The OWASP Moderated Application Security News Feed is edited and compiled by the OWASP team to provide you with only high-quality posts focused on application security.
In some cases users turn off JavaScript for security reasons. HTML by itself has very limited scripting; in fact it has almost no scripting capability at all. Well, that is only true if one discards the FOR attribute on a label element, part of the form controls. I talked about this FOR attribute before and how to use it to trick users into uploading files from their computer secretly. The problem was that it required JavaScript. So I thought about that FOR attribute again: since it binds a label to another element, it is in fact some sort of scripting, or at least a kind of HTML logic that can be triggered when a user does something on an element.
It turns out that it is possible to submit forms with it, without JavaScript. Useful if you're into CSRF and all that. So what I did was the following: I made an HTML page, created a label, and inside the label I placed the BODY of the page, containing HTML and text. Interestingly, the LABEL and its content now act as the button itself, through the binding of the FOR attribute alone, and invisibly so. That means that when you select text or click somewhere inside the body, the binding becomes active and the instruction to submit the form is executed without any scripting at all.
My only hope is that it does not create a binding between OBJECTS and LABELS, as stated in the Forms RFC[1], where OBJECTS are also listed as control types alongside fields, buttons and other form items. That would mean it would be possible to activate OBJECTS by binding labels to them.
Label binding example (the form and the submit button with id="action" are assumed here; the original page showed only the label, the body and the page text). A label's FOR attribute may reference a control anywhere in the document, so a click, or a text selection, anywhere inside the label activates the submit button and the form is posted with no script involved:
<label for="action">
<body>
<!-- assumed: the form the label's FOR attribute targets; the action URL is a placeholder -->
<form method="post" action="http://target.example/">
<input type="hidden" name="field" value="value">
<input type="submit" id="action" value="submit">
</form>
Etymology of "Foo" 1 April 2001 When used in connection with `bar' it is generally traced to the WW II era Army slang acronym FUBAR (`Fucked Up Beyond All Repair'), later modified to foobar. Early versions of the Jargon File [JARGON] interpreted this change as a post-war bowdlerization, but it now seems more likely that FUBAR was itself a derivative of `foo' perhaps influenced by German `furchtbar' (terrible) - `foobar' may actually have been the original form.
</body>
</label>
When MSIE8 beta 2 launched a few days ago, I took it for a little spin to see whether it does what it says it does. I'm actually quite happy and surprised with the XSS filter, but one thing is quite concerning in my opinion. I talked with David Ross from Microsoft about it over the weekend and explained my thoughts on putting slashes in vectors to subvert the XSS filter.
Since the XSS filter is signature based, I came up with a simple idea to bypass it in certain situations. I know that many programmers call PHP's stripslashes() as a kind of automatic reflex on data that comes either from the query string or out of a database. Since the XSS filter analyzes the query string as it is sent, it is possible to bypass it when the programmer runs stripslashes(), or a custom replace function, over the requested data: a backslash placed inside the vector breaks the signature on the wire, and the application removes it again before echoing the value. Moreover, since many PHP installations still have magic_quotes_gpc enabled, programmers use stripslashes() to remove the added slashes, so this scenario is not exotic.
In such cases, the XSS vector passes the XSS filter. Since the XSS filter exists to prevent exploitation of common programming mistakes, it is likely that those same programmers also use slash removal functions as a no-brainer. So far, this XSS filter is quite nice and it does its job very well and cleanly. While it is a minor issue, I really want to see protection against it, since it is a common occurrence and far from trivial.
So I had a little fun with a new soundboard I created, starring the famous Dan Kaminsky. Yes, the DNS guy, for those who don't know him. A soundboard is used for making prank phone calls, which in turn can be hilarious if you get the right victim to fall for it. Otherwise, it's just good old fun. I thought Dan was the right person for my new soundboard, because, well, it's always fun to hear him talk. I have many of his talks as mp3s, so it was easy to compile a wide range of sound clips. Just enough for a good, but quirky, prank call. So, enjoy. And if you intend to use it, use it with care, eh? :)
It is very easy to use. Just click on a text to let Dan rant!
This is just a walk in the park, really. Google has been on their servers before, due to some weird configuration setting. But well, it's nice to look a couple of months later to see what Fox actually did to secure it. Nothing, right? So this stuff isn't very post-worthy and only annoying, but I reckoned it might wake up someone who also serves up 10-year-old Perl/CGI files. I mean, what is wrong with these people if I can gain access to a huge user database using nothing but my browser? So much for trusting Fox with all your personal details! So what I'll do is go through the steps; I won't show the 100K user database because Google already has it. Ask Google, not me. It has probably been public since 1997.
See, they use the function dbmopen and access a database or directory storing user data because NDBM is enabled. The thing is, you can access that db through your browser quite simply, because the dbm files sit inside the web root and the server hands them out like any other static file. Just request dbname.dir and you'll download the whole directory file, or dbname.pag to download the page file. Or even better: dbname.data for a complete database.
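As an added example (not Fox's code and not Perl's), the following Python uses the portable dbm.dumb module as a stand-in for Perl's dbmopen() with NDBM: it writes a small user database under a constructed cgi-bin directory inside a document root, then performs the two checks a practitioner would want: are there dbm files discoverable under the web root at all, and do their raw bytes, which a static file handler would serve as-is, contain the records in clear. The records, paths and the suffix list are constructed; the suffixes cover the common dbm implementations (NDBM/SDBM use .dir/.pag, Berkeley DB uses .db, dbm.dumb uses .dat/.dir).

```python
import dbm.dumb
import os
import tempfile

# File suffixes written by common dbm implementations (assumed list, extend as
# needed): NDBM/SDBM write <name>.dir and <name>.pag, Berkeley DB writes
# <name>.db, and Python's dbm.dumb, used below as a stand-in, writes
# <name>.dat and <name>.dir.
DBM_SUFFIXES = (".dir", ".pag", ".db", ".dat")


def write_user_db(path):
    """Stand-in for the Perl dbmopen() user store; the records are made up."""
    with dbm.dumb.open(path, "c") as db:
        db[b"jdoe"] = b"jdoe:s3cret:jdoe@example.com"
        db[b"asmith"] = b"asmith:hunter2:asmith@example.com"


def find_exposed_dbm(docroot):
    """Return dbm files living under the document root, as web-style relative
    paths. Anything listed here is one GET request away from being downloaded."""
    hits = []
    for root, _dirs, files in os.walk(docroot):
        for name in files:
            if name.lower().endswith(DBM_SUFFIXES):
                rel = os.path.relpath(os.path.join(root, name), docroot)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def file_contains(path, needle):
    """Raw read of the file, exactly the bytes a static file handler serves."""
    with open(path, "rb") as f:
        return needle in f.read()


def demo():
    """Constructed docroot with a dbm user store inside cgi-bin."""
    docroot = tempfile.mkdtemp(prefix="docroot-")
    cgi_dir = os.path.join(docroot, "cgi-bin")
    os.mkdir(cgi_dir)
    write_user_db(os.path.join(cgi_dir, "users"))   # becomes users.dat / users.dir
    exposed = find_exposed_dbm(docroot)
    # The password field is readable straight out of the data file.
    leaked = file_contains(os.path.join(cgi_dir, "users.dat"), b"hunter2")
    return exposed, leaked


if __name__ == "__main__":
    files, leaked = demo()
    print("dbm files under docroot:", files)
    print("plaintext record readable from raw file:", leaked)
```

The fix is not a smarter scanner: keep the database outside the document root, or at minimum configure the web server to refuse to serve these suffixes, and run the scan above as a regression check afterwards.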
They have old PHP3 configurations running, giving me complete PHP code access whenever I want. A screenshot below as proof of a simple PHP injection:
Indeed, top secret, eh?
Then I got bored; it's so annoying to stumble upon this.
You might have seen the new Apache Tomcat <= 6.0.18 vulnerability found by Simon Ryeo[1]. The vulnerability involves a problem in Tomcat's processing of UTF-8 encoded URIs, which results in directory traversal and canonicalization issues while mapping the paths. If allowLinking is enabled on the Context (context.xml) and the Connector's URIEncoding is set to UTF-8 (server.xml), directory traversal becomes possible. Curiously enough, this is pretty much the de facto setup on *NIX systems. Ah, the joy of standards! I don't know what is happening at Apache, but Tomcat is quite often vulnerable. It isn't the first time, as you see.
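As an added example (not Tomcat's code and not the fix Apache shipped), here is a Python model of a path-mapping order that avoids this class of bug: percent-decode the URI to bytes, decode those bytes as strict UTF-8 so that overlong sequences such as %c0%ae (an illegal two-byte spelling of '.') are refused instead of silently becoming '.', reject '..' segments on the decoded text, and only then resolve the path and verify that it still lies inside the document root. The document root, the page, the symlink and the request paths are constructed for the demo; the allow_linking parameter stands in for the allowLinking setting.

```python
import os
import posixpath
import tempfile
import urllib.parse


class BadRequest(Exception):
    """Raised for any request path the server should refuse outright."""


def decode_uri_path(raw_path):
    """Percent-decode to bytes, then decode as *strict* UTF-8.

    Strict decoding rejects overlong sequences such as %c0%ae (an illegal
    two-byte spelling of '.'); a lenient decoder would turn %c0%ae%c0%ae into
    '..' after a byte-level traversal check has already looked at the path."""
    raw = urllib.parse.unquote_to_bytes(raw_path)
    try:
        return raw.decode("utf-8")
    except UnicodeDecodeError as exc:
        raise BadRequest("malformed UTF-8 in request path") from exc


def map_to_docroot(docroot, raw_path, allow_linking=False):
    """Resolve a request path below docroot.

    Order matters: decode first, then reject '..' segments, then look at where
    the real path (symlinks resolved) ends up. With allow_linking=False a
    symlink that leaves the document root is refused; allow_linking=True is the
    weak setting that follows it."""
    decoded = decode_uri_path(raw_path)
    if "\x00" in decoded:
        raise BadRequest("NUL byte in request path")
    if ".." in decoded.split("/"):
        raise BadRequest("directory traversal sequence")
    relative = posixpath.normpath("/" + decoded.lstrip("/")).lstrip("/")
    root = os.path.realpath(docroot)
    candidate = os.path.join(root, *relative.split("/")) if relative else root
    resolved = os.path.realpath(candidate)
    inside = resolved == root or resolved.startswith(root + os.sep)
    if not inside and not allow_linking:
        raise BadRequest("path resolves outside document root")
    return resolved


def _refused(docroot, raw_path, **kw):
    try:
        map_to_docroot(docroot, raw_path, **kw)
    except BadRequest:
        return True
    return False


def demo():
    """Constructed document root with one page and one symlink pointing outside."""
    base = tempfile.mkdtemp(prefix="tc-")
    docroot = os.path.join(base, "webapps-ROOT")
    os.mkdir(docroot)
    with open(os.path.join(docroot, "index.html"), "w") as f:
        f.write("<h1>ok</h1>")
    secret = os.path.join(base, "secret.txt")
    with open(secret, "w") as f:
        f.write("not for the web")
    results = {
        "plain": map_to_docroot(docroot, "/index.html").endswith("index.html"),
        "overlong_dot": _refused(docroot, "/%c0%ae%c0%ae/secret.txt"),
        "encoded_dotdot": _refused(docroot, "/..%2fsecret.txt"),
    }
    try:
        os.symlink(secret, os.path.join(docroot, "link"))
    except (OSError, NotImplementedError):
        results["symlink_refused"] = None        # platform without symlink support
        results["symlink_followed_when_linking_allowed"] = None
    else:
        results["symlink_refused"] = _refused(docroot, "/link")
        results["symlink_followed_when_linking_allowed"] = (
            map_to_docroot(docroot, "/link", allow_linking=True) == os.path.realpath(secret))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The two halves of the original issue map onto two checks here: strict decoding closes the encoding hole, and the realpath containment check is what allowLinking=true switches off, which is why the combination of the two settings was what made the traversal exploitable.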
A short update on this week's developments. Let's start with how to impress girls.
I just read some slides from Black Hat, and the ones that caught my interest were the slides from Mark Dowd and Alexander Sotirov[1]. I guess I don't have to explain who those gentlemen are. Now, what caught my eye was a mention of using verbatim DLL references in an object. Usually, with ActiveX, we load the classid, which in turn links to the DLL. In this case, they just load the DLL into the object directly, and that raises no warning in the Internet Zone. Clearly this is a very notable find and certainly material to impress girls with, because I never assumed that was possible. It shows again that a solution is always in its environment. It's simple, but brilliant.
That is only one tiny part of the paper; go read it if you are interested. It is a real eye-opener. It covers:
- "Stack Spraying", an alternative method to heap spraying with some additional benefits
- Exploiting poor permissions, such as Java's RWX memory allocator, and
- Utilizing .NET binaries to map data at an attacker-controlled memory location.
Adobe fixes heap corruption.
Some time ago, I found that Flash9c.ocx was vulnerable to heap corruption, and that it is possible to overflow the SWRemote property of the Flash9c.ocx interface with a very long string generated in VBScript. In my test case it ran for about 30 seconds before crashing and raising an exception; when I tried to kill it, it could result in a full system freeze. After updating Flash, it seems Adobe fixed this silently, in Flash9f.ocx at least. A real bummer for personal research: I cannot reproduce it anymore, because I did not keep a copy of Flash9c.ocx for future research. Anyway, I have learned to make copies now.
Now, the interesting thing is that I fuzzed all classes in that particular DLL, regardless of whether they were considered fuzzable or not. It turns out that in black-box fuzzing you can find vulnerabilities that you would not find when fuzzing on assumptions, like COMRaider does for example. Secondly, I used two Flash objects, that is, two DLL class calls, and that made a difference in finding this vulnerability. HD Moore once said that you have to know what to fuzz for. This is true in some sense, because it speeds up your fuzzing. But the drawback is that you cannot cover all possibilities and quirks. The very vulnerabilities you look for might not be findable without hammering all classes, fuzzable or not, because in this case it turned out that it certainly was.
I have been in contact with Sandro from EnableSecurity a couple of times before. But the last time I talked with him, he described a very interesting concept that I had not seen before. He called it Surf Jacking: HTTPS will NOT save you[1]. Well, what can I say; given the DNS mayhem that has been going on lately, this is another hot coal that should be understood by everyone in the security industry before attackers start to use it in the wild.
Watch the video by Sandro Gauci from EnableSecurity demonstrating Surf Jack:
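The attack works because a session cookie that the HTTPS site sets without the Secure flag is also attached to plain http:// requests for the same host, so an attacker who can steer the victim's browser to http://<host>/ (Surf Jack does this by injecting a redirect into some other plain-HTTP response) sees the cookie in clear on the wire. As an added example, not part of Sandro's material, the following Python uses the standard library cookie jar, which applies the same Secure rule a browser does, to show which cookies leak, and adds a small audit for Set-Cookie headers. The host bank.example, the cookie names and the header values are made up.

```python
from http.cookiejar import Cookie, CookieJar
import urllib.request


def make_cookie(name, value, domain, secure, http_only=False):
    """Build a Netscape-style cookie the way a browser stores it after a
    Set-Cookie header from https://<domain>/ (constructed, not captured)."""
    rest = {"HttpOnly": None} if http_only else {}
    return Cookie(
        version=0, name=name, value=value,
        port=None, port_specified=False,
        domain=domain, domain_specified=False, domain_initial_dot=False,
        path="/", path_specified=True,
        secure=secure, expires=None, discard=True,
        comment=None, comment_url=None, rest=rest, rfc2109=False,
    )


def cookies_sent_to(jar, url):
    """Names of the cookies the jar would attach to a request for url.
    The jar's policy withholds Secure cookies from non-https schemes."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    header = req.get_header("Cookie")
    if not header:
        return []
    return [part.split("=", 1)[0] for part in header.split("; ")]


def surf_jack_exposure(jar, host):
    """Simulate the attack: the victim's browser is made to fetch a plain
    http:// URL on the target host; whatever gets attached travels in clear."""
    return cookies_sent_to(jar, "http://%s/" % host)


def audit_set_cookie(header_value):
    """Flags a session cookie is missing, from a raw Set-Cookie header value."""
    attrs = {a.strip().split("=", 1)[0].lower() for a in header_value.split(";")[1:]}
    return [flag for flag in ("secure", "httponly") if flag not in attrs]


def build_example_jar():
    """Two cookies from the same HTTPS host: one set carelessly, one correctly."""
    jar = CookieJar()
    jar.set_cookie(make_cookie("PHPSESSID", "abc123", "bank.example", secure=False))
    jar.set_cookie(make_cookie("SESSION_SECURE", "def456", "bank.example",
                               secure=True, http_only=True))
    return jar


if __name__ == "__main__":
    jar = build_example_jar()
    print("sent over https:", cookies_sent_to(jar, "https://bank.example/"))
    print("leaked by surf jack:", surf_jack_exposure(jar, "bank.example"))
    print("missing on 'PHPSESSID=abc123; path=/':",
          audit_set_cookie("PHPSESSID=abc123; path=/"))
```

The check to run against your own application is the last function: every Set-Cookie that carries a session identifier must include Secure (and HttpOnly), and the server should not answer on plain HTTP for that host at all, because the redirect the attacker injects only needs the browser to start an http:// request for the cookie to leave the machine.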
Amateurs hack systems, professionals hack people. -- Bruce Schneier.
Waking up means you stop dreaming and wake up into truth. But what happens when you wake up in a prison that you never knew was one? Then you still have not woken up. Where is your freedom? Do you have freedom? It is time to claim back the original freedom and sovereignty they stole from you. Unless you are perfectly happy feeding the hand that bites you. So, for starters, let's reverse-engineer law, which is code too.
Now the fun stuff:
Irene Gravenhorst, a human woman living in Common Law jurisdiction, is confronted by a police officer in Admiralty/Maritime Law jurisdiction. Watch the interaction, and notice that in order to convince Irene to sign his "ticket", the police officer agrees to a contract with Irene for three billion dollars. Remember: this is the case for almost any country, including The Netherlands where I live. It is one of the biggest secrets concealed. The artificial you (the all-capitalized name) that the government created at your birth is your legal name and it is not you. It is your straw man. Note that these ideas were pioneered by Jordan Maxwell in 1959. Learn more about Irene here.
We are told that we live in a free society. There is no greater test of freedom than being able to leave. In order to understand this idea better, we need to know some words and their definitions. First off, a society is a group of people joined together by mutual consent to deliberate, determine and act for a common goal. Notice how there is no mention of geographical area? Being in a certain geographical area might give you the right to join a society; however it cannot create an obligation to join. See that mutual consent part? Pay attention to it, it will become very important.
Now what is a statute? Is a statute law? The answer is yes and no. It is not the law, but it is a rule, which has the force of law, within a society. Statutes are the laws of a society. Outside of society, they have no effect at all.
I look at society as a house party, not a prison. At this party, there is food and music. We have a system set up which is supposed to determine what music is played and what food is served. This system is supposed to be democratic in nature, where the majority decides. Now if you don't like the food, music, rules of the house, or the system designed to determine those things, you are perfectly free to leave. Maybe in the house (in society) you can't smoke or own a gun. Does this mean you can't do those things once you leave? Of course not! If you are no longer in the house, its rules no longer apply to you. These statutes which governments call laws, are all the laws of the society, or the house. Leave society, and these rules are no longer your laws. Those remaining behind will still have to obey them, you will not. Of course, you won't be able to eat the food or listen to the music (collect benefits), either.
The simple fact is if this is a free society, we have the right to leave. If we do not have that right, it is neither free, nor a society. If our society was a house party, this is what we would see. At the food table, they are serving scraps and crumbs, while we hear them in the back kitchen whooping it up with their supplier friends (bankers). The music is either a Military March or a Polka. The waiters (government workers) are acting more and more like prison guards. There are mirrors everywhere, not enough seats and more than enough smoke. The door leading out of this party has been well hidden and hasn't been opened for a long time. They might have even welded it shut. If we are to have a free society, then every once in a while, someone must leave. This will ensure that people know they are free to do so; someone must guard that door and ensure it opens easily. This will also allow those remaining in the house, to see what it's like outside, without venturing forth themselves. If they decide it's better outside, then they too are free to leave.
I intend to leave society. I am not moving physically, either. As a human being born in this country, I have the Common Law right to travel anywhere within it. I also have the right to join or not join societies as I see fit. I cannot be forced to consent. If I refuse to consent, none of the statutes everyone else calls laws will have the force of law with me.
I am leaving this party, not because I reject society, but because I wish to embrace it. I want a good one. One that is as free as can be. I reject the way in which this society deliberates, determines and acts for the common goal. I am not even sure we all have a common goal anymore. Those we elect to provide us with food and music are not doing their jobs. The servants are getting uppity and actually think they are in charge. They stole my family and did so unlawfully. The RCMP refuses to investigate them and the elected representatives are not doing their jobs. I am sick of the rules of this house, the meager portions and the blaring music. I will open this long closed door, stand on the other side and wave at you. I will do things lawfully that you cannot do, for you are still in the house.
When I am outside your society and therefore free of its rules, this does not mean there is no law. I do not claim the right to harm another human being, damage property, engage in fraud or extortion or break contracts. I will follow the Law. I just won't give statutes created by governments the force of law. I will achieve this by constructively denying consent to be governed.
When I see that members of society once again have recourse to the Law and those we elect to 'serve the food' are serving more than they eat, when these statutes are less deceptive and I know that the door outside is wide open at all times instead of being so well hidden, when the servants are acting more like servants, when the portions are bigger and there is less reveling in the kitchen, when the RCMP are abiding by the law and willing to investigate government ministries, then I will consider rejoining.
When you see me traveling down the road in my automobile, exercising my Common Law right to travel, and I do not have a license, know I am not breaking the law. Please don't moan about how we all have to follow the same rules. You are in a society, and I am not. You have consented and I have not. You have benefits that I do not. You are free to give up those benefits for more freedom, just as I will have done. Also, please do not think I am rejecting those staying behind in this society. Like a scout doing recon, I am giving up the security you enjoy, to ensure that you don't lose your freedom. At the risk to myself, I am going outside to see what the weather is like. I am doing it for you. I will come back with a report. My actions will clear much of the smoke, and I might break a mirror or two on the way out.
Do not be angry with me for becoming aware of government deception, or for acting against it. If you insist on being angry then be angry with those who have hidden this door to freedom from you for so long. Be angry with those who tore apart a family and denied citizens recourse to the law. Be angry with the RCMP for refusing to investigate a government ministry just because it is a government ministry. Be angry with your elected representatives for refusing to address crimes within that same ministry. Be angry with them for using so much deception in their legislation. Be angry with the media for constantly referring to new statutes as laws, instead of telling you they are nothing more than the rules of society and that you are free to leave that society if you don't like the new statute.
The freedom you will achieve by me opening this door and leaving society will cost you nothing and it will empower you over those who claim they are your government. If we are to have a free society, this door must be open at all times. There is not one person among you who can lawfully force me to consent to being governed, nor is there one among you who can lawfully apply society's statutes to me when I am outside of society. - Robert Arthur Menard.