Monday, April 26, 2010

Thotcon Slides - SSL Screw Ups

Here are the slides from Friday's Thotcon presentation on SSL. Great conference! Enjoy the slides.

-Michael Coates

Monday, April 19, 2010

OWASP Top 10 Released

OWASP Top 10 - 2010 has been officially released.  Download the pdf now.

The 2010 Top 10
Lots more detail in the document itself. Make sure to take a look.

Also, towards the end of the document is a section labeled "Additional Risks to Consider". I encourage you to read "Lack of Intrusion Detection and Response"

-Michael Coates

Thursday, April 15, 2010

IE8 XSS Bypass - BlackHat Europe Slides

IE8 and the anti-XSS control has been discussed in several articles and recent posts (here, here and here). The researchers that discovered the XSS issue in the anti-XSS control (ironic huh) presented at Blackhat and the slides are below.

The gist of the issue is that a flaw in the anti-xss control introduce XSS into otherwise safe sites.  Needless to say, this is really bad.

[pics from presenter's slides]

This issue has been fixed by a Microsoft patch. So although there is an attack vector against vulnerable users, this would include people that have upgraded to IE8 but haven't applied recent patches.  I would guess this is not a large number (no data to back that up).

However, the issue does raise a bigger issue, the blacklist approach and sanitation performed by IE8's XSS could introduce XSS vulnerabilities into an otherwise safe site.  That is a scary scenario. As the presenters put it, you shouldn't necessarily disable the XSS protection, but you should be ready to disable if a 0-day against the XSS filter is released.

Slides from the event

A little further analysis on one of the above examples:

I looked into the Wikipedia example. The url is as follows (this will fire in a vulnerable version of IE8)"/wiki/File:Wikipedesketch1.png"class="image"><img alt=

This plays off of the already present code in the wiki which looks like this:

<div class="thumbinner" style="width:222px;"><a href="/wiki/File:Wikipedesketch1.png" class="image"><img alt="x onerror=alert(1) onload=alert(2) y"src="" width="220" height="224" class="thumbimage" /></a>

The anti-xss filter regex fires on the URL and modifies the response. The modified response then changes from benign text to malicious XSS and hence the alert(2) fires.  Interesting stuff. See the presentation for a more in depth description.

-Michael Coates

Monday, April 12, 2010

Presentation SSL Screw-Ups @ Thotcon - Chicago 4/23/2010


What: THOTCON 0x1
When: Friday, April 23, 2010
Where: TBA - 1 Week Prior to Conference
Tickets: SOLD OUT!

THOTCON (pronounced \ˈthȯt\ and taken fr
om THree - One - Two) is a new small ven
ue hacking conference based in Chicago I
L, USA. This is a non-profit, non-commer
cial event looking to provide the best c
onference possible on a very limited bud

*** SCHEDULE ***************************