Archive for March, 2007

Al-Qaeda Plotting to Bring Down the Internet in the UK

Schneier’s blog discussed the recently released article about Al-Qaeda plotting to bring down a critical internet hub in the UK, thereby disrupting the LSE and creating an economic nightmare.

I wonder if this will increase interest in your so-called tiger teams.

Web Spider with Microsoft Visio

I strongly believe that for a penetration tester to be effective, he or she must be able to envisage a web application in its entirety; that is a fundamental prerequisite.


The Web Site Map template can produce a diagram of your Website structure, showing what is on each page (images, JavaScript, etc.) and how each element connects to all others. Visio allows you to spider an existing Website and creates a map of it for you, including all links and graphics. It even tells you if an image is dead, so it can be handy for error-checking your pages as well. - http://www.sitepoint.com/article/visio-professional-2002

The Microsoft Visio web spider feature can be really powerful. Below are some screenshots:


I am not saying MS Visio is ideal for visualisation of one’s target; I am not even saying that I like it. But I would certainly like to see web spiders for security testing moving in this direction.
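What a security-oriented spider of this kind produces can be sketched in a few dozen lines. The following is an added example, not code from the original post or from Visio: it crawls a constructed in-memory site (example.test is hypothetical and the SITE table stands in for HTTP fetches), records each page’s links, images, scripts and forms with their input names, and flags referenced resources that do not resolve, which is the dead-image check described above.

```python
from html.parser import HTMLParser
from urllib.parse import urldefrag, urljoin

# Constructed in-memory site standing in for live HTTP fetches; example.test is
# a hypothetical host. A missing key plays the part of a 404.
SITE = {
    "http://example.test/": (
        '<html><body><a href="/about.html">About</a> <a href="/login.php">Login</a>'
        '<img src="/img/logo.png"><script src="/js/app.js"></script></body></html>'),
    "http://example.test/about.html": (
        '<html><body><a href="/">Home</a> <a href="/about.html#team">Team</a>'
        '<img src="/img/missing.png"></body></html>'),
    "http://example.test/login.php": (
        '<html><body><form action="/login.php" method="post">'
        '<input name="user"><input name="pass" type="password"></form></body></html>'),
    "http://example.test/img/logo.png": "PNG",
    "http://example.test/js/app.js": "console.log(1)",
}


def fetch(url):
    """Stand-in for an HTTP GET: returns the body, or None for a dead resource."""
    return SITE.get(url)


class PageElements(HTMLParser):
    """Collects what a page is made of: links, images, scripts and forms with their inputs."""

    def __init__(self, base):
        super().__init__()
        self.base = base
        self.links, self.images, self.scripts, self.forms = [], [], [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            # Drop fragments so about.html#team and about.html count as one page
            self.links.append(urldefrag(urljoin(self.base, a["href"])).url)
        elif tag == "img" and a.get("src"):
            self.images.append(urljoin(self.base, a["src"]))
        elif tag == "script" and a.get("src"):
            self.scripts.append(urljoin(self.base, a["src"]))
        elif tag == "form":
            self.forms.append({"method": a.get("method", "get").upper(),
                               "action": urljoin(self.base, a.get("action", "")),
                               "inputs": []})
        elif tag == "input" and self.forms and a.get("name"):
            self.forms[-1]["inputs"].append(a["name"])


def spider(start, scope):
    """Breadth-first crawl within scope; returns {page: elements + dead resources}."""
    sitemap, queue, seen = {}, [start], set()
    while queue:
        url = queue.pop(0)
        if url in seen or not url.startswith(scope):
            continue
        seen.add(url)
        body = fetch(url)
        if body is None:
            continue
        page = PageElements(url)
        page.feed(body)
        sitemap[url] = {
            "links": sorted(set(page.links)),
            "images": page.images,
            "scripts": page.scripts,
            "forms": page.forms,
            # Referenced resources that do not resolve: broken images, dead scripts, dead links
            "dead": sorted(r for r in set(page.images + page.scripts + page.links)
                           if fetch(r) is None),
        }
        queue.extend(page.links)
    return sitemap


if __name__ == "__main__":
    for url, info in spider("http://example.test/", "http://example.test/").items():
        print(url, info)
```

The forms entry is what makes this useful to a tester rather than a webmaster: every page’s input names and submission targets are the first cut of the attack surface, while the dead list is the error-checking Visio advertises.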

SQL Injection: Sleeping Giant

Michael Sutton from SPI Dynamics did some very cool research titled “How Prevalent are XSS Vulnerabilities” and a follow-up article titled “How Prevalent are SQL Injection Vulnerabilities”.

DNS-IP Tunneling

Working around Italy this last week got me thinking about bypassing hotel wired and wireless charged services. Before going into my post I have to say that the cathedral in “Centro” Milan almost brought tears to my eyes; magnificent.

Generally there are two protocols on which to build that do not require authentication to work, because a charged network has to let them through before the client has paid or logged in: ICMP, and, more interestingly, DNS.

Encapsulating IP inside ICMP has been known for some time; this is not new, and neither is NSTX (Nameserver Transfer Protocol).

I was practically building up the steps to code a DNS-IP tunnelling application (very useful, as many networks allow outgoing DNS but nothing else). The idea was as follows:

  1. Server-side Application acting as our external DNS server
  2. Client-side middleware to act as HTTP proxy at one end and DNS resolution at the other

I put a lot more work into the above, including encoding types; however, a Google search led me to Thomer M. Gill’s documentation around NSTX and ICMPX.

I haven’t had a chance to explore the code of these projects, but it looks really awesome. One of the challenges my conceptual tool faced was how to transfer the data via DNS. NSTX uses the TXT record to do this; of course, I thought, smacking myself in the head. Great, great stuff. Will have to try this out when I get home :)
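To make the two-part design above and the TXT-record idea concrete, here is an added example of my own; it is not code from NSTX, ICMPX or the tool sketched in the post, and t.example.com is a hypothetical tunnel domain whose NS would be delegated to the server-side application. The client packs data into the labels of TXT queries, the server strips the domain suffix and reassembles the chunks by sequence number, and data flows back in the TXT RDATA of the answer. The query packet is built and parsed by hand so the wire encoding is visible.

```python
import base64
import struct

# Constructed example values: the domain is hypothetical; a real tunnel needs its
# NS record delegated to the server-side application acting as external DNS server.
TUNNEL_DOMAIN = "t.example.com"
MAX_LABEL = 63     # RFC 1035: one label holds at most 63 octets
MAX_NAME = 253     # RFC 1035: a whole name in dotted form is at most 253 characters
CHUNK = 100        # raw bytes per query: 160 base32 chars, 3 labels, fits MAX_NAME
QTYPE_TXT = 16


def b32(data: bytes) -> str:
    # Lower-case unpadded base32: an alphabet that survives case-insensitive DNS
    return base64.b32encode(data).decode("ascii").rstrip("=").lower()


def unb32(text: str) -> bytes:
    text = text.upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))


def encode_upstream(data: bytes, domain: str = TUNNEL_DOMAIN) -> list:
    """Client side: turn data into query names. The data rides in the labels; the
    first label carries a sequence number so the server can reassemble in order."""
    names = []
    for seq, off in enumerate(range(0, len(data), CHUNK)):
        enc = b32(data[off:off + CHUNK])
        labels = [enc[i:i + MAX_LABEL] for i in range(0, len(enc), MAX_LABEL)]
        name = ".".join([f"s{seq}", *labels, domain])
        if len(name) > MAX_NAME:
            raise ValueError("query name too long")
        names.append(name)
    return names


def decode_upstream(names, domain: str = TUNNEL_DOMAIN) -> bytes:
    """Server side: ignore queries for other domains, reassemble the rest by sequence."""
    suffix = "." + domain
    chunks = {}
    for name in names:
        if not name.lower().endswith(suffix):
            continue                      # ordinary DNS traffic, not ours
        labels = name[:-len(suffix)].split(".")
        chunks[int(labels[0][1:])] = unb32("".join(labels[1:]))
    return b"".join(chunks[k] for k in sorted(chunks))


def build_txt_rdata(data: bytes) -> bytes:
    """TXT RDATA is a run of <length><bytes> character-strings of at most 255 bytes each."""
    return b"".join(bytes([len(data[i:i + 255])]) + data[i:i + 255]
                    for i in range(0, len(data), 255))


def parse_txt_rdata(rdata: bytes) -> bytes:
    out, i = b"", 0
    while i < len(rdata):
        n = rdata[i]
        out += rdata[i + 1:i + 1 + n]
        i += 1 + n
    return out


def wire_name(name: str) -> bytes:
    """Dotted name to DNS wire form: length-prefixed labels ending in a zero octet."""
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.split(".")) + b"\x00"


def build_query(txid: int, name: str) -> bytes:
    """Minimal DNS query: header (RD set, one question) + QNAME + QTYPE/QCLASS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + wire_name(name) + struct.pack("!HH", QTYPE_TXT, 1)


def parse_query(pkt: bytes):
    txid, _flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", pkt[:12])
    labels, i = [], 12
    while pkt[i]:
        n = pkt[i]
        labels.append(pkt[i + 1:i + 1 + n].decode("ascii"))
        i += 1 + n
    qtype, _qclass = struct.unpack("!HH", pkt[i + 1:i + 5])
    return txid, ".".join(labels), qtype


def tunnel_roundtrip(request: bytes, reply: bytes):
    """Client packs the request into TXT queries; the server unpacks it from the
    query names and answers with the reply in TXT RDATA. Returns what each side got."""
    queries = [build_query(txid, n) for txid, n in enumerate(encode_upstream(request))]
    seen_names = [parse_query(q)[1] for q in queries]
    server_got = decode_upstream(seen_names)
    client_got = parse_txt_rdata(build_txt_rdata(reply))
    return server_got, client_got


if __name__ == "__main__":
    # Constructed sample: the kind of request the client-side HTTP proxy would forward
    req = b"GET / HTTP/1.1\r\nHost: example.net\r\n\r\n"
    print(encode_upstream(req))
    print(tunnel_roundtrip(req, b"HTTP/1.1 200 OK\r\n\r\nhello"))
```

This shows only the encoding, which is the part the post was stuck on. A working tunnel also has to poll (the server cannot speak first; downstream data only arrives as answers to client queries), defeat the hotel resolver’s cache with unique names, and keep per-query payloads small enough that the upstream path, which is the slow direction here, stays within the 63-character label and 253-character name limits that encode_upstream enforces.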

WordPress is Backdoored


Long story short: If you downloaded WordPress 2.1.1 within the past 3-4 days, your files may include a security exploit that was added by a cracker, and you should upgrade all of your files to 2.1.2 immediately. - WordPress.com

This is not the first time such a situation has occurred. A number of vendors over the years have had crackers backdoor legitimate software. This is a very gloomy day for WordPress indeed. Since I released the Template CSRF exploit for WordPress, we have seen the UTF-7 SQL injection exploit by Stefan Esser, other XSS vulnerabilities and now a backdoor.

It may be time for me to re-look at my WordPress Securify plugin, which is currently only recommended for advanced users as it is still in its BETA phase and may have some issues of its own.
