2008

Cookie forcing

Scary Beasts Security

It's time to write some coherent details about "cookie forcing", which is the name I've given for a new way to attempt to break into secure https sessions. This is surfjacking to the max - attacks an active MITM (man-in-the-middle) can attempt against an https application that follows best practices like marking its cookies secure; avoiding XSS and XSRF; etc.

Firefox cross-domain text theft... and a reappearance of the "302 redirect trick"

Scary Beasts Security

Here's the second bug from my PacSec presentation, and it's another Firefox one; kudos to the Firefox security team for their responsiveness. It's fixed in the recent 2.0.0.19 and 3.0.5 releases. It involves, yes, a cross-domain <script> tag. These remain a horrible wart in web app security; you have to make sure that any authenticated resource on your domain either does not have any side effects when parsed / executed as JavaScript, or is CSRF protected.

Opera, SVGs and Java applets

Scary Beasts Security

Opera 9.63 was just released with some security fixes. I reported one of these issues, but neither myself nor Tarquin (a super friendly and knowledgeable Opera security guy) could do anything significant with it, despite feeling uneasy about the feature. The issue is this: when an SVG image is included via an <img> tag, it is standard practice to disable running of JavaScript in that context.


E4X and a Firefox XML injection bug

Scary Beasts Security

Up-front credit to my colleagues Filipe Almeida and Michal Zalewski who led the way in E4X security research. If you haven't heard of E4X, or don't know why Firefox's E4X support should scare you, please consider reading this article. I've just released details for a recently fixed Firefox XML injection bug. It's one of those bugs that is in search of a good exploitation opportunity.


The Importance of User Roles and Permissions in Cybersecurity Software

How many people would you trust with your house keys? Chances are, you have a handful of trusted friends and family members who have an emergency copy, but you definitely wouldn’t hand those out too freely. You have stuff that’s worth protecting—and the more people that have access to your belongings, the higher the odds that something will go missing.

Firefox cross-domain image theft... and the "302 redirect trick"

Scary Beasts Security

Here's the first bug with full details from my PacSec presentation. It's fixed in the recent Firefox 2.0.0.18 update. Firefox 3 was never vulnerable. In a nutshell, decent modern browsers permit you to read the pixels from an image by rendering images to a <canvas> and calling the Javascript APIs getImageData or toDataUrl. Therefore, cross-domain checks are required on the usage of these APIs.


PacSec presentation

Scary Beasts Security

My recent PacSec presentation (with Billy Rios), entitled "Cross-domain leakiness", is now online. You can view it via this link. There's a new way to attack SSL-enabled web apps in there ("Cookie Forcing"); a bunch of serious browser cross-domain thefts (many not yet disclosed); and attacks against the paranoid one window / one tab browsing model. The slides by themselves are a little sketchy on detail.

Cross-domain leaks of site logins

Scary Beasts Security

Browsers suck. We're building our fortified web apps on foundations of sand. A little while back, I was talking with Jeremiah about an interesting attack he had to determine whether a user is logged into a given site or not. The attack relies on the target site hosting an image at a known URL for authenticated users only. It proceeds by abusing a generic browser cross-domain leak of whether an image exists or not -- via the onload vs. onerror javascript events.

Ode to the bug that almost was

Scary Beasts Security

This post is a tribute to the hundreds of bugs that never quite were serious, and the emotional roller coaster ride on which they take researchers. Some brief background. The skill in finding serious bugs these days isn't in being a demon code auditor or a furious fuzzer; there are thousands of these. The skill lies instead in finding a piece of software, or a piece of functionality, that has the curious mix of being important yet not having seen much scrutiny.

A dangerous combination of browser features

Scary Beasts Security

As browsers gain more and more features, the possibility increases for interesting or dangerous interactions between these features. I was recently playing with a couple of new browser features -- <canvas> and SVGs -- and found a cross-domain leak in the development version of Webkit: [link] Fortunately, no production versions of the major browsers are affected - and forearmed with this information, they can keep it that way.


Buffer overflow in libxslt

Scary Beasts Security

libxslt is an interesting attack surface; there are various places in which it is used to process untrusted stylesheets. This includes some browsers, although namespace issues seem to prevent the affected code from being reached in a browser context. Within libxslt itself, there are some built-in functions. These are usually a fruitful place to look for vulnerabilities, particularly those that take integers etc.


