Saturday 31 August 2013

Creating a Fork of Jni4Net,dealing with ‘Attempted to read or write protected memory’ problem and what I had to do to make it work with ZAP

An O2 user was having some issues with the Jni4Net scripts, and I think the root cause is that the current O2 scripts use the jni4net.n- which is the version currently available for download

TLDR: the code of the patched version is here; the compiled binaries are here

NOTE: THIS VERSION IS CURRENTLY published as DRAFT since I'm on the Algarve (i.e. the beach is waiting) and don't have time to proof read the text below (which is posted how I wrote it at the time)

WTF, an SQL injection payload as part of a URL (in IIS.NET), it must be a honeypot

Update: I wrote the original post in March 2013, and after a couple of days I was contacted by the admin asking me to remove it (which I did). Since it has been fixed since then, here is the original post (I'm now assuming the vuln was real, but I still have no idea how it got there)

NOTE: I used the 'contact us' form at to ask for a direct email to send the info below, and they said to 'post it on the support forum'. (See at the end of this blog entry a screenshot of the email I sent to IIS.NET)

Btw, since the issue is still there (a week later), I think this is a honeypot

Here is the blog entry I was writing when I found this (saved as a draft since).

Wednesday 28 August 2013

“The State of Application Security” Research report (by Security Innovation and the Ponemon Institute)

Based on a joint research study between Security Innovation and the Ponemon Institute, here is a really interesting report that presents/rationalises the current sorry state of Application Security (in 2013).

If you are a regular reader of my blog, you shouldn't really be shocked by any of this, but, it is a good read and provides good data for management to take Application Security seriously.

Here is a quote from the article "A must-read report for everyone involved in software development: “The State of Application Security”":

Notes on TeamMentor integration with CheckMarx (and pdf with info)

On the topic of integrating TeamMentor with Checkmarx, embedded below is a nice document (created by Roman and Michael) that explains how it works and where the TM (TeamMentor) guidance shows up.

This is a major milestone for TM and it shows that the best place to consume TM is in the developer's IDE.

A couple of notes on this implementation:

Saturday 24 August 2013

Programming Eclipse in Real-Time (using a 'Groovy based' Eclipse Plug-in)

While working on an Eclipse plugin to integrate TeamMentor with Fortify, it was driving me crazy to have to deal with this loop:
  • Write the code in the main Eclipse instance (hosting the Eclipse plug-in project)
  • Start the Eclipse plug-in project (in debug mode)
  • Wait about 1 minute for the 2nd instance of Eclipse to start
  • See the changes
  • Make some fixes
    • If I’m lucky, the fix is in a place where it can be made (in the hosting Eclipse instance) without a restart of the 2nd Eclipse
    • If I’m not lucky, go back to step one

Monday 19 August 2013

Creating a clone of WebGoat on GitHub

I needed a couple of vulnerable source code examples (to use with the new TeamMentor Eclipse plug-in), so an obvious option was to use WebGoat (whose code is currently hosted on a Google Code page)

But since there wasn’t a source code download option (on the current download page)

Friday 16 August 2013

Util - Quick Hex File Viewer.exe

When I was creating the Generating Fuzzing Images and trying them on WebBrowser (IE) and Install Debugging Tools for Windows as a Standalone Component scripts, I needed a simple and fast HEX viewer.

Since I didn’t have one at hand, I quickly wrote an O2 Script that uses a C# ListView to show binary data (see source code below)

Here is the link to the Stand-Alone tool: Util - Quick Hex File Viewer v1.0.exe

Which looks like this when executed:

Install Debugging Tools for Windows as a Standalone Component

Annoyingly (after many requests on MS mailing lists) it is still not possible to download the Windows Debugging tools independently.

To get it, you need to go here

Thursday 15 August 2013

Generating Fuzzing Images and trying them on WebBrowser (IE)

An O2 user asked me today for a good way to fuzz images, so here is a quick PoC that does that.

Note that I didn’t expect any of this to work in IE, since fuzzing is part of Microsoft’s SDL (as it should be for anybody that writes C++ that parses binary data).

The first step was to generate the 'Fuzzed' images, which were created using this script (see Gist at the end of this post):

Wednesday 14 August 2013

Using captured account details on login form

This post will put into practice the data collected in Generating an small MD5 Rainbow Table in C# and Loading, parsing and consuming unstructured data (i.e. password hashes from google)

Usually, if you have access to usernames and passwords, a good test is to see if they work on the site that we are currently (legally) testing (remember that a lot of companies don’t have a good sense of humor if you do this type of automated testing on them)

Let’s say that we have a website that has a login page like HacmeBank:

Loading, parsing and consuming unstructured data (i.e. password hashes from google)

Following Generating an small MD5 Rainbow Table in C#, the objective of this post is to show how to consume unstructured data (to be used, for example, in a fuzzing brute-force login attempt, which you will see in the next post)

Now that we have a way to resolve MD5 hashes, we need a couple of hashes to test it out.

