Comments on: Snippets of defense Pt.I http://www.gnucitizen.org/blog/snippets-of-defense-pti/ Information Security Think Tank Fri, 29 Aug 2008 18:21:13 +0000 http://wordpress.org/?v=2.6.1 By: Content Injection: Hack the Hacker » Inking's Security Blog http://www.gnucitizen.org/blog/snippets-of-defense-pti/#comment-118629 Content Injection: Hack the Hacker » Inking's Security Blog Fri, 11 Apr 2008 14:48:11 +0000 http://www.gnucitizen.org/blog/snippets-of-defense-pti#comment-118629 [...] (i.e. logging, blocking etc). Check out some of Mario’s code snippets of defense for the idea: here, here, here, and [...] [...] (i.e. logging, blocking etc). Check out some of Mario’s code snippets of defense for the idea: here, here, here, and [...]

]]> By: Content Injection: Hack the Hacker | GNUCITIZEN http://www.gnucitizen.org/blog/snippets-of-defense-pti/#comment-118625 Content Injection: Hack the Hacker | GNUCITIZEN Fri, 11 Apr 2008 14:07:31 +0000 http://www.gnucitizen.org/blog/snippets-of-defense-pti#comment-118625 [...] logging, blocking etc). Check out some of Mario’s code snippets of defense for the idea: here, here, here, and [...] [...] logging, blocking etc). Check out some of Mario’s code snippets of defense for the idea: here, here, here, and [...]

]]> By: pdp http://www.gnucitizen.org/blog/snippets-of-defense-pti/#comment-62528 pdp Sun, 28 Oct 2007 17:01:09 +0000 http://www.gnucitizen.org/blog/snippets-of-defense-pti#comment-62528 bedirhan, excellent. I did something similar for <a href="http://www.gnucitizen.org/blog/technika" rel="nofollow">technika</a>. I needed to insert some code, but I did not wanted to pollute the <strong>this</strong> namespace with some random vars such as <strong>i</strong> or anything along these lines. My solution is the following: <pre><code>(new function () { return function (self) { // your code here }; })(this);</code></pre> This is almost like self executing, self destructive code. sweet! bedirhan, excellent. I did something similar for technika. I needed to insert some code, but I did not wanted to pollute the this namespace with some random vars such as i or anything along these lines. My solution is the following:

(new function () {
  return function (self) {
    // your code here
  };
})(this);

This is almost like self executing, self destructive code. sweet!

]]> By: bedirhan http://www.gnucitizen.org/blog/snippets-of-defense-pti/#comment-62522 bedirhan Sun, 28 Oct 2007 16:19:41 +0000 http://www.gnucitizen.org/blog/snippets-of-defense-pti#comment-62522 Sorry if this makes a duplicate post, but during the last one your domain seemed to go down :(. If we can change the code to; <pre><code>alert = (function(){ var old_alert = alert; return function(m){ // logging goes here old_alert(m); } })();</code></pre> then by-passing would be a little harder. This is creating private members thru closures. Sorry if this makes a duplicate post, but during the last one your domain seemed to go down :(.

If we can change the code to;

alert = (function(){
    var old_alert = alert;
    return function(m){
        // logging goes here
        old_alert(m);
    }
})();

then by-passing would be a little harder. This is creating private members thru closures.

]]> By: djteller http://www.gnucitizen.org/blog/snippets-of-defense-pti/#comment-56851 djteller Tue, 09 Oct 2007 21:14:55 +0000 http://www.gnucitizen.org/blog/snippets-of-defense-pti#comment-56851 Kuza55, this is against kiddies, and since 99% are using automated scripts that will work just fine. You can even obfuscate this code to make it harder to read. Always good to have logs, even if they are false you can learn from them. Kuza55, this is against kiddies, and since 99% are using automated scripts that will work just fine.
You can even obfuscate this code to make it harder to read.

Always good to have logs, even if they are false you can learn from them.

]]> By: kuza55 http://www.gnucitizen.org/blog/snippets-of-defense-pti/#comment-56300 kuza55 Mon, 08 Oct 2007 08:20:54 +0000 http://www.gnucitizen.org/blog/snippets-of-defense-pti#comment-56300 Personally I don't like this for two reasons: a) It places IDS logic into the web page, thereby giving it to the attacker b) It puts you in a position where an attacker can easily clog your IDS with false positives c) It won't work if referers are turned off Sure, in regards to (b), you could collect more data, but you still need some way to verify it - you might be able to automate this by getting some machine to visit the pages in the referer (or passed to your logged as a GET parameter), but that's just ugly (and seems like a wide open security hole), and it also tells you nothing about POST XSS's, and so unless you want to discount all the POST XSS's this detects, you would have to investigate every referer you get with no parameters (or parameters for which your page uses POST data). So while it might work, it will probably give people a false sense of security, and be a headache to administer if anyone malicious notices it. Personally I don’t like this for two reasons:

a) It places IDS logic into the web page, thereby giving it to the attacker
b) It puts you in a position where an attacker can easily clog your IDS with false positives
c) It won’t work if referers are turned off

Sure, in regards to (b), you could collect more data, but you still need some way to verify it - you might be able to automate this by getting some machine to visit the pages in the referer (or passed to your logged as a GET parameter), but that’s just ugly (and seems like a wide open security hole), and it also tells you nothing about POST XSS’s, and so unless you want to discount all the POST XSS’s this detects, you would have to investigate every referer you get with no parameters (or parameters for which your page uses POST data).

