Yesterday's ISSA (Information Systems Security Association) LA chapter monthly member meeting was highlighted by Jeremiah Grossman's presentation on Hacking Intranet Websites from the Outside and Best Practice Security Measures. Stan Stahl of Citadel Information Security Group and president of the ISSA-LA chapter invited us to this lunch meeting, which was very informative from a development and architectural perspective. I, along with a few work colleagues, attended and immensely enjoyed it.
Jeremiah is CTO of WhiteHat Security and a security enthusiast. In a brief conversation with him about CAPTCHA's effectiveness, he summarized it as "bad guys are winning". By using promiscuous websites as CAPTCHA validation engines, they have created a mechanical Turk to avoid bot detection; and of course the OCRs are getting better and better too. In response to another question about blocking IPs for suspicious activity, he mentioned that IP-based intelligence is not a bad solution, but in the presence of anonymity networks like Tor it's not quite deterministic and should be used with care. He also mentioned cross-site request forgery as one of the biggest upcoming threats, one that is getting more and more press.
The presenter listed the following as his top 10 Web 2.0 vulnerabilities and provided samples of each during his demo. Here is an excerpt from his blog; check out the full list there.
- Web Browser Intranet Hacking / Port Scanning - (with JavaScript and with HTML-only and the improved model)
- Internet Explorer 7 "mhtml:" Redirection Information Disclosure (PATCHED)
- Anti-DNS Pinning and Circumventing Anti-Anti DNS pinning
- Web Browser History Stealing - (with CSS, evil marketing, JS login-detection, and authenticated images)
- Backdooring Media Files (QuickTime, Flash, PDF, Images, Word [2], and MP3s)
- Forging HTTP request headers with Flash
- Exponential XSS (Multi-site propagation)
- Encoding Filter Bypass (UTF-7, Variable Width, US-ASCII)
- Web Worms - (MySpace, Xanga)
- Hacking RSS Feeds
Here is a link to his earlier talk this year. From a .NET developer's point of view, effective use of the framework's features to avoid XSS was highly recommended. Most of these issues would be covered by following the OWASP Top 10 best practices; however, web developers should also be at least aware of exploits that are beyond their control and are more browser/platform dependent (items 3, 4, 5 and 6 on the list), so they will be able to respond with a contingency plan in case of any such compromise.
With Ajax talking directly to web services, the risk of attack is on the rise. Here are multiple videos about Ajax hacking (and prevention using ASP.NET).
References: