BruCON 5by5 – WPScan Online Vulnerability Database

For those of you who have been living under a rock, BruCON is a security conference held every year in Belgium (originally Brussels, now Ghent). I have attended every BruCON conference since the second. Last year was the 5th time the conference had been held (correct me if I’m wrong) and so the year before (2012) they setup what they called 5by5. This allowed BruCON, as it’s a non-for-profit, to share its extra left over cash by supporting community projects.

Last year, they allocated up to 5,000 euros to 4 different community projects. These projects were:

1. OWASP OWTF (Abraham Aranguren)
2. The Cloudbug Project (Carlos Garcia Prado)
3. A tool a month (Robin Wood)
4. Eccentric Authentication (Guido Witmond)

As last year was such a success, they’re doing it again this year! And this year I put in a proposal!

Continue reading

What passwords is GitHub banning?

GitHub was recently the target of a large weak password brute force attack which involved 40k unique IP addresses. One of many of the security measures GitHub has now taken is to ban users to register with ‘commonly-used weak passwords’.

To find out what GitHub considers as ‘commonly-used weak passwords’ I decided to compile a list of GitHub valid passwords from a few password lists found online and one of my own.

GitHub’s password policy is reasonable (at least 7 chars, 1 number and 1 letter) so from all of the wordlists used only 331 passwords were found to conform to GitHub’s password policy.

Continue reading

SimpleRisk v.20130915-01 CSRF-XSS Account Compromise

1. *Advisory Information*

Title: SimpleRisk v.20130915-01 CSRF-XSS Account Compromise
Advisory ID: RS-2013-0001
Date Published: 2013-09-30

2. *Vulnerability Information*

Type: Cross-Site Request Forgery (CSRF) [CWE-352, OWASP-A8], Cross-Site Scripting (XSS) [CWE-79, OWASP-A3]
Impact: Full Account Compromise
Remotely Exploitable: Yes
Locally Exploitable: Yes
Severity: High
CVE-ID: CVE-2013-5748 (CSRF) and CVE-2013-5749 (non-httponly cookie)

3. *Software Description*

SimpleRisk a simple and free tool to perform risk management activities. Based entirely on open source technologies and sporting a Mozilla Public License 2.0, a SimpleRisk instance can be stood up in minutes and instantly provides the security professional with the ability to submit risks, plan mitigations, facilitate management reviews, prioritize for project planning, and track regular reviews. It is highly configurable and includes dynamic reporting and the ability to tweak risk formulas on the fly. It is under active development with new features being added all the time. SimpleRisk is truly Enterprise Risk Management simplified. [0]

Homepage: http://www.simplerisk.org/
Download: https://simplerisk.googlecode.com/files/simplerisk-20130915-001.tgz

Continue reading

Security Testing HTML5 WebSockets

Recently I became faced with my first Web Application Security Assessment which relied heavily on HTML5′s WebSockets.

The first clue that the application was using WebSockets was when the application kept giving me a timeout error while using my proxy of choice, Burp Suite. Looking at the HTTP requests/responses in Burp I noticed that a large JavaScript file was requested and downloaded from the server. Within this file I noticed a URL with the ws:// scheme, the WebSocket scheme.

TCP/HTTP?

The initial WebSocket handshake is carried out over HTTP using an ‘upgrade request‘. After the initial exchange over HTTP all future communication is carried out over TCP. On the application I was testing the WebSocket handshake over HTTP within WireShark looked like this:

Request:

GET /SocketHandler HTTP/1.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:23.0) Gecko/20100101 Firefox/23.0
Sec-WebSocket-Version: 13
Origin: http://www.example.com
Sec-WebSocket-Key: iiral7et1zfQMGu9udIYHA==
Cookie: Login=1234567
Connection: keep-alive, Upgrade
Upgrade: websocket
Content-length: 0
Host: www.example.com

Response:

HTTP/1.1 101 Switching Protocols
Upgrade: Websocket
Server: Microsoft-IIS/8.0
Sec-WebSocket-Accept: 9ZPK0lC0SB6dhIJHRt3q/GN88Ng=
Connection: Upgrade
Date: Fri, 30 Aug 2013 13:33:42 GMT

Continue reading