Wednesday, 31 July 2013

MVC ModelBinding Vulnerability in Contoso University sample (first raw PoC)

While on the plane to Vegas, I looked at a number of ASP.NET MVC apps (ping me if you know of other good ones to look at (with publicly available source code)).

I was trying to find one that had good examples of MVC ModelBinding Vulnerabilities (aka overposting), in a real-world-kinda-way (I have found tons of MVC ModelBinding Vulnerability examples which usually get dismissed with a 'that is not the recommended way to code MVC controllers').

So I think I found a great example (of what not to do) on the Contoso University sample.

This application is explained in detail in this article Creating an Entity Framework Data Model for an ASP.NET MVC Application (1 of 10) and can be downloaded from http://code.msdn.microsoft.com/ASPNET-MVC-Application-b01a9fe8/view/SourceCode (as shown below, you can also get this from the official ASP.NET MVC website)
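The shape of the over-posting (mass assignment) problem, as an added illustration rather than code from the Contoso University sample. The Student entity is reduced to a few fields and the IsAdmin flag is an assumption standing in for whatever sensitive column a real entity carries; the vulnerable Edit action is the common "bind the whole entity" pattern, and the hardened version copies only the fields the form is meant to edit. The OverpostingProbe class shows how the same binding can be proven in a unit test (no web server needed), by pushing a constructed form through DefaultModelBinder exactly as the framework does on a POST.

```csharp
// Added illustration, not code from the Contoso University sample. The Student entity,
// the IsAdmin flag and the controller/test names are assumptions; the action shapes are
// the common ASP.NET MVC 3/4 patterns. Needs System.Web.Mvc and EntityFramework.
using System.Collections.Specialized;
using System.Data;
using System.Data.Entity;
using System.Globalization;
using System.Web.Mvc;

public class Student
{
    public int ID { get; set; }
    public string LastName { get; set; }
    public string FirstMidName { get; set; }
    public bool IsAdmin { get; set; }   // assumed sensitive field; the edit form never renders it
}

public class SchoolContext : DbContext
{
    public DbSet<Student> Students { get; set; }
}

public class StudentController : Controller
{
    private readonly SchoolContext db = new SchoolContext();

    // VULNERABLE: DefaultModelBinder fills every settable property from the request, so a
    // POST whose body carries an extra "IsAdmin=true" key (constructed, not on the form)
    // updates that column along with the legitimate fields.
    [HttpPost]
    public ActionResult Edit(Student student)
    {
        if (!ModelState.IsValid) return View(student);
        db.Entry(student).State = EntityState.Modified;
        db.SaveChanges();
        return RedirectToAction("Index");
    }

    // HARDENED: load the row the caller is allowed to touch and copy only the editable
    // fields. The include list makes any other posted key irrelevant. The parameter
    // attribute form, [Bind(Include = "LastName,FirstMidName")] Student posted, is the
    // equivalent whitelist for the action-parameter style.
    [HttpPost]
    public ActionResult EditSafe(int id, FormCollection form)
    {
        Student student = db.Students.Find(id);
        if (student == null) return HttpNotFound();
        if (TryUpdateModel(student, "", new[] { "LastName", "FirstMidName" }, form))
        {
            db.SaveChanges();
            return RedirectToAction("Index");
        }
        return View(student);
    }
}

// Unit-test style proof: bind a constructed form (with the un-rendered IsAdmin key)
// through DefaultModelBinder and read the result.
public static class OverpostingProbe
{
    public static Student Bind(NameValueCollection form)
    {
        var context = new ModelBindingContext
        {
            ModelMetadata = ModelMetadataProviders.Current.GetMetadataForType(null, typeof(Student)),
            ModelName = "",
            ValueProvider = new NameValueCollectionValueProvider(form, CultureInfo.InvariantCulture)
        };
        return (Student)new DefaultModelBinder().BindModel(new ControllerContext(), context);
    }

    // Returns true: the binder happily sets IsAdmin from the posted key.
    public static bool IsOverposted()
    {
        var form = new NameValueCollection   // constructed request body
        {
            { "ID", "1" }, { "LastName", "Alexander" }, { "IsAdmin", "true" }
        };
        return Bind(form).IsAdmin;
    }
}
```

A test that asserts `OverpostingProbe.IsOverposted()` is the kind of unit-test proof the later CartModelBinder post asks for; the same probe with `[Bind(Exclude = "IsAdmin")]` on the class returns false, which is the quickest regression test once a whitelist is added.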

Example of SQL Injection using Database.SqlQuery from GitHub (and idea for Cat.NET workflow)

After posting Another example why SAST technology needs custom rules (re: Detecting SQL Injection on .NET Entity framework) I did this search on GitHub, and found an example of that dangerous Database.SqlQuery API in use:
These ones allow callers to create SQL Injection (which means that whoever is consuming those APIs needs to be VERY careful)

Another example why SAST technology needs custom rules (re: Detecting SQL Injection on .NET Entity framework)

In Darren's great SQL Injection with Entity Framework 5 and Static Code Analysis post, he mentions how all SAST tools he used failed to find this security vulnerability:


The reason is simple: None of the tools he used had the Database.SqlQuery Method marked as a Sink (and btw last time I checked FxCop is not a SAST tool)

One of the things I wanted to do this week was to add a rules manager/editor to CAT.NET (see my current research on this SAST tool from Microsoft here), and this could be a good example (i.e. show how to write a custom CAT.NET rule to detect this security issue).
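What the sink looks like in practice, for both the GitHub find above and Darren's EF5 case: an added example (not the GitHub repository's code, not Darren's sample, and not CAT.NET rule syntax). SchoolContext and Student are assumed; the API is the real EF5/EF6 `DbContext.Database.SqlQuery<T>`, shown with the caller's string concatenated into the command text, then with the same call parameterised, then replaced by LINQ-to-Entities.

```csharp
// Added example; the repository and entity names are assumptions. Needs EntityFramework.
using System.Collections.Generic;
using System.Data.Entity;
using System.Linq;

public class Student
{
    public int ID { get; set; }
    public string LastName { get; set; }
}

public class SchoolContext : DbContext
{
    public DbSet<Student> Students { get; set; }
}

public class StudentRepository
{
    private readonly SchoolContext db = new SchoolContext();

    // VULNERABLE: the caller's string is spliced into the command text, so a lastName of
    //   ' OR 1=1 --
    // returns every row. This is the sink a custom SAST rule has to know about:
    // Database.SqlQuery, Database.ExecuteSqlCommand and DbSet.SqlQuery with a
    // non-constant first argument.
    public List<Student> FindByLastNameUnsafe(string lastName)
    {
        string sql = "SELECT * FROM dbo.Student WHERE LastName = '" + lastName + "'";
        return db.Database.SqlQuery<Student>(sql).ToList();
    }

    // SAFE: same API, but the value goes through a placeholder. EF rewrites {0} to a
    // DbParameter (@p0), so the text is sent separately from the statement and the
    // injection payload above is just an odd surname.
    public List<Student> FindByLastName(string lastName)
    {
        return db.Database
                 .SqlQuery<Student>("SELECT * FROM dbo.Student WHERE LastName = {0}", lastName)
                 .ToList();
    }

    // SAFEST: stay in LINQ-to-Entities, which always parameterises.
    public List<Student> FindByLastNameLinq(string lastName)
    {
        return db.Students.Where(s => s.LastName == lastName).ToList();
    }
}
```

For a rule engine the useful distinction is the first argument: a constant (or a string only ever built from constants) is fine, anything data-flowing from a parameter, request value or file is a finding, regardless of which of the three EF raw-SQL entry points it reaches.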

Email (outlook.com, gmail) should be stored on a git repository, with hashes used to detect account hijack

On the topic of being secure (and minimising account compromise) while using hostile networks (see Day 1 - made it to Vegas, start of ASP.NET MVC research and Trying to keep secure while at BlackHat and DefCon 2013) I started using outlook.com, and was wondering how I can detect if that account is hijacked (for example by somebody who has a root SSL cert and is sitting on the same wireless network that I'm on (currently at Starbucks using the Mirage WIFI))

So what happens if somebody sends an email from this account:



How could I detect it?

Day 1 - made it to Vegas, start of ASP.NET MVC research

So after an 18h flight (with a stopover in Toronto) I made it to Las Vegas. It was a really productive flight and I was finally able to spend some time focusing on really learning how ASP.NET MVC actually works.

I read a large section of the Professional ASP.NET MVC 4 book (by Wrox) which is a great way to quickly learn what can be done with MVC 4. Although still very light on security, that book is actually one of the best ones (of all the ASP.NET MVC books I have) at 'mentioning' security. Unfortunately, on the ModelBinding vulnerabilities (aka over-posting), there is very little to alert the reader to the dangers of MVC's ModelBinding.

Tuesday, 30 July 2013

Trying to keep secure while at BlackHat and DefCon 2013

Since the BlackHat and DefCon networks are getting more and more dangerous/compromised (and SSL doesn't mean much these days), this year I'm going to try to be more careful with my interweb and account activities.

So:
  • I'm only taking 1 Mac laptop which has a clean install of OS X (+ Fusion with clean Windows installs), which I will use for research on the presentation I'm doing at DefCon (on Sunday)
  • I'm not taking my real phone (I'm going to try to get a SIM card in the US which hopefully will work on an unlocked and factory-reset iPhone 4)
  • I'm not going to check my OWASP and SI emails while there, and am only going to use the temporary diniscruz_defcon@outlook.com account (I also have temp GitHub, Twitter and Blogger accounts)
So if you want to reach me, the best way is via diniscruz_defcon@outlook.com (which I will check regularly, but will expect to be a little bit compromised)

Any other ideas?

For the ones that are going, what other security measures are you taking?

Cya in Vegas

Tuesday, 23 July 2013

Version of O2Platform 5.3 released

I just pushed to GitHub a new version of the O2 Platform which has a massive Namespace rename and a number of new features


The NuGet packages can be consumed from http://www.nuget.org/packages?q=fluentSharp 

And the code is at https://github.com/o2platform  (with for example the FluentSharp commits available at: https://github.com/o2platform/FluentSharp/commits/master )

Let me know your views on it or if you find probs running it

Thanks

Friday, 19 July 2013

Nice business logic vulnerability and CSRF on the ASP.NET MVC Design Patterns book sample

Following a comment on this reddit thread I did a search for 'ASP.NET MVC Design Patterns' and found the site https://aspnetdesignpatterns.codeplex.com which is from the Wrox Professional ASP.NET Design Patterns book.

Since it looked like a nice MVC application, I grabbed a copy of the source code, upgraded it to .NET 4.0/MVC 4.0 (now on GitHub here) and had a quick look for MVC ModelBinding vulnerabilities.

And although it looks like the app is NOT vulnerable to MVC Model injections, that is mainly because there are very few controllers that use ModelBinding (i.e. that design pattern was not used (which, ironically, is my main recommendation for dealing with MVC ModelBinding Vulnerabilities: don't use Model Binding :)  )).

Thursday, 18 July 2013

Research on Azure WebSite security: Process Execution (cmd.exe, git.exe, node.exe, xyz.exe) and Folder Browsing (outside azure root)

Following the presentation I did a couple of weeks ago at the UK Azure user-group event (http://ukwaug.net/events/security-compliance/), here are my rough notes on my research (done over a couple of hours/days before the event)

Using DotNet_ANSA (see end of post for more info about this tool) I was able to show a number of security issues that exist with Azure Websites

BUT (Important disclaimer):
  • I was not able to see data from other Azure websites hosted on the same server (since I was limited by the IIS user account used)
  • This happens because of running .NET code under Full Trust (which is the default in most ASP.NET apps, since partial trust is dead now)
  • Although this is nothing new, I was surprised by the number of ASP.NET Azure specialists that were not aware that it was possible to (for example) browse files/folders outside the allocated folder and start new processes on the azure server
  • These are ‘Security Issues’ and ‘Areas of concern’ for Azure (and other) deployed websites.
  • These are not ‘Security Vulnerabilities’ since they happen by ‘design’
  • The key is to make sure that all parties understand that this is possible (namely remove process execution on cloud/hosted services)
  • I didn't upload any exploits or Metasploit-like tools (since that would be pushing my Azure testing a bit too far), but as far as I can see, they should work
  • I didn't spend a lot of time on this, and there are a number of other research areas that should be pursued
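A way for a team to confirm the three behaviours listed above on their own host, before an attacker does: an added diagnostic, not DotNet_ANSA or anything from the talk. Dropped into an ASP.NET application (class and method names are assumptions), it reports whether the AppDomain is fully trusted, whether the worker identity can list directories above the site root, and whether it can spawn a child process. The process probe runs `cmd.exe /c ver` only, so the check has no side effects.

```csharp
// Added diagnostic (not DotNet_ANSA). Names are assumptions. Intended to be called from a
// page, handler or startup hook inside the ASP.NET app being assessed.
using System;
using System.ComponentModel;
using System.Diagnostics;
using System.IO;
using System.Security;
using System.Web.Hosting;

public static class HostingCapabilityCheck
{
    // .NET 4+: false only when the AppDomain runs under a partial-trust policy, which is
    // what stops Directory/Process access below. Full trust is the ASP.NET default.
    public static bool RunsUnderFullTrust()
    {
        return AppDomain.CurrentDomain.IsFullyTrusted;
    }

    // Can the worker process read the directory above the site root?
    public static bool CanBrowseAboveAppRoot(string appRoot)
    {
        string parent = Path.GetFullPath(Path.Combine(appRoot, ".."));
        try
        {
            Directory.GetDirectories(parent);
            return true;
        }
        catch (UnauthorizedAccessException) { return false; }
        catch (SecurityException) { return false; }
    }

    // Can the worker process start a child process? "ver" just prints the OS version.
    public static bool CanStartProcess()
    {
        var psi = new ProcessStartInfo("cmd.exe", "/c ver")
        {
            UseShellExecute = false,
            RedirectStandardOutput = true,
            CreateNoWindow = true
        };
        try
        {
            using (Process p = Process.Start(psi))
            {
                p.StandardOutput.ReadToEnd();
                return p.WaitForExit(5000) && p.ExitCode == 0;
            }
        }
        catch (Win32Exception) { return false; }   // file not found / access denied
        catch (SecurityException) { return false; }
    }

    // One-line summary suitable for a log entry or a diagnostics page.
    public static string Report()
    {
        string root = HostingEnvironment.ApplicationPhysicalPath
                      ?? AppDomain.CurrentDomain.BaseDirectory;
        return string.Format("fullTrust={0} browseAboveRoot={1} startProcess={2}",
            RunsUnderFullTrust(), CanBrowseAboveAppRoot(root), CanStartProcess());
    }
}
```

On a default Azure Website deployment the expectation from the notes above is `fullTrust=True browseAboveRoot=True startProcess=True`; the point of running it is that each of those is a design decision of the platform, so the result belongs in the threat model of every app hosted there, not in a bug tracker.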

Wednesday, 17 July 2013

Can you spot the security implications/vulnerability of a small change to an ASP.NET MVC 3.0+ Model Binder?

This post contains an example of a serious security vulnerability that is common on ASP.NET MVC applications.

There are two versions of a Model Binder (CartModelBinder) class shown below, one or both are vulnerable.

Your job is to find out how to exploit them :)

Ideally you should provide your answer/results/proof using UnitTests :)

Note 1: The vulnerability shown in this post is a variation of a real-world vulnerability that I helped to find a couple of weeks ago (at a UK-based financial services company).

Note 2: I'm yet to look at/review/see a large MVC application that doesn't have similar vulnerabilities (on both ASP.NET MVC and Spring MVC)

Note 3: the code is from the http://sportsstoremvc3.codeplex.com/ sample application, which is used as a 'real-world application' example by the Pro ASP.NET MVC 4 book (the code was compiled using .NET 4.0 and executed using the ASP.NET MVC 3.0 and ASP.NET MVC 4.0 versions).


Tuesday, 16 July 2013

Code Club - Video with Scratch Games created by the Kids I was teaching at a local school

For the last couple of months (May till June 2013) I have been running a Code Club session at my daughter's school.

Every Wednesday at 3:30pm, I went there for 1h and taught 14 kids (Y3 till Y6) how to program in Scratch (with a brave one doing some Python)

To wrap up the year, we did a presentation to the Key Stage 2 assembly, where we presented the video below (to show some examples of their efforts and creativity):

Saturday, 29 June 2013

Insanely Simple book: Great view into Steve Jobs' quest for simple solutions

I just read Insanely Simple: The Obsession That Drives Apple's Success and was really inspired by its peek into Steve Jobs' mind.

What is really great about the book (and author) is how it shows the decision making process behind Steve/Apple's success.

The key message is how Simple and well designed products/solutions, are a result of a relentless and uncompromising focus on Simplicity.

Writing REPL scripts on side-by-side Chrome and IE

Following the Chrome-Hijacking posts, I’m starting to convert the WatiN Extension methods into ChromeDriver, and to do so needed to execute requests side-by-side (to test the APIs and to be able to write UnitTests for them).

To do that (side-by-side Chrome and IE execution) I wrote this script:

Tuesday, 25 June 2013

CodingLab Library at Union Jacks in Chiswick

After talking about the 'Open Library' for my RaspberryPi, Arduino, BeagleBone, Python, CodeClub books and materials on the Chiswick High Road with Ed (Chiswick's Union Jack manager), I'm happy to say that he embraced the idea and gave us some nice (prime-location) shelf space downstairs to hold the first batch of Library books :)

This means that if you want to learn about:
  • Scratch
  • RaspberryPI
  • Arduino
  • BeagleBone
  • Python
  • Linux
  • and others (OWASP, Android, Robotics)
... just pop into Union Jack, grab a drink and take a look at one of the available books:

Review of first CodeClub meetup in Chiswick (24th Jun 2013), with Scratch and RaspberryPI 'coding stations'

Following the 'Open Library' for my RaspberryPi, Arduino, BeagleBone, Python, CodeClub books and materials on the Chiswick High Road idea and the creation of CodingLab, I organised a Code Club meetup at Chiswick's Union Jack which had a nice crowd and vibe.

Here are some pictures of this event and set-up

Saturday, 22 June 2013

PoC of Auto-Screenshot of Hijacked Notepad main Window

On the topic of Window-Hijacking, here is a PoC that:
  • creates a GUI with two Panels (left and right)
  • starts a new notepad process
  • hijacks its main window into the left panel
  • takes a screenshot of the captured Notepad window every 100ms
  • checks if the screenshot is different from the last one, and if it is:
    • shows the screenshot of the hijacked notepad window into the right panel (inside a PictureBox)
Here is the code:

Using WebStorm with Chrome and ChromeDriver (to view KarmaJS execution results)

Following from the example described in When the best way to automate Chrome is to use ... Chrome, here is a more practical scenario where I'm creating a GUI that has both WebStorm and Chrome running side-by-side

Here is what it looks like:

When the best way to automate Chrome is to use ... Chrome (with examples on Google search, direct AngularJS scope manipulation and ChromeDriver javascript access)

On the topic of Web Automation, I always wanted to have a REPL environment for Chrome like I have for IE (using Watin).

In the past I have explored multiple solutions, for example the use of CefSharp (see here and here). But that was never the real thing, and there was always a couple issues (caused by the fact that the ‘real’ chrome wasn't being used).

For a while, in the back on my mind the solution was simple and obvious: Use the real Chrome process in a way that it can be programmatically accessed from an O2’s C# repl environment!

Well, the good news is that is exactly what I have done :)

I just created the GUI you can see below, which uses the Window-Hijacking technique to inject a (Selenium ChromeDriver-started) Chrome process's window into a Panel, and pass its reference (as a variable) to an O2 REPL environment.

Thursday, 20 June 2013

Adding KarmaJS support to WebStorm to automagically run tests on file changes (and test UI with SublimeText, Chrome and Cmd.exe)

On the AngularJs and KarmaJS theme (see A small AngularJS Jasmine test executed by KarmaJS and the related posts linked at the bottom), here is my first attempt at using Karma to test AngularJS code inside TeamMentor.

I'm using WebStorm instead of Visual Studio, since for JavaScript coding WebStorm is MUCH better/faster/cleverer, especially since it has good support for AngularJS and Jasmine (with KarmaJS support easily added, as we are about to see).

Also shown below is a cool tool I created that hijacks windows from SublimeText, Chrome and Cmd.exe windows into the same UI (an O2 Platform .NET Script)

Here is the directory structure:

A small AngularJS Jasmine test executed by KarmaJS

When I try to understand how a particular technology works I always like to create a simple test case with a small number of moving parts.

This post shows such example for an AngularJS page, a Jasmine test, a NodeJS web server and a KarmaJS execution cycle.

The files used/customised were based on the KarmaJS test/e2e/angular-scenario example:

KarmaJS AngularJS Scenario Test Runner execution variations in IE 7,8,9 and 10 when using AngularJS

While trying to get Karma JS to work, I found a number of different behaviours for its AngularJS Scenario Test Runner in IE’s multiple 'compatibility modes'.

TLDR: some of the Jasmine and AngularJS test apis don't work (although Angular does seem to work ok)

Here is the default web page I was using:

If AngularJS doesn’t work on your O2 Platform IE scripts (the fix is to change browser compatibility mode)

If when trying to open an AngularJS page inside an O2 Platform script, you see:

image

... this means that the IE browser embedded in that .NET process is set to run under IE 7 (the documented default for the embedded WebBrowser control; the fix is to change the process's browser emulation mode)
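The emulation mode of an embedded WebBrowser control is selected per host executable through the FEATURE_BROWSER_EMULATION feature-control registry key. The helper below is an added example (not O2 Platform code) that writes that key under HKCU for whatever process it runs in, so no admin rights are needed; the class name and the choice of 10000 (IE10 standards mode for pages with a standards !DOCTYPE) are assumptions.

```csharp
// Added example, not part of the O2 Platform. Must run before the first WebBrowser
// control is created in the process, because the control reads the key on creation.
using System.Diagnostics;
using System.IO;
using Microsoft.Win32;

public static class BrowserEmulation
{
    private const string KeyPath =
        @"Software\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION";

    // Documented DWORD values: 7000 (IE7; the default for the embedded WebBrowser control),
    // 8000, 9000, 10000 and 11000 select IE8/9/10/11 modes for standards !DOCTYPE pages.
    public static void Set(int emulationValue)
    {
        using (RegistryKey key = Registry.CurrentUser.CreateSubKey(KeyPath))
        {
            key.SetValue(HostExeName(), emulationValue, RegistryValueKind.DWord);
        }
    }

    // Current setting for this host, or null when no entry exists (IE7 behaviour).
    public static int? Get()
    {
        using (RegistryKey key = Registry.CurrentUser.OpenSubKey(KeyPath))
        {
            return key == null ? null : key.GetValue(HostExeName()) as int?;
        }
    }

    // The key is looked up by executable file name, e.g. "MyScriptHost.exe".
    // When debugging under Visual Studio this is the *.vshost.exe name, not your exe.
    private static string HostExeName()
    {
        return Path.GetFileName(Process.GetCurrentProcess().MainModule.FileName);
    }
}
```

Calling `BrowserEmulation.Set(10000)` at the top of the script, then opening the AngularJS page, is enough; `BrowserEmulation.Get()` returning null afterwards means a different host exe name was written than the one the WebBrowser control is actually living in.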

Wednesday, 19 June 2013

Debugging a weird case of missing module in AngularJS and KarmaJS

When I was trying the Running KarmaJS's AngularJS example test/e2e/angular-scenario (on Chrome) I hit on the following weird behaviour.

TLDR; the solution was to run npm install -g karma@canary

Running KarmaJS’s AngularJS example test/e2e/angular-scenario (on Chrome)

To learn and get an idea of how Karma (the 'Spectacular Test Runner for JavaScript') works, and how it can be used to create browser automation tests, here are the steps I took to get the test/e2e/angular-scenario example to work.

It all started with a clone of: git@github.com:karma-runner/karma.git

Sunday, 16 June 2013

Trying to run HuBot (and being stuck on 'ERROR XMPP authentication failure')

Sitting in a Starbucks on a Saturday morning (after dropping the kids at PSSA) it felt like a good time to try HuBot (repo is here).

Since I already had NodeJS installed on my test VM, I started with the Deploying Hubot onto Windows instructions: