Tuesday, August 14, 2007

Scanning with Flash

Thanks to Rsnake I learned of a proof of concept for Flash scanning.



I had to enable JavaScript and have Adobe Flash installed. I used Firefox within Ubuntu 6.10. In the traffic you can see my host sending the following after finishing the three-way handshake.

09:31:34.348028 IP 192.168.2.8.44235 > 10.1.13.4.21: P 1:24(23) ack 1 win 1460
0x0000: 4500 004b 1f24 4000 4006 41d4 c0a8 0208 E..K.$@.@.A.....
0x0010: 0a01 0d04 accb 0015 f31e fbd2 a8ce 608e ..............`.
0x0020: 8018 05b4 df9f 0000 0101 080a 0018 e4f5 ................
0x0030: ea84 369b 3c70 6f6c 6963 792d 6669 6c65 ..6.<policy-file
0x0040: 2d72 6571 7565 7374 2f3e 00 -request/>.
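
The 23-byte payload in that dump is the NUL-terminated string <policy-file-request/>, which Flash Player writes on any raw socket it opens before ActionScript may use the connection. Flash only gets that far if the TCP handshake to the target port succeeded, so a page that drives Flash at a range of internal hosts and ports and watches which connections get that far has a port scanner that runs from the victim's browser. From the defender's side, the same string is a handy thing to hunt for in traffic: a client sending it to ports that are not 843 (the socket policy server port) on internal addresses is worth a look. The script below is an added example, not code from the post or from RSnake's proof of concept. It rebuilds the raw bytes from a tcpdump -X hex dump, parses the IPv4 and TCP headers, and flags segments carrying the Flash policy request. The first dump is the one printed above; the FTP "USER anonymous" dump is constructed for a negative case (its checksums are not meaningful and are not verified).

```python
"""Added example: rebuild the packet in a tcpdump -X hex dump and flag the
Flash socket policy request. Not code from the original post; the first
dump is the one printed in the post, the second is constructed here."""
import struct
from typing import Optional

# Bytes Flash Player writes on every raw socket it opens, NUL-terminated,
# before ActionScript is allowed to talk to that port.
FLASH_POLICY_REQUEST = b"<policy-file-request/>\x00"

# The segment from the post: 192.168.2.8:44235 -> 10.1.13.4:21, PSH/ACK.
POST_DUMP = """\
09:31:34.348028 IP 192.168.2.8.44235 > 10.1.13.4.21: P 1:24(23) ack 1 win 1460
0x0000: 4500 004b 1f24 4000 4006 41d4 c0a8 0208 E..K.$@.@.A.....
0x0010: 0a01 0d04 accb 0015 f31e fbd2 a8ce 608e ..............`.
0x0020: 8018 05b4 df9f 0000 0101 080a 0018 e4f5 ................
0x0030: ea84 369b 3c70 6f6c 6963 792d 6669 6c65 ..6.<policy-file
0x0040: 2d72 6571 7565 7374 2f3e 00 -request/>.
"""

# Constructed negative case (not captured traffic): the same flow carrying
# an ordinary FTP "USER anonymous" command. Checksums are not verified.
FTP_DUMP = """\
0x0000: 4500 0044 1f25 4000 4006 41da c0a8 0208 E..D.%@.@.A.....
0x0010: 0a01 0d04 accb 0015 f31e fbd2 a8ce 608e ..............`.
0x0020: 8018 05b4 0000 0000 0101 080a 0018 e4f5 ................
0x0030: ea84 369b 5553 4552 2061 6e6f 6e79 6d6f ..6.USER anonymo
0x0040: 7573 0d0a us..
"""

HEXDIGITS = set("0123456789abcdefABCDEF")


def hexdump_to_bytes(dump: str) -> bytes:
    """Rebuild raw packet bytes from tcpdump -X output.

    Each body row is "0xNNNN: <up to 8 groups of 4 hex digits> <ascii>".
    Hex groups are consumed until 16 bytes or a non-hex token (the ASCII
    column) is met; the caller trims to the IP total length afterwards.
    """
    out = bytearray()
    for line in dump.splitlines():
        tokens = line.split()
        if not tokens or not (tokens[0].startswith("0x") and tokens[0].endswith(":")):
            continue  # summary line, not a hex row
        offset = int(tokens[0][2:-1], 16)
        if offset != len(out):
            raise ValueError(f"non-contiguous dump at offset {offset:#06x}")
        got = 0
        for tok in tokens[1:]:
            if got >= 16 or len(tok) not in (2, 4) or not set(tok) <= HEXDIGITS:
                break
            out += bytes.fromhex(tok)
            got += len(tok) // 2
    return bytes(out)


def parse_ipv4_tcp(pkt: bytes) -> dict:
    """Minimal IPv4 + TCP header parser; returns endpoints, flags and payload."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4 or proto != 6:
        raise ValueError("only IPv4/TCP is handled")
    ihl = (ver_ihl & 0x0F) * 4
    tcp = pkt[ihl:total_len]            # drop anything past the IP total length
    if len(tcp) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, _seq, _ack, off_flags = struct.unpack("!HHIIH", tcp[:14])
    doff = (off_flags >> 12) * 4        # data offset covers TCP options too
    return {
        "src": ".".join(map(str, src)), "sport": sport,
        "dst": ".".join(map(str, dst)), "dport": dport,
        "psh": bool(off_flags & 0x08), "ack": bool(off_flags & 0x10),
        "payload": tcp[doff:],
    }


def flash_policy_probe(seg: dict) -> Optional[dict]:
    """Flag a segment whose payload is the Flash policy request.

    Seeing it on a port other than 843 (the socket policy server port) means
    a SWF opened a raw socket to that port and the handshake completed, i.e.
    the port answered; that is what a Flash-based scanner keys on.
    """
    if not seg["payload"].startswith(FLASH_POLICY_REQUEST):
        return None
    return {
        "client": f"{seg['src']}:{seg['sport']}",
        "target": f"{seg['dst']}:{seg['dport']}",
        "master_policy_port": seg["dport"] == 843,
    }


def scan_dump(dump: str) -> Optional[dict]:
    """Parse one tcpdump -X capture and return the finding, if any."""
    return flash_policy_probe(parse_ipv4_tcp(hexdump_to_bytes(dump)))


if __name__ == "__main__":
    for name, dump in (("post", POST_DUMP), ("ftp", FTP_DUMP)):
        print(name, scan_dump(dump))
```

Run it and the post's segment is reported as 192.168.2.8:44235 probing 10.1.13.4:21 with the policy request, while the FTP command is ignored. The parser stops reading hex groups at the first token that is not two or four hex digits, which is how the ASCII column is skipped; a short trailing row whose ASCII happens to look like hex would be misread, so for real captures prefer a pcap reader over scraping -X output.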

More to come, I'm sure.

On a related note, read Same-Origin Policy Part 1: Why we’re stuck with things like XSS and XSRF/CSRF by Justin Schuh and XSRF^2 by Dan Kaminsky.

12 comments:

Anonymous said...

Pretty cool. I see what you mean when you said the Web browser is the new operating system...

Vincent said...

I prefer to play with DNS Spoofing...
(^-^)

Imad said...

hi richard,

I used the link to see my open ports and I see that a lot of my ports are open.
I use a Netgear wifi router. Is that normal?

Imad.

Steven Andrés said...

Also worth checking out is the draft paper from some smart guys at Stanford (http://crypto.stanford.edu/dns). To prevent abuse, they require that you apply for an account before using it. I applied and was granted one within 12 hours of my original request. May be interesting to check out, Richard.

dre said...

Network security is dead. Don't bother learning application security - just drop out of the industry please.

Case example: Dan Kaminsky talking about CSRF (it's CSRF not XSRF please - how else am I going to pronounce it `sea-surf'?).

He just doesn't get it. CSRF doesn't need a password. That's why we call it session riding. That's why Microsoft coined it as the one-click attack (with the zero-click attack variant). He doesn't even understand DNS rebinding.

Also there are plenty of ways of protecting against DNS rebinding, XSS, CSRF, and Ajax attacks that cross the same-origin policy.

Not surprisingly, TAOSSA also presented a unique solution to the problem, but there is no working code for this (or content-restrictions) as of yet.

While LocalRodeo, NoScript, and forcing SSL are great ideas in theory - in practice there are still plenty of ways to get around these Firefox add-ons because Firefox does not pass the web application hacker sniff test. It probably never will. IE7, Opera, and Safari are no better (they're, in fact, usually quite worse).

My suggestion is to use a browser that does not support Javascript, Java, or Flash - and that has been through complex code review, Fagan inspection, and is well tested. Links or ELinks (ELinks has some Javascript support) are good candidates, as is the command line utility, curl. I trust Lynx or wget less than the above mentioned tools, although Lynx's lack of Javascript does make it a safer browser than any of the very popular ones out there. Also - Links and ELinks can utilize images properly.

In this article from gnucitizen, Tim Brown mentions in the comments that signed code (Javascript and Java) appears to be a sufficeable long-term solution.

Richard Bejtlich said...

Dre,

"Network security is dead. Don't bother learning application security - just drop out of the industry please."

Who are you addressing?

dre said...

Richard -

Whoever has been contributing to the myth that firewalls and IPS devices (or NAC, UTM, scan and patch, etc) protect against adversaries.

I know it sounds like I may be trying to harsh on you or Kaminsky - and while there is some truth to that - I really do like you guys and what you have to say. It's just that well, you're both a little late to the game and I'm disappointed.

What I'm really talking about are the new trends in information security and how these apply to the "old guard".

Also see anything and everything ever written by Marcus Ranum.

Richard Bejtlich said...

Dre,

I hope you don't think I'm contributing to that myth. I just posted two stories from Black Hat on the same subject.

As far as being "late to the game," sorry I'm not 31337 enough for you. Maybe if you blogged a little more often I would learn something?

I try to share a few thoughts here, while doing full time work that is not "security research." It must be fun to be paid to break things and live on the public edge, but the majority of us are too busy protecting customer assets with whatever our "old guard" minds can manage.

If you're "disappointed" then you're free to read someone else's blog.

dre said...

@ Richard: Yes, you're right. I was being a jerk about it.

It's not you that I'm trying to attack; it's mostly the vendors - which you are not. Any "defense-in-depth mantra" network security professional trying to defend customer assets does need to learn that what the vendors sell are not security products, but instead ways of stealing money. You're being lied to and you don't know it.

The snake-oil that comes out of selling security as a product is a huge problem that we are facing. We all have to change our minds and attitudes. I'm not trying to say that I'm better than you because "I've figured some of this out". In fact, I see it as quite the opposite. I still see network security professionals, network security vendors, pen-testers, and AV vendors as thinking that they are the 31337. The attitude that I still get from these folks is that they are above developers - that they know security best - that they know more about security than anyone else.

Maybe "disappointed" was the wrong word. Maybe "jaded" is a better one?

Richard Bejtlich said...

Hi Dre,

Ok, that's cool. I agree with what you said just now. I'm serious about you blogging more though. :)

dre said...

@ Richard: Heh. Yeah I apologize for coming off as intentionally mean.

Isn't blogging just as much about blog comments as it is about the blog entries? So by that theory - I do blog a lot.

Unfortunately, Google Reader doesn't include comments in their scraping routines.

Vincent said...

He can.
Comment's feed