
ViewStateUserKey to prevent XSRF (CSRF or cross-site request forgery) in ASP.NET

ViewStateUserKey has been around for many years and is an easy solution to prevent the infamous XSRF or cross-site request forgery class of attack. It’s documented:...

IIS 6.0 %uNNNN unicode notation in the URL

I do a lot of web app pen testing. Character encoding is always an important part of many input validation test cases. Some people don’t realize that IIS takes straight unicode notation in the URL by...

Internet Explorer whitespace-as-comment hack to bypass input filters

When testing for XSS (cross-site scripting) issues, you often need to bypass filters and perform different sorts of encodings and other trickery. To be a good tester you also need to know how the...

To fuzz or not to fuzz web services…

Is it worth the time to run input fuzzing tests against web services? When engaging a client for a security review I’m often the one to pose this question. Sure, why not… right? Well honestly there’s a...

Web Services denial of service attacks – XmlTextReader

Most Web Services I look at are built using the .NET Framework and ASP.NET. Today we’re seeing more with ASP.NET’s AJAX extensions but that’s a different story. Many developers choose to implement SOAP...

New risks for old credentials

I was playing around with my Tivo this weekend and realized that many of the new features being offered on Tivo are handy but leave valuable information stored on your Tivo. How so? Well, Tivo now...

Whatever happened to?

One of the most useful sites on the Internet was the Ports Database at http://www.portsdb.org. Unfortunately it went missing over a year ago and has not returned. The best alternative I have found is...

Using ASP.Net session handling with secure sites (set the secure flag)

One of the common problems we see with many web applications is reliance on ASP.Net sessionID without understanding the security ramifications. ASP.Net provides web developers with a powerful means of...

Open redirects – what’s the problem?

Been getting this question a bit lately. First off, what's an open redirect? It's a function in your application which sends the user to some other location. The redirect could be a response from the...

Handling Unicode when marshalling from .Net to a platform invoke

By default, the .Net runtime will marshal a string (and fields in a value type) as an LPStr to a platform invoke (p/invoke) function. By default the .Net framework and runtime handle strings as UTF-16....

How safe is the safecrt handling of formatting strings?

One rule of thumb in c/c++ is that you should never let the user be in control of a formatting string. This has been recognized as a security bug for years, and one that has been mostly cleaned up...

IE Shortcuts for debugging 3rd party applications..

This is mostly a reminder for myself. But here are some useful shortcuts/tips for working in IE. CTRL-I: brings up the favorites menu, this is useful on those pop-ups that don't have upper menus to...

Powershell Grep

So, I spent a good couple of hours today trying to find an easy solution to the lack of grep on Windows. I've tried using findstr but the output gave me a headache trying to parse it. So I decided to...

useUnsafeHeaderParsing = what?

As software security people we usually like input restrictions to be tight. With .Net's HttpWebRequestElement.UseUnsafeHeaderParsing Property you can loosen up the way HTTP requests get parsed....

Let me see that certificate a little more closely. Part 1 – Validating the...

If you are developing a client to a server service that communicates over SSL, such as a Web Service, then it is your job to ensure your server is the "real deal" and not some rogue server or...

Cisco Type 7 is as bad as you can possibly get.

I always love learning cool new little features in the software I use. In this case, my coworker Ramsey came across a great Blog (http://blog.ioshints.info) on Cisco IOS and we picked up a new trick...

Unicode formatter characters lead to cross-site scripting in popular browsers

I'll be discussing some of the issues recently reported to Opera, Apple, and Mozilla at the 32nd Unicode Conference in San Jose next week. We discovered some issues with the way certain Unicode...

Generating test cases for Unicode-enabled software

When it comes to Unicode implementations, there’s a rich set of test cases to perform. Realizing it is the start. Automating it is the next step. At a high-level Unicode-related security bugs can be...

Watcher security tool for web applications

Watcher is being released under an Open Source license. With over 30 checks in its first release, it helps you find issues in your web-apps fast and effortlessly. Watcher is a Fiddler plugin that...

Eric Lawrence introduces Watcher tool at MIX09 Conference

I'm happy to say IE8 Security Program Manager and Fiddler author Eric Lawrence announced our Watcher tool at MIX09 today. Check out his talk at http://videos.visitmix.com/MIX09/T54F it's an eye opener...

