More on GIFARS and Other Dangerous Attacks

This is a continuation from my previous post. The reasons why GIFARs, although in my case it was JPGAR (from JPG + JAR), work was explained to me by FX (Recurity Labs) after my talk during the last Black Hat in Amsterdam.

Basically, when you combine GIF/JPG and JAR/ZIP you have a hybrid file which have two heads. The head of GIF/JPG file is at the top. The head of the JAR/ZIP file is at the bottom. [...]

more | comments | comments rss | posted by

Landing Blogsecurify

During the last couple of days, we combined forces with Blogsecurity.NET in an effort to improve their online WordPress vulnerability scanner. The result of these efforts is our new initiative called Blogsecurify.

Blogsecurify was created to help individuals and organization to secure their social media infrastructure by running a set of security checks. [...]

more | comments | comments rss | posted by

Google and Wildcard Domains

Basically, Google allows you to use custom domains for your Google for Applications, Blogspot, Mashup Editor and of course App Engine accounts. I think this is an excellent feature and I use it for several of my domains. Although, some of the Google applications ask you to verify the ownership of the domain you are about to use by instructing you to place a special CNAME record on your nameserver, others don’t. [...]

more | comments | comments rss | posted by

QuickTime 0day for Vista and XP

A remote vulnerability exists in the QuickTime player for Windows XP and Vista (latest service packs). Other versions are believed to be affected as well. For now, no details will be released regarding the method of exploitation.

The video above demonstrates the issue on Windows Vista and Windows XP. The Windows Vista demo is rather slow because it runs from a 512MB VMWare machine.

more | comments | comments rss | posted by

OpenID provides a better security model

I couple of posts back I’ve started a conversation on what OpenID is and why it could turn a bit insecure. You can read more about this over here, here and here. Today, I would like to draw your attention on why I believe that OpenID based authentication is a lot more more secure then the dispersed, decentralized, authentication model we use today.

This post is inspired by a recent discussion on Full-Disclosure which I vividly took part in, supporting OpenID. [...]

more | comments | comments rss | posted by

The State of WiFi security

One of the fundamental rules, which you wont read about in any security book and you can learn only through experience is that everything is in symbiosis. This means that the security models of the individual components in a system are co-dependent. For example, the security of a server is dependent on the security of the individual clients connected to it and the the security of the clients depend on the security of the servers they are interacting with. [...]

more | comments | comments rss | posted by

Cross-site File Upload Attacks

As you probably already know, CSRF attack are only possible when the attacked web application does not have an additional mechanism to ensure that requests towards it are genuine. In order to do that, the web developer must include a unique token for each request, which is validated on the server upon receiving a request. [...]

more | comments | comments rss | posted by

WiFi Infestations – Viral Wardriving

WiFi networks are the necessary evil. In this post I would like to briefly highlight some ideas on the potential damages that can be introduced when attackers combine automated viral-like attacks with human power. This post is largely related to the wifi worms topic that was quite present among all media outlets at the beginning of 2008. [...]

more | comments | comments rss | posted by

Holes in Embedded Devices: Authentication bypass (pt 3)

We move on with the 3rd kind of authentication bypass bug. You may want to familiarize yourself with the previous two entries here and here, before you continue.

Unchecked HTTP methods

A device that is vulnerable to this issue, only performs an authentication check (i.e.: is the password being submitted with a request via basic authentication?) when the request is performed using a certain HTTP method. [...]

more | comments | comments rss | posted by

Holes in Embedded Devices: Authentication bypass (pt 1)

Finding authentication bypass bugs is an obvious choice for attackers, since such bugs allow administrative changes to be made without knowledge of the admin password. In other words, compromising the target device without requiring a password is of course something attackers are interested in! You bet! [...]

more | comments | comments rss | posted by