XSSDetect: Tool for finding Cross Site Scripting bugs

About a month back, ACE Engineering released “XSSDetect”, a stripped down version of the “Code Analysis Tool for .NET code bases (CAT.NET)”. A Cross site scripting (XSS) vulnerability exists in a web application whenever user controlled input, without proper validation or encoding, is echoed back to the browser. To find XSS (and other injection flaws)…

Block Ciphers: Simple attack on ECB mode

This is nothing new, but I just wanted to document it on my blog. Block ciphers encrypt data in blocks of bits. These blocks are generally 64 or 128 bits long. In the ECB (or Electronic Code Book) mode, each block is encrypted independently of the other blocks. As a result if two blocks are…

ClubHACK 2007: I will be presenting some “Subtle Security Flaws”

In its own words, “ClubHACK is one of its kind hacker’s convention in India which serves as a meeting place for hackers, security professionals, law enforcement agencies and all other security enthusiasts.” At ClubHACK, I will talk about some interesting and subtle security flaws found while assessing business applications, which principles were not followed that…

The Unbreakable Cipher

The concept of perfect secrecy is that given the cipher text, and any resources and amount of time, the adversary has no way of getting to the plain text. Having the cipher text makes no difference and provides absolutely no additional information. The adversary can try a brute force approach, by trying each and every…

Common Authorization Vulnerability in Thick Client applications

Consider the following architecture for an intranet application. A thick client installed on the user’s machine connects to a web service which in turn connects to the database. The web service authenticates the caller using windows authentication. It connects to the SQL Server using a fixed identity. The vulnerability occurs if authorization controls are…

Browser Security: Why you can’t get the file that the user doesn’t want you to get?

In the year 1995, there were eight options for the “type” attribute of the “input” element. These were “CHECKBOX”, “RADIO”, “HIDDEN”, “TEXT”, “PASSWORD”, “IMAGE”, “RESET” and “SUBMIT”. The “FILE” option was added later on to the HTML DTD (Document type definition) to allow users to upload files to the web server. Internet Explorer 3.02…

Catch the security flaw: Configuring encryption from Web Server to SQL Server

I assess software security for a living, but I almost missed this one. <connectionStrings> <add name="Conn" connectionString="server=server1; database=database1; Integrated Security=True" Encrypt="True"/> </connectionStrings> This connection string was being used in an application that stored confidential data in the database. The data should have been encrypted on the network (from the web server to the…

SQL injection: Dynamic SQL within stored procedures

Most resources on the internet concentrate on dynamic SQL in the data access code as the cause of SQL injection. Although less well known, SQL injection is also possible if the stored procedure itself constructs dynamic SQL and executes it with the “exec” or “sp_executesql” statements. This is in spite of using parameterized input in data…

How To: Run Sql Server Agent and Sql Server Jobs with least privilege in Sql Server 2005

How to: Run Sql Server Agent service under an account which is not a member of the local administrators group
1. Add the account under which you want to run the Sql Server agent service in the SQLServer2005SQLAgentUser$ComputerName$MSSQLSERVER group. This group is pre-configured with all the required permissions to run the service. Make sure the…