Netsparker’s Weekly Security Roundup 2018 – Week 05

Table of Contents
Why You Should Be Careful What You Put Into Your composer.json File
Why You Need to Use a Package Manager
Composer Package Manager Can Expose Sensitive Information
The Principle of Least Privilege Limits Exploitation Opportunities
It's all about SOP – How Anyone Can Steal Your Ethereum Cryptocurrency With DNS Rebinding
What are DNS, TTL and SOP?
How Attackers Can Game the System to Exploit a Local Application
The Problem With JSON-RPC and Local Web Servers

Why You Should Be Careful What You Put Into Your composer.json File

What do Joomla!, Typo3, MediaWiki and Matomo (formerly known as Piwik) have in common? Aside from the fact that all of them are popular, open source PHP projects with a large number of users, there is one similarity that you will only notice if you try to install the projects yourself, or if you look at their GitHub accounts.

Joomla!
Typo3
MediaWiki
Matomo

As you might have noticed, each project repository contains a composer.json file. What does it do? If all those popular applications...

Netsparker’s Weekly Security Roundup 2018 – Week 04

Every security researcher should develop their skills in reading and understanding RFCs. While they may not provide an exciting read, they can still help you decipher how certain protocols work and what obstacles developers might face while attempting to implement them. Here is one example of an RFC text. This text was taken from RFC 7231 and explains those cases in which the server should send a Content-Type header. For those not familiar with the vocabulary in these documents, they contain various key words for developers, to help them correctly implement the protocol's features. The keyword 'SHOULD' from the sample RFC has a very specific meaning. It is defined in RFC 2119, Key words for use in RFCs to Indicate Requirement Levels, as follows: This word, or the adjective 'RECOMMENDED', means that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course. This means that developers don't necessarily have to implement functionality marked with the 'SHOULD' key word, if they have good reason. But what happens if the server doesn't send a proper Content-Type header? How...

Netsparker’s Weekly Security Roundup 2018 – Week 02

Table of Contents
Directory Listings Can Lead Directly to Account Takeover
Are US Government Websites Accessible and Secure?
AlwaysOnSSL – A New, Free Certification Authority

Directory Listings Can Lead Directly to Account Takeover

Directory listings are one of the most frequently encountered issues in the Information Leak category. They occur when developers fail to properly configure their web servers. As with our other web security warnings, let's not underestimate this one! This week, we examine an experiment carried out by Nishaanth Guna, a 22-year-old Security Researcher who previously worked with AppKnox and Ernst & Young. Guna has blogged about a straightforward way to use directory listings to achieve account takeover. He'd encountered one during one of his penetration tests. He started his penetration test by enumerating the subdomains of his target domain by searching for them in the Certificate Transparency logs. He used the following short and elegant bash script to conveniently query the crt.sh website from his command line:

$ curl --silent https://crt.sh/\?q\=%.domain.com | sed 's/<\/\?[^>]\+>//g' | grep -i domain.com | tail -n +9 | cut -d ">" -f2 | cut -d "<" -f1

This is the list of domains his script returned:

www.domain.com
blog.domain.com
stag.domain.com

Guna performed a port scan of all the domains...

Netsparker’s Weekly Security Roundup 2018 – Week 01

Table of Contents
The Impact of Meltdown and Spectre On the Web
HTTP Verb Tampering and a phpMyAdmin Cross-Site Request Forgery

The Impact of Meltdown and Spectre On the Web

In January 2018, the discovery of two high-profile vulnerabilities in modern processors was disclosed by spectreattack.com. They were given the names Spectre and Meltdown. The researchers who discovered them worked at Google's Project Zero, various universities and even a private IT security company. Both vulnerabilities are caused by problems that arise due to the use of speculative execution, a technique modern processors employ for performance improvements. The impact of both is devastating. They enable the theft of sensitive data, passwords and encryption keys from the memory of affected systems. One major problem with these security flaws is that attackers can use them to read sensitive system memory, even if the code is executed inside a virtual machine (VM) or a sandboxed environment. This is why many companies are concerned about the sensitive applications they host in the cloud. If attackers manage to run code on the same server, which is often the case in shared environments, they can steal encryption keys and passwords from otherwise secure applications.

Netsparker’s Weekly Security Roundup 2017 – Week 52

Preload Saves Lives

Thanks to Google and projects such as Let’s Encrypt, there are more websites running on SSL/TLS now than a few years ago, which means the internet in general is getting more secure. The HTTP Strict Transport Security (HSTS) Preload List is a key element of SSL/TLS for web browsers. The problem is that if a website makes traffic encryption optional, it can be bypassed by Man in the Middle (MiTM) attacks. Moxie Marlinspike (pseudonym), founder of Open Whisper Systems, is an American security researcher who demonstrated at Black Hat in 2009 how he was able to prevent victims from using secure HTTPS connections and force them to use an unencrypted, plain HTTP connection instead. In order to do this he leveraged his SSLStrip tool. Theoretically, when a secure connection is established, it ensures both security and privacy. However, to establish a truly secure connection, HSTS is required. Websites that have HSTS configured instruct users' browsers to convert all future links to HTTPS. Perhaps you're thinking: "But I could just disable port 80. I could set up a routing process on the server side." The problem is that this still won't be enough to emulate the features HSTS provides....

Netsparker’s Weekly Security Roundup 2017 – Week 51

Finally – OWASP Top 10 2017!

Although the OWASP Top 10 vulnerability list is not a mandatory web security standards document, it plays a significant role in the cyber-security sector, not least because it is compiled based on data collected by the web security community, and has set the agenda since its first publication in 2004. A full four years since the last list (2013), OWASP has finally published its up-to-date Top 10 vulnerability list. It overcame much initial opposition: some controversial items were removed and some were revised during the preparation process. A preliminary, contentious draft was first published in April 2017. OWASP proposed the inclusion of A7: Insufficient Attack Protection, which many felt included a not terribly well-disguised reference to Contrast Security, the company that recommended the item for the list and that develops a Web Application Firewall (WAF) product. Naturally, this was met with opposition. After some changes, it was incorporated into another entry and ranked in 10th place as Insufficient Logging and Monitoring. There was also an entry for API Security in the first draft. However, it didn't make it into the final version. The final 2017 list has a lot of similarities when compared to the Top 10...