Posts Tagged ‘Security’

MD5 breached… Collision Attacks Possible

Friday, January 2nd, 2009


A presentation at the “25th Annual Chaos Communication Congress” in Berlin on December 30th, 2008 proved the possibility of collision attacks. What does this mean? Certification Authorities using MD5 could cause a problem.

Read the full story at MD5 considered harmful today.


If you take security seriously…

Tuesday, December 23rd, 2008


and you program in .Net then the following tools are a must…

Microsoft Anti-Cross Site Scripting Library V3.0 Beta -
AntiXSS 3.0 helps you to protect your current applications from cross-site scripting attacks, at the same time helping you to protect your legacy application with its Security Runtime Engine.
The Microsoft Anti-Cross Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique — sometimes referred to as the principle of inclusions — to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. New features in this version of the Microsoft Anti-Cross Site Scripting Library include:
- An expanded white list that supports more languages
- Performance improvements
- Performance data sheets (in the online help)
- Support for Shift_JIS encoding for mobile browsers
- A sample application
- Security Runtime Engine (SRE) HTTP module
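The white-listing approach described above, set beside a deny-list encoder for contrast, as an added Python sketch (this is not AntiXSS code or its API; the allowed character set, the function names and the sample input are assumptions made for illustration):

```python
import string

# Assumed allow-list for this sketch: ASCII letters, digits and a few
# punctuation characters that are inert in HTML text and attribute values.
SAFE_CHARS = frozenset(string.ascii_letters + string.digits + " .,-_")

# Constructed sample input: a value that tries to close the attribute it is
# placed in and add an event handler.
SAMPLE = 'x" onmouseover="alert(1)'


def allowlist_html_encode(text, safe=SAFE_CHARS):
    """Encode every character outside the allow-list as a numeric entity."""
    return "".join(ch if ch in safe else "&#%d;" % ord(ch) for ch in text)


# Deny-list encoder for comparison: it only handles the characters someone
# thought to list, so everything else passes through unchanged.
DENY_MAP = {"<": "&lt;", ">": "&gt;", "&": "&amp;"}


def denylist_html_encode(text):
    """Encode only the characters named in DENY_MAP."""
    return "".join(DENY_MAP.get(ch, ch) for ch in text)


def render_attribute(value, encoder):
    """Place an encoded value inside a double-quoted HTML attribute."""
    return '<input value="%s">' % encoder(value)


if __name__ == "__main__":
    # The deny-list output still contains the raw quote, so the value escapes
    # the attribute; the allow-list output keeps it as inert text.
    print(render_attribute(SAMPLE, denylist_html_encode))
    print(render_attribute(SAMPLE, allowlist_html_encode))
```

The allow-list here is ASCII-only, so accented and non-Latin characters are encoded as well; the expanded white list mentioned above exists to let more languages through unencoded.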

Microsoft Code Analysis Tool .NET (CAT.NET) v1 CTP - 32 bit
CAT.NET is a binary code analysis tool that helps identify common variants of certain prevailing vulnerabilities that can give rise to common attack vectors such as Cross-Site Scripting (XSS), SQL Injection and XPath Injection.
CAT.NET is a snap-in to the Visual Studio IDE that helps you identify security flaws within a managed code (C#, Visual Basic .NET, J#) application you are developing. It does so by scanning the binary and/or assembly of the application, and tracing the data flow among its statements, methods, and assemblies. This includes indirect data types such as property assignments and instance tainting operations. The engine works by reading the target assembly and all reference assemblies used in the application — module-by-module — and then analyzing all of the methods contained within each. It finally displays the issues it finds in a list that you can use to jump directly to the places in your application’s source code where those issues were found. The following rules are currently supported by this version of the tool:
- Cross Site Scripting
- SQL Injection
- Process Command Injection
- File Canonicalization
- Exception Information
- LDAP Injection
- XPATH Injection
- Redirection to User Controlled Site

And I highly recommend reading MS08-078 and the SDL, and subscribing to the SDL (Security Development Lifecycle) RSS feed.


ASP.Net, Ajax, JQuery, Web Services - Great tools, but wait…

Sunday, October 19th, 2008


All of us, or most of us, have heard that Microsoft is supporting JQuery. And now we have a host of bloggers blogging on how to use JQuery with ASP.Net. Everything sounds and looks fantastic. But wait, give it a second thought.

I don’t want to single out any one person’s blog or article, so I am not giving out the URL. On a certain blog I read how to send an email using an ASP.NET web service and JQuery. Unfortunately, that exposes the URL of the Web Service, and anyone can just write a simple program and start pumping out emails.

I am just trying to warn you guys: just because something can be done using client-side JavaScript, or because something looks cool, don’t jump on it. Think about the security and what information you are exposing in the client-side code.

JQuery is a great JavaScript library; in fact I love it, and I used it even before Microsoft announced its support. I like the library, but please don’t misuse it.


B2B Communication and Securing them

Friday, August 22nd, 2008


For B2B communications, especially if we want them to be near real time, Web Services are best. Now, for the sake of discussion, let’s assume a certain business A provides a Web Service and business B consumes the Web Service. If the data is not critical, then we don’t need any sort of security; it can be on plain HTTP. But what if the data needs to be secure and encrypted? The Web Service can be on HTTPS. Now what if the client also needs to be authenticated? Each client can be issued a specific random GUID and asked to send that GUID as a part of the communication. But wait, what if the GUID is leaked, or someone tried playing around and found a valid GUID? The next step is to use Client Certificates. These Client Certificates can be used for authentication. OK, but how do we use a Client Certificate?

There are two ways in which we can use Client Certificates:
1) Configure IIS to terminate connections which don’t use a Client Certificate, or even go ahead and specify which client certificates are accepted, so if a request comes in with a client certificate and it is not in the list of accepted Client certificates, the connection is terminated in IIS.

2) Do the same in code.

I plan to do 3 articles on how to configure IIS, how to use code, and to discuss more about Client Certificates, in future articles which would be published within the next 10 days. Stay tuned.


A SQL Injection Attack Attempt - An Investigation

Thursday, August 21st, 2008


This morning I found 3 very peculiar entries in my website’s weblog. All 3 look like the following:

SOME_URL_ON_MY_SITE?;DECLARE%20@S%20CHAR(4000);SET%2….

For now forgive me for not showing the complete entry. First I was very worried: is my website hacked? I am still able to log in and view posts. OK, maybe the attack was not successful. I thought I would leave for work and worry about this later. Did I say all 3 of these are from the same IP address?

This evening after I returned from work I found 2 more such entries, but from a different IP. This is when I started getting more curious. I found that these 2 IP addresses from where they tried to hack my blog are from China. I did a WHOIS lookup on these 2 IP addresses and strangely found them belonging to the same organization. I googled for the organization and found it to be an ISP provider in China.

Next I started looking into the code. The attacker tried inserting a js file into webpages. I tried opening that js file, but Firefox warned me it’s a malicious site. Yes, I know that, but I am interested in looking at the js file.

Firefox Warning Message


So I clicked “Ignore this warning”, but unfortunately I got “Network Timeout”, “The server at SERVER_NAME is taking too long to respond.”

So, I clicked “Why was this site blocked?” and got the following info:

Has this site acted as an intermediary resulting in further distribution of malware?

Over the past 90 days, www3.800mg.cn/csrss/ appeared to function as an intermediary for the infection of 142 site(s) including winezap.com, nitevibe.com, clarkstationery.com.

Has this site hosted malware?

Yes, this site has hosted malicious software over the past 90 days. It infected 333 domain(s), including rupalisite.com, bsmhoustonarea.org, pdxguide.com.
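A way to pull requests of the shape quoted in this post out of a web log and group them by client address, as an added example that is not part of the original post. The "client_ip request_uri" log layout, the function names and the sample lines are assumptions; the payload after SET is a placeholder, since the post truncates the real entry.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Shape of the logged request: a stacked statement appended to the query
# string that declares a T-SQL character variable and then assigns to it.
STACKED_DECLARE = re.compile(
    r";\s*DECLARE\s+@\w+\s+N?(?:VAR)?CHAR\s*\(\s*(?:\d+|MAX)\s*\)\s*;\s*SET\b",
    re.IGNORECASE,
)

# Constructed sample log lines (documentation IP ranges, placeholder payload).
SAMPLE_LOG = """\
203.0.113.7 /post.aspx?;DECLARE%20@S%20CHAR(4000);SET%20@S=PLACEHOLDER
203.0.113.7 /post.aspx?id=15;declare%20@s%20varchar(4000);set%20@s=PLACEHOLDER
198.51.100.9 /post.aspx?id=12;DECLARE%2520@S%2520CHAR(4000);SET%2520@S=PLACEHOLDER
192.0.2.44 /post.aspx?id=12
192.0.2.44 /search.aspx?q=declare%20independence
"""


def fully_unquote(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded requests are normalised."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def find_injection_attempts(log_text):
    """Return {client_ip: [request_uri, ...]} for lines matching the pattern."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        ip, _, uri = line.partition(" ")
        _, sep, query = uri.partition("?")
        # Only the decoded query string is inspected; plain requests and
        # ordinary searches containing the word "declare" do not match.
        if sep and STACKED_DECLARE.search(fully_unquote(query)):
            hits[ip].append(uri)
    return dict(hits)


if __name__ == "__main__":
    for ip, uris in find_injection_attempts(SAMPLE_LOG).items():
        print(ip, len(uris), "matching request(s)")
```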


