for it not to be... if you think you have what it takes.

iPhone Safari update fixes old libxslt version

Scary Beasts Security

This story is both interesting and boring at the same time. Boring because I didn't find anything new -- I just noted the applicability of something old to Apple's Safari. I've made sure to credit the finder of the old bug that applies to Safari; unfortunately not everyone in the security industry credits the original finder of the bug when noting it applies to a new context.

Sun JDK image parsing vulnerabilities

Scary Beasts Security

The technical details for this pair of vulnerabilities can be found here: [link] These vulnerabilities follow on from my original advisory in this area: [link] There are lots of interesting sub-stories here. The first is that exploitation of the heap buffer overflows (in both the old and new advisories) relies on the fact that the JDK environment has a SEGV handler installed.

Buffer overflow in Ghostscript

Scary Beasts Security

Given the huge amount of attention given to xpdf (and derivatives), it is surprising that not as much attention has been given to Ghostscript. Most Linux desktops will render both PDF and PS files directly from the web. The attack surface of Ghostscript is huge. Not only is it a Turing-complete language[*], but it has a rich set of runtime operators and APIs.

Your FTP / SSL solution is really secure, right?

Scary Beasts Security

Well no, not really. Almost all real-world usage of FTP over SSL has problems whereby the FTP data connection can be stolen (resulting in stolen downloads or forged uploads). The problem is mainly with FTP clients - if you require end users to generate their own SSL certs and manually enable sending them to the server, you've already lost on usability grounds.

Sun JDK6 XXE protection broken

Scary Beasts Security

Sun released JDK6u4, which fixes a possibly nasty issue where one of the XXE protection methods for the default XML parser was broken. My advisory is at [link] Sun's advisory is at [link] Secunia picked it up at [link] Web services are obviously a key concern here. I haven't checked to see how the common web service frameworks do XXE protection. It's possible to ban DTDs outright, but I'd suspect more common would be to use the broken parser property [link] I'd love feedback on specific affected