Watcher v1.1.0 released

We've made some significant improvements to the Watcher web security and compliance auditing tool in version 1.1.0. New checks have been added, along with bug fixes and performance improvements. I wanted to...

Unibomber tool for specialized XSS testing

John Hernandez has been working hard at Casaba to build a specialized testing tool that automates some of the unique techniques we use to find cross-site scripting (XSS) bugs. At Black Hat I'm...

Microsoft CCI Framework for Deobfuscating .Net binaries. (Part 2)

So yesterday I talked about using CCI to remove attributes from .Net binaries, specifically the SupressIldasm attribute. I promised I’d put up some more code highlighting the framework’s benefits. So...

Watcher 1.3.0 released

A new update to the Watcher passive vulnerability detection and security testing tool has been released. Watcher is an open source addon to the Fiddler Web proxy that aids developers, auditors, and...

Watcher 1.4.0 released

A new update to the Watcher passive Web-vulnerability scanner has been released. Based on user feedback we’ve built out the Wiki documentation on Codeplex with more details about the issues identified...

We’re Hiring: Application Security Consultant and Researcher

Want to put your security research skills to the test in Seattle? We’re looking for junior and senior appsec consultants and vulnerability researchers to join Casaba – good work/life balance, salary...

List of characters for testing Unicode transformations and best-fit mapping...

I’m attaching two CSV files for use in test cases and tools. The uni2asc.csv contains all of the Unicode characters that map to something ASCII < 0x80. The bestfit.csv contains all of the known...

X5S V2.0… it’s coming!

So, it’s been a while since we’ve done any public updates to X5S. Over the last year, I’ve improved the algorithm and process significantly. Be on the lookout, it should be released within the next...

XML Hell presentation at Blue Hat v11

At Microsoft BlueHat v11 I’ll be delivering an internal-only briefing along with Matt Swann. While I can’t go into the confidential details of the talk, there are some things I want to mention that...

Microsoft “Roslyn” based REPL injection.

Microsoft recently released their new Compiler API codename “Roslyn”. If you haven’t checked it out yet you should. Here’s the link: http://msdn.microsoft.com/en-us/roslyn/. I wanted to get my hands a...

Porting Watcher checks to ModSecurity rules!

Earlier this year, Ryan Barnett at TrustWave’s Spiderlabs started porting some of Watcher’s checks to ModSecurity. After we chatted about this, I decided to get involved. We always liked the idea of...

Toor’n to San Diego for some MS-SQL post-exploitation

A little over a year ago I presented at SOURCE Seattle about SQL post-exploitation; discussing things that are still possible in the MS-SQL environment, as well as those techniques that people seem to...

Quick HTTP data extraction with Fiddler

FiddlerScript provides a good mechanism for quick n dirty tasks. Sometimes you just need to grep a pattern from a Web application and log it while you’re moving through the site. There are a number...

Wipe cookies with a custom Fiddler rule (and menu item)

Sometimes there’s a need to simply wipe all the cookies from an HTTP request. Maybe you want to re-issue a request without cookies, or maybe you want to browse a list of URLs to test that...

New Watcher rule for custom-defined pattern matching

The passive Web-application vulnerability scanner Watcher has been updated with a new check that allows you to define a custom pattern in the form of a regular expression. Each incoming HTML,...

CanSecWest 2013 and more MS-SQL Shenanigans

Once again I’ll be taking the SQL-show on the road, this time up to Vancouver, BC for CanSecWest 2013. My talk will focus on the methods and mayhem that can be had in a MS-SQL post-exploitation...

Everyone sucks at SSL (Part 1)

MSRC 271804 (Woops) In light of MSRC 2718704, released by Microsoft in mid-June, brings to light a glaring, obvious and known problem with current SSL certificate validation and its overarching...

Follow-up: Setting Up the SQL Development Environment

Since my talk at ToorCon in October, a few questions have come in asking how to compile the xsproc sources I released earlier. Just to make things easier on everyone (mostly me), I’ve decided to post a...

SQL Post-exploitation: Protections and Mitigations

Several questions have come up since giving my presentation in October at ToorCon; a lot of people want to know what they can do to protect themselves from the attacks I’ve outlined and what sort of...

Hot patching WinINET to access HTTPOnly cookies via InternetGetCookie

Preface: by removing these checks for HTTPOnly you are making cookie management less secure within the process. This is for testing/tools only and I DO NOT recommend doing this unless you’re absolutely...
