Miscellaneous Security

Reading time: 2 – 2 minutes

Photo: Brajeshwar

If you are a developer, I guarantee that you have written insecure code. Universities train people to write code, but very little time is taken to help them focus on writing secure code.

As with anything, being able to identify security vulnerabilities and writing code securely takes practice. But how does a developer, who is already overburdened with enough work, find the time or resources to help him identify security vulnerabilities?

This is where spot spotthevuln.com comes in.

The purpose of the project is two fold, help developers write better code by enabling them to identify insecure code and hopefully work the project into teaching curriculum’s at colleges and universities in order to help new developers write more secure code.

Here is how the site works. On Monday at 8:00am PST, a piece of vulnerable code is posted. An business week is given to people in order to attempt to identify the vulnerability in the code. On Friday at 8:00am PST, the code fix is shown with a description of what was wrong with the code. All of the vulnerabilities are taken out of open source projects in order to show developers “real-life” scenarios. The fixes are the fixes that were actually deployed.

The whole point of spotthevuln.com is to help developers identify poor development choices when programming. What are your thoughts? Do you think this will help developers? If you are an instructor and would like to work spotthevuln.com into your curriculum, I suggest for you to reach out to spotthevuln.com.

The more developers know about security, the better off we all are.

Reading time: 3 – 4 minutes

Photo: B.G. Lewandowski

Why did you just click that link? Most likely you have came to this site by clicking a link from another site. Why did you do that? Did you trust the person who sent you the link? Did you click a link from Twitter, Facebook, or an email someone sent you?

When you click a link, you are telling your browser, “I trust this person.” However, this is not the way we use the Internet. We click on links all the time. We click on links from “untrusted” sources. We click links from people we don’t know and we even click on URL’s that have been modified. On Twitter, a person is much more inclined to click the shortened link http://bit.ly/5hXRW then they are to click http://somewherebank.com/transfer.jsp?amount=1000&to_account=56777564. Even though the shortened link could redirect to the somwherebank.com site.

But, why would someone trick you into clicking a cleverly disguised link? The site that you are redirected to may seem harmless. It could also be extremely malicious.

What happens if this page, (the one you are currently viewing), was filled with Cross-Site Request Forgery (CSRF) links? This web page could be setup with all types of malicious intent. However, you didn’t know that when clicking the link. Now, it is too late.

If this site did have Cross-Site Requests, I could do things such as:

• Change the password on your Facebook account
• Transfer the money from your on-line bank account to another account
• Enact trades from a financial institution such as E*Trade

The sites that I exploit would have to be vulnerable to CSRF. But researchers, such as Mike Bailey and Russ McRee, are constantly finding CSRF vulnerabilities in web applications.

An example of how clicking links from untrusted sources is never good was demonstrated in Billy Rios and Nitesh Dhanjani, Bad Sushi talk. In their presentation they described sending phishers a word document stating their account numbers were inside. They sent this email to 25 known phishers. 10 of the phishers opened the word document and were presented with this. In addition, there was another link that said, “Actually, my account information is here.” 3 of the 10 clicked on that link. Even the phishers click links they shouldn’t.

What should be done? Who knows. It is human nature to trust people and we can’t get things done if every time someone sends us a link we open up a VMware image to view a link. So continue using the Internet the way you have been and remember, “These aren’t the droids your looking for.”

Reading time: 3 – 5 minutes

Photo: bweech

From previous articles, you should be aware that Cross-Site Scripting (XSS) is an issue that is not going away any time soon.

Unlike it’s buzzword predecessor, SQL injection, Cross-Site Scripting is a difficult vulnerability to quantify. What is the risk of not resolving a Cross-Site Scripting vulnerability in your web application?

If you have recently gone through a web application assessment, the report most likely indicates the risk factor of having XSS is high. But, what evidence does the report writer have to support this statement?

Basic security teaches us that risk can be quantified as:

Risk = (Probability of the event occurring) x (The impact if the event occurs)

To support the consultants statement, we would need to identify the probability of an attacker using a Cross-Site Scripting vulnerability as an attack vector and what the impact is, if the user is exploited.

Impact
It is important to realize that XSS is a means, not an end. XSS is simply a transportation mechanism. It is used to facilitate the actual attack which could be system compromise or stealing a users session. The only limitation on XSS is that it operates in a browser environment.

Do to the numerous things an attacker can do with XSS, it is hard to quantify an impact for all XSS vulnerabilities. Since XSS has different severities in regards to impact, an organization should always choose the impact that is most severe. In other words, the worst-case-scenario.

If a user is exploited through an XSS attack, an organization can assume the attacker is doing the most damaging thing imaginable. Therefore, if a user is compromised from XSS, the impact is high.

Photo: stopnlook

Probability of the Attack Occurring
We have now identified that the impact of Cross-Site Scripting is high. But, what about the probability of it actually occurring?

It is difficult to find evidence of people using Cross-Site Scripting as an an attack vector? There are cases where XSS was used, in conjunction with SQL injection, to insert an offsite iframe into a web page in order to attempt a traditional overflow. Should these attacks be included into the equation for probability of it happening? Since it can be argued that these attacks used SQL injection, and not XSS for propagation, these attacks need to be excluded.

The only evidence I can find is Verizon’s 2009 Data Breach Investigation Report. That document however, doesn’t go into much detail about the specifics of the XSS attack.

Due to the lack of overwhelming evidence, XSS currently is not a common attack method. The probability of a Cross-Site Scripting attack occurring is low.

Cost-Benefit Justification of Fixing Cross-Site Scripting
Since it is difficult to quantify the cost of having an XSS, it is just as difficult to do a cost-benefit analysis on fixing XSS vulnerabilities.

Why should merchants spend money on fixing their XSS vulnerabilities when there is no supporting evidence of attacks occurring?

Until more web applications are compromised through XSS vectors and there is more evidence to support this happening, not much security budget will go towards fixing Cross-Site Scripting vulnerabilities.

Update: StrongWebMail was hacked using XSS. StrongWebMail paid out $10,000 for being breached. This has brought some media attention towards the issue.