Messing with Web Filtering Gateways

Most of us are familiar with several techniques that allow us to bypass web filtering gateways like CS MIMESweeper.

The following are some of them:

access the desired site via IP address rather than domain name
access cached content rather than live data. i.e.: using Google’s cache: command
using proxies. i.e.: anonymouse, Google translator, etc
using alternative connections. [...]

more | comments | comments rss | posted by

Holes in Embedded Devices: Authentication bypass (pt 4)

This kind of authentication bypass bug can go easily undetected during a security assessment if not enough attention is paid. In order to understand this type of vulnerability, we need to be familiar with settings pages available on devices’ web interface that allow the admin user to modify settings.

Administrative web interfaces have different sections/menus available to logged-in administrators. Each section is just a HTML page with a form designed to make configuration changes. [...]

more | comments | comments rss | posted by

Holes in Embedded Devices: Authentication bypass (pt 3)

We move on with the 3rd kind of authentication bypass bug. You may want to familiarize yourself with the previous two entries here and here, before you continue.

Unchecked HTTP methods

A device that is vulnerable to this issue, only performs an authentication check (i.e.: is the password being submitted with a request via basic authentication?) when the request is performed using a certain HTTP method. [...]

more | comments | comments rss | posted by

Holes in Embedded Devices: Authentication bypass (pt 2)

Usually, when accessing a web interface of an appliance, the user is prompted to enter a password if not authenticated already. This could be done via a HTML form on the login page or a basic HTTP authentication prompt (among other methods).

Let’s call the authentication stage: A. Once, the admin user enters a username/password combination, the device checks the provided combination against credentials stored in its internal configuration. [...]

more | comments | comments rss | posted by

Holes in Embedded Devices: Authentication bypass (pt 1)

Finding authentication bypass bugs is an obvious choice for attackers, since such bugs allow administrative changes to be made without knowledge of the admin password. In other words, compromising the target device without requiring a password is of course something attackers are interested in! You bet! [...]

more | comments | comments rss | posted by

The new dawn of filter evasion

This article is about the most important phase when attacking web applications. The phase when the markup has just been broken and the attacker will try to inject his own markup, script code or other data – let’s call it the PMBP (post-markup-breaking-phase). This phase is mostly possible to occur when quotes aren’t correctly sanitized or when input is placed between two tags. In this article we will set the focus on the first variant – the attribute injection. [...]

more | comments | comments rss | posted by

One Drop on A Spider Web

On 6th February 2007, I’ve published an article titled Playing in Large, which discusses various ways of injecting large JavaScript payloads into tiny XSS holes. The technique that I used as an example is quite simple. In general, all attackers need to do is to place their malicious payload behind the fragment identifier (# sign) and evaluate it within the attacked application context. This can be achieved by using something like this: eval(location.hash.substr(1)). [...]

more | comments | comments rss | posted by