IDC Analyst Report: The Open Source Blind Spot Putting Businesses at Risk

In a recent study, IDC found that 64% of organizations said they were already using open source in software development with a further 25% planning to in the next year. Most organizations are unaware of just how much open-source code is used and underestimate their dependency on it. As enterprises grow the use of open-source software, they face a new challenge: understanding the scope of open-source software that's being used throughout the organization and the corresponding exposure.

On FTP, SSL and broken interfaces

Scary Beasts Security

Oh what a fun day I just had piecing together a few SSL changes for vsftpd! Let's start with a brief background on SSL. SSL provides not just secrecy but also integrity - an attacker cannot change your data stream in flight. This includes obviously changing data in the stream, and less obviously, truncating the stream. The interesting attack to truncate the stream is to fake a TCP packet with FIN set.


Lame OpenOffice PCX crash

Scary Beasts Security

Sorry for the lame vuln. It's something I was playing with over a year ago and I just happened to notice it got fixed. I forget what the original deal was. I'm only posting because this blog serves as an RSS feed for the scary.beasts.org main vuln list. [link] A more interesting OpenOffice observation is in the works.


Fancy an exploitation challenge?

Scary Beasts Security

So you think you're 1337? Check out these just released details of a buffer overflow in bzip2: [link] It looks pretty harmless, and it probably is... but I'd love for it not to be... if you think you have what it takes.


iPhone Safari update fixes old libxslt version

Scary Beasts Security

This story is both interesting and boring at the same time. Boring because I didn't find anything new -- I just noted the applicability of something old to Apple's Safari. I've made sure to credit the finder of the old bug that applies to Safari; unfortunately not everyone in the security industry credits the original finder of the bug when noting it applies to a new context.


Beware of Pixels & Trackers on U.S. Healthcare Websites

The healthcare industry has massively adopted web tracking tools, including pixels and trackers. Tracking tools on user-authenticated and unauthenticated web pages can access personal health information (PHI) such as IP addresses, medical record numbers, home and email addresses, appointment dates, or other info provided by users on pages and thus can violate HIPAA Rules that govern the Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates.

Sun JDK image parsing vulnerabilities

Scary Beasts Security

The technical details for this pair of vulnerabilities can be found here: [link] These vulnerabilities follow on from my original advisory in this area: [link] There are lots of interesting sub-stories here. The first is that exploitation of the heap buffer overflows (in both the old and new advisories) relies on the fact that the JDK environment has a SEGV handler installed.


Buffer overflow in Ghostscript

Scary Beasts Security

Given the huge amount of attention given to xpdf (and derivatives), it is surprising that not as much attention has been given to Ghostscript. Most Linux desktops will render both PDF and PS files directly from the web. The attack surface of Ghostscript is huge. Not only is it a Turing Complete language[*], but it has a rich set of runtime operators and APIs.


Your FTP / SSL solution is really secure, right?

Scary Beasts Security

Well no, not really. Almost all real-world usage of FTP over SSL has problems whereby the FTP data connection can be stolen (resulting in stolen downloads or forged uploads). The problem is mainly with FTP clients - if you require end users to generate their own SSL certs and manually enable sending them to the server, you've already lost on usability grounds.


Sun JDK6 XXE protection broken

Scary Beasts Security

Sun released JDK6u4 which fixes a possibly nasty issue where one of the XXE protection methods for the default XML parser was broken. My advisory is at [link] Sun's advisory is at [link] Secunia picked it up at [link] Web services are obviously a key concern here. I haven't checked to see how the common web service frameworks do XXE protection. It's possible to ban DTDs outright, but I'd suspect more common would be to use the broken parser property [link] I'd love feedback on specific affected

Software Composition Analysis: The New Armor for Your Cybersecurity

Speaker: Blackberry, OSS Consultants, & Revenera

Software is complex, which makes threats to the software supply chain more real every day. 64% of organizations have been impacted by a software supply chain attack and 60% of data breaches are due to unpatched software vulnerabilities. In the U.S. alone, cyber losses totaled $10.3 billion in 2022. All of these stats beg the question, “Do you know what’s in your software?

Owning the paranoid: browser background traffic

Scary Beasts Security

When I talk to a lot of security researchers or paranoid types, it's very common to hear them describe how they very carefully access their bank account or personal GMail etc. Generally, the model used is to launch a separate browser instance, and navigate straight to an https bookmark. The session remains single-window, single-tab. It's a powerful model; the intent is to eliminate the chance of another (http) tab being a vector for owning the browser, or more likely abusing a cross-domain flaw