Unfortunately (for the affected users) there is a HUGE amount of password hashes out there. For example, take a look at this page:

Generating an small MD5 Rainbow Table in C#

I needed a simple Rainbow Table today, and since I couldn’t easily find one I could download, I decided to create it in C#

So I went to the O2 Platform REPL and quickly wrote this script (included in full at the end of this post):

Tuesday 13 August 2013

The speed of Google's crawling updates is impressive (with Bing and Yahoo not even on the map)

When I was researching the Adding Custom Descriptions and Content to Fortify using the RulePack's CustomDescriptionRule element post, there was not one direct hit/result for CustomDescriptionRule in any of the major search engines (it really makes you feel alone in the world when there is no info out there about the current research topic :) ).

So what does it look like now, just 30m after posting it (I actually bet that Google got there sooner, but I don't have the screenshot to prove it)?

Here are Google's results:

Adding Custom Descriptions and Content to Fortify using the RulePack's CustomDescriptionRule element

After Cat.Net and Checkmarx, the next TeamMentor integration target is HP's Fortify

The idea is to add references and cross-links between Fortify results and TeamMentor Guidance. That way we get the best of both worlds:
  • SAST Findings
  • Targeted and customised Security Guidance
I'm currently using Fortify version 5.16, which contains a nice Rule Editor that can be used to create well formatted RulePack files (this tool also has a nice wizard to help with the creation of 'proper' custom rules (for example to map out new Sources or Sinks)):

Tuesday 6 August 2013

Using XMLDecoder to execute server-side Java Code on a Restlet application (i.e. Remote Command Execution)

At the DefCon REST Presentation we did last week (see slides here), after the Neo4J CSRF payload to start processes (calc and nc) on the server demo, we also showed how dangerous Java’s XmlDecoder can be.

(tldr: scroll to the end of the article to see how to create an XML file that will trigger a reverse shell from a REST server into an attacker's box)

I have to say that I was quite surprised that it was possible to execute Java code (and start processes) from XML files!

Abraham and Alvaro deserve all the credit for connecting the dots between XMLDecoder and REST.

Basically what happens is that Java’s JDK has a feature called Long Term Persistence, which can be used like this:

Neo4J CSRF payload to start processes (calc and nc) on the server

The first demo that we showed at the DefCon REST Presentation was how to use CSRF to exploit the Neo4J remote code execution feature (provided by Groovy).

CSRF was used because, by default, the REST API that lets the web UI submit a Groovy script is only reachable from localhost.

Abe and Alvaro's concern (and the reason we showed this in action) is that a considerable number of Neo4J admins fail to read the guidance provided here:

Back in London from DefCon and ALL research materials are now available on GitHub

The DefCon presentation on REST Security and Exploitation went great :)

The slides and demos worked out ok, there was a good crowd, and there were lots of great interactions/reactions from the attendees:

Monday 5 August 2013

Can you join us for lunch?

With these simple words, OWASP's Joanna and I had a great lunch with two complete strangers (to us) at DefCon 21.

We were going into a local restaurant at the Rio hotel when they (a couple on their first trip to DefCon) asked us to join them. They said that they wanted to meet new people and we looked decent enough :)

They were both from LA. He was the director of a local web development company and she was a lawyer.

The conversation was wide ranging, and it was great to hear how he used to work for a financial company (doing financial analysis for tech acquisitions), but quit due to the lack of values and wrong motivations in that world (i.e. he left the dark side).

What he has found is that our community (software development, hackers, web app security) is a much more value-based world/society, with a lot more 'good people'.

Courage is a series of baby-steps that are taken in two-acts (and 'what should my friend do?')

During DefCon, I had a number of people I really admire saying how much they respect my 'courage'.

Namely the efforts that I put into the O2 Platform, and how I was able to create a world where I have a huge degree of freedom, with most of my activities happening on the interwebs (from code in GitHub to blogging about anything I want (i.e. these days I expect SI to read my blog, and don't give advance warning before I write a new post))

The reality is that it is easy to over-estimate the effort required to have 'courage', and to over-value the amount of 'real courage' that is actually needed (especially when even 'big changes' are done in baby-steps)

For example, one of my really good friends is stuck in a 'good job', which pays him very well but is not allowing him to follow his passion and ultimately fulfil his potential.

My friend (he knows who he is) says that I (Dinis) am very 'courageous', but what I would like to say to him, is that 'it is not that hard' :)

Day 5 - DefCon 2013 - roundup of what happened

Since my Day 1 post, a lot has happened and I'm finally on the way home.

After all the adrenaline, my brain is starting to shutdown so here is a brain dump of the highlights of DefCon 21: