Monday, February 16, 2009
Second XSS and Milw0rm Submission
Well, I found my second XSS vulnerability and now it is up on milw0rm! This is a persistent XSS vulnerability which makes it that much more damaging. The link is posted up on the "Milw0rm Submissions" sidebar. I am still waiting for the first XSS vulnerability that I discovered to be patched, but I'm still on the hunt for more!
Passed My C|EH
Thursday, February 5, 2009
Security Rant
I have something that I feel needs to be said about security in regards to companies and patches. I think most everyone who would read this would agree with me, and I hope in that respect we can get more people to push the subject along so here I go.
Patches, bugs, vulnerabilities, oh my! Every day you obviously hear about a new vulnerability in one piece of software or a bug in the next. It would be nice if these were gone, but obviously that is just not practical. Software manufacturers need to take a stronger interest in secure coding, but they are never going to find everything, so what do they do? Release patches, of course!
Now I am not downplaying patches; I love them, they are great. Fixing a hole in a piece of software that can "execute arbitrary code" should be at the top of everyone's list, but how do we know of these patches? We, as security researchers, usually find the vulnerability first and then wait adamantly until we see they have released the patch. But what about the ones we don't see? What about the patches that are released and we don't know about until it is too late?
I think companies need to take a stronger interest in letting their customers know when a patch is released. I know certain software has "auto-updates", but what about server software? I know of too many companies that release patches and just have an advisory on their site which contains a link to the patch. This is not just for commercial software; as most of you know, open source software is this way as well. What is wrong with this? THE PATCH "DISCOVERY" IS LEFT UP TO THE PERSON IN CHARGE OF RUNNING THE SERVERS AND CLIENT SOFTWARE!! Now, granted, they should be looking for updates to the software and properly testing them before pushing them out. I am also sure that most, if not all, of us also know that in any mid-sized company there can be so many different pieces of software running that it simply isn't practical to be looking every single day for a "possible" patch that has been released.
What is my proposed solution? Something simple and effective: e-mail! Tell me that you wouldn't love to be able to set up an e-mail account called "patches@~insert company name here~" and automatically be notified by all of the different companies in one central place when patches for your software are available!
In my opinion, this is an issue that definitely has to be addressed. If this became the norm and a company was compromised, they would have no one to blame but themselves and couldn't play the "Oh, I didn't know about that" game.
Anyone have any other ideas? Put them in the comments.
Contacted Back!
I actually got a response back from the company about my XSS vulnerabilities! I'm glad that not all hope is lost with reporting vulnerabilities and that some people take independent security researchers seriously. I have e-mailed them with all of the information they need and once they have reported back to me that a patch has been released, I will be releasing the PoC.
Saturday, January 31, 2009
First XSS Vulnerability Discovery!
I just discovered three non-publicly known XSS vulnerabilities! I contacted the company and I am currently awaiting a response (hopefully they actually get back to me this time). I'll be posting up a PoC on milw0rm as soon as a patch is released. As with my previous discovery, I will either post more information about the vulnerabilities here or in the actual PoC itself.
Sunday, December 7, 2008
Jasager and Airbase-ng Defenses
Mubix has a nice article on his blog about mitigations for Jasager and Airbase-ng attacks. The first part of the article is by Mubix and Ryan Pfleghaar of iamthekiller.net. Then, in the second "part" of the post, there is some input by me. You should go check it out at: Jasager: On the Defensive. You should also check out the comments area, where I have a little more insight on it as well: rAWjAW's comment.
Saturday, November 8, 2008
Passed the GPEN!