So while it might work, it will probably give people a false sense of security, and be a headache to administer if anyone malicious notices it.

]]> By: ascii http://www.gnucitizen.org/blog/snippets-of-defense-pti/#comment-56208 ascii Mon, 08 Oct 2007 01:46:40 +0000 http://www.gnucitizen.org/blog/snippets-of-defense-pti#comment-56208 @RoC_MM: thanks good bookmarklet! @RoC_MM: thanks good bookmarklet!

]]> By: RoC_MM http://www.gnucitizen.org/blog/snippets-of-defense-pti/#comment-56132 RoC_MM Sun, 07 Oct 2007 19:31:15 +0000 http://www.gnucitizen.org/blog/snippets-of-defense-pti#comment-56132 pdp, this is a good blog, I read it all the time. ascii, in cases like this, I use the "enlarge textareas" bookmarklet. Make a bookmark with this as the URL, then click it anytime you are on a page with a too small text box. <pre><code>javascript:(function(){var i,x; for(i=0;x=document.getElementsByTagName(%22textarea%22)[i];++i) x.cols += 150; })()</code></pre> pdp, this is a good blog, I read it all the time.

ascii, in cases like this, I use the “enlarge textareas” bookmarklet. Make a bookmark with this as the URL, then click it anytime you are on a page with a too small text box.

javascript:(function(){var i,x; for(i=0;x=document.getElementsByTagName(%22textarea%22)[i];++i) x.cols += 150; })()
]]> By: clinisbut http://www.gnucitizen.org/blog/snippets-of-defense-pti/#comment-56120 clinisbut Sun, 07 Oct 2007 19:03:45 +0000 http://www.gnucitizen.org/blog/snippets-of-defense-pti#comment-56120 Yeah it's a good way to detect when someone try to hack our site. But there is the famous Firebug extension for firefox that offers the console.log() to debug apps. Maybe a function like yours would be necessary for firebug? ps:I know my english is poor... Yeah it’s a good way to detect when someone try to hack our site.
But there is the famous Firebug extension for firefox that offers the console.log() to debug apps. Maybe a function like yours would be necessary for firebug?

ps:I know my english is poor…

]]> By: ascii http://www.gnucitizen.org/blog/snippets-of-defense-pti/#comment-56052 ascii Sun, 07 Oct 2007 15:15:57 +0000 http://www.gnucitizen.org/blog/snippets-of-defense-pti#comment-56052 hi mario! a simple bypass is <pre><code>alert=old_alert;alert("test");</code></pre> but i know you didn't intended this as a silver bullet, more like a kiddie protection. wisec has published some info on how to block the fetch/set of a cookie value for geko based browsers, it's more generic than trap alert() http://www.wisec.it/sectou.php?id=44c7949f6de03 it can be bypassed too using frames and other techniques (eg: you can try everything but if it's hooked in js it can also be reverted to the original in js). anyway why not? it's cheap! i'm going to implement both on my sities ps: pdp make this textbox larger please : ) hi mario! a simple bypass is

alert=old_alert;alert("test");

but i know you didn’t intended this as a silver bullet, more like a kiddie protection. wisec has published some info on how to block the fetch/set of a cookie value for geko based browsers, it’s more generic than trap alert()

http://www.wisec.it/sectou.php?id=44c7949f6de03

it can be bypassed too using frames and other techniques (eg: you can try everything but if it’s hooked in js it can also be reverted to the original in js). anyway why not? it’s cheap! i’m going to implement both on my sities

ps: pdp make this textbox larger please : )

]]> By: Kishor http://www.gnucitizen.org/blog/snippets-of-defense-pti/#comment-56043 Kishor Sun, 07 Oct 2007 14:52:17 +0000 http://www.gnucitizen.org/blog/snippets-of-defense-pti#comment-56043 Nice trick to get your app scanned for xss for free! Although, a frustrated attacker could add dummy entries to your logs. And since you believe that the log file contains accurate XSSs , you may have hard time removing those false entries. You may need something more at server side to detect such spamming. Nice trick to get your app scanned for xss for free!

Although, a frustrated attacker could add dummy entries to your logs. And since you believe that the log file contains accurate XSSs , you may have hard time removing those false entries.

You may need something more at server side to detect such spamming.

]]>