Do-Not-Track (How about piggybacking on the User-Agent?)

I think I’ve read just about every white paper, article, blog post, and tweet about Do-Not-Track (DNT), including the FTC’s recent 121-page preliminary staff report that thrust the concept into public consciousness. For those unfamiliar with what DNT is exactly, not to worry, it is really very simple.

The idea behind DNT is providing online consumers, those sitting behind a Web browser, an easy way to indicate to third parties that they do not want to be “tracked”: they opt out. DNT would hopefully replace today’s system of having to register with dozens of different provider websites to obtain “opt-out” cookies.

As the FTC pointed out, the opt-out cookie approach proved unscalable and could never have been effective with the spirit of its intent, consumer privacy. Adding insult to injury, anyone seeking to improve their privacy by deleting all their cookies would simultaneously delete their opt-out cookies too. They’d have to perform opt-out registration all over again. No wonder the advertisers and tracking companies support this model.

The FTC report gave no real technical guidance on how DNT should be implemented. Not that they should have. What you must first understand about DNT is that in all models, there is NO real technical privacy enforcement. Basically the consumer is asking (buried somewhere invisible in the HTTP protocol) anyone who is listening, “please do not track me.” It is then on the honor of the tracking companies across the Internet to support the DNT system and comply with the request when they have no legal obligation to do so. Which is not to say DNT is without value. It would be helpful to have a legal remedy available when all technical self-protection mechanisms eventually break down.

Since DNT started making headlines, Google, Microsoft, Mozilla, and various browser plug-in developers have been experimenting with different approaches to DNT in their respective Web browsers. The one seeming to get the most traction at the moment is adding a special ‘DNT’ header to each HTTP request. For example:

“DNT: 1” – The user opts out of third-party tracking.
“DNT: 0” – The user consents to third-party tracking.
[No Header] – The user has not expressed a preference about third-party tracking.

At first glance this does appear to be the logical and superior model over all others I’ve seen so far. Then I got to talking with Robert “RSnake” Hansen about this and we came to a slightly different conclusion about where DNT would best go. First, remember that there are a lot of great big powerful corporate interests that really don’t like DNT and what it represents. If effective and widely adopted, business models at odds with consumer privacy choice would be seriously threatened. Opponents of DNT will seek to confuse, sabotage, derail, downplay, and stall progress at every opportunity. The final accepted protocol must be resilient to a large portion of the Internet hostile to its very existence.

DNT data must be able to traverse the Internet to its destination unaltered and be logged on the other end (the Web server) for auditing / statistical purposes. If DNT ends up being a new HTTP request header, those headers, like most others, are rarely logged and never by default. It would be far too easy for a tracking company to ignore DNT headers and claim they never got them. Proving otherwise would be difficult for a plaintiff.

An alternative is piggybacking DNT onto an already well-established header: one that no one in the connection stream would typically think of touching and that is already widely logged by default. The User-Agent header would make an ideal candidate. Imagine something like this with the DNT tacked onto the end:

User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 DNT: 1

Simple. Easy. Logged.
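As an added illustration (not code from the original post), here is how an auditor could pull the DNT preference back out of ordinary access logs if the suffix were adopted. It assumes the Apache/nginx "combined" log format and the suffix syntax from the sample above; the function names and the log lines are constructed for this example.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log format; the User-Agent is the last quoted field.
COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<request>(?:[^"\\]|\\.)*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>(?:[^"\\]|\\.)*)" "(?P<agent>(?:[^"\\]|\\.)*)"\s*$'
)

# Assumed syntax, taken from the post's sample: "DNT: <value>" at the very end of the UA.
DNT_SUFFIX = re.compile(r'(?:^|\s)DNT:\s*(?P<value>\S*)\s*$')

PREFERENCES = {"1": "opt-out", "0": "consent"}


def dnt_preference(user_agent):
    """Classify a User-Agent string as 'opt-out', 'consent', 'unset' or 'invalid'."""
    m = DNT_SUFFIX.search(user_agent)
    if m is None:
        return "unset"  # no suffix: the user expressed no preference
    # Any value other than 1 or 0 is recorded as invalid rather than guessed at.
    return PREFERENCES.get(m.group("value"), "invalid")


def audit(lines):
    """Parse access-log lines; return (records, counts, unparsed)."""
    records, counts, unparsed = [], Counter(), []
    for line in lines:
        m = COMBINED.match(line.rstrip("\n"))
        if m is None:
            # e.g. a log format that omits the User-Agent: no DNT evidence at all
            unparsed.append(line)
            continue
        pref = dnt_preference(m.group("agent"))
        counts[pref] += 1
        records.append({
            "ip": m.group("ip"),
            "time": m.group("time"),
            "request": m.group("request"),
            "preference": pref,
        })
    return records, counts, unparsed


# Constructed sample log lines (documentation IP ranges, example.com referers).
SAMPLE_LOG = """\
192.0.2.10 - - [10/Feb/2011:09:15:02 -0800] "GET /pixel.gif?id=1 HTTP/1.1" 200 43 "http://example.com/news" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 DNT: 1"
192.0.2.11 - - [10/Feb/2011:09:15:04 -0800] "GET /pixel.gif?id=2 HTTP/1.1" 200 43 "http://example.com/news" "Mozilla/5.0 (Windows NT 6.1; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13 DNT: 0"
203.0.113.5 - - [10/Feb/2011:09:15:06 -0800] "GET /pixel.gif?id=3 HTTP/1.1" 200 43 "-" "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/534.13 Chrome/9.0.597.98 Safari/534.13"
203.0.113.9 - - [10/Feb/2011:09:15:08 -0800] "GET /pixel.gif?id=4 HTTP/1.1" 200 43 "-" "ExampleBot/1.0 DNT: 2"
198.51.100.7 - - [10/Feb/2011:09:15:09 -0800] "GET /pixel.gif?id=5 HTTP/1.1" 200 43
"""

if __name__ == "__main__":
    records, counts, unparsed = audit(SAMPLE_LOG.strip().splitlines())
    for rec in records:
        print(rec["time"], rec["ip"], rec["preference"], rec["request"])
    print(dict(counts), "unparsed lines:", len(unparsed))
```

Because the User-Agent is supplied by the client, the log records what the server received; lines in a format without the User-Agent field come back as unparsed and carry no DNT evidence.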

Now if we can just encourage the browser vendors to enable it by default. 🙂


WhiteHat Security is a leading provider of website security services.


Hack Yourself First: Jeremiah Grossman



Travel the World, Meet new People, and Fight them

I’ve been training Brazilian Jiu-Jitsu for a little over 5 years now, sprinkled in with a little Muay Thai and Boxing to complement the ground game. I’ve averaged a two-hour class about 4 days a week, which has resulted in a loss of 60lbs (kept off) and a respectable brown belt. I’m currently working my butt off to earn black. While being a BJJ black belt would be unbelievably cool, honestly the belt color isn’t all that important to me. I’ll be training for as long as I’m physically able to, for life, regardless. The power of this martial art is simply amazing.

Right now I’d prefer to be training BJJ (MMA) twice a day 4-5 days a week, but between WhiteHat and family commitments there is just no way. When vacationing in Maui that’s pretty much what I do with all my down time, in between going to the beach of course. My BJJ game skyrockets to new levels super fast because guys out there are no joke. Everyone is in shape and trains all the time. You’ll even find private MMA cages in people’s back yards that provide “something to do” when there are no waves.

My job requires me to travel a lot. I’ve been to 5 continents, about two dozen countries, and 35 or so US states. Fortunately there has been an explosion in the number of BJJ academies thanks in large part to the UFC and MMA phenomenon. There’s at least one academy in every major US city I’ve been to, and I make a point to visit as many as I can. I always fly with my gi, rash guard, mouth guard, and fight shorts. I’ve trained in about 20 academies across the US and abroad, including in Brazil where of course BJJ all began. I don’t do this to try and prove how tough I am or anything; I’m mostly just looking for a good workout (way better than the gym), to learn a new move or two, and to benchmark my progress. So if you see me on stage with what looks like mascara, you’ll know why.

In 99% of the academies I’ve had lots of fun and an amazing experience. Got to meet some really cool people outside of the security industry and keep perspective on things. I’ve also learned a couple of important lessons on what NOT to do:

1) Don’t visit an unfamiliar academy as an out of town traveler unless you are a solid blue belt level or above, which equates to at least a year or more of hard training experience. Not everyone, instructor and students, are nice people so you must be able to truly protect yourself from serious injury in the rare case that someone is actually trying to hurt you. I’ve never had a problem in a strict BJJ (Gi) academy, but some “MMA” (No-Gi) places do have a level of “fighter” attitudes where some try to prove themselves outside of the cage. I’ve only had to deal with this kind of ego twice before. Both times it didn’t end up good for the other guy. They slept, I left.

2) As a sign of respect, call ahead and speak with the instructor. Introduce yourself and your training background. This lets the instructor know where to place you with their students skill-wise and tell you if the place isn’t right for you for whatever reason. Again, I’ve had two moderately bad experiences showing up to a martial arts academy unannounced. One was primarily an Aikido place and the other Taekwondo, both advertising some BJJ classes on their site. Apparently the instructors in those disciplines also taught the BJJ class, but weren’t highly skilled. I asked if they do full speed sparring, to which they nodded. Once they found out my level, they wanted no part of me and asked that I leave. I think they were concerned that I might tear up their students or something and make the school look bad. Who knows, I complied.

3) NEVER tap anyone in an unfamiliar academy that is a higher belt than you. I hate this rule, but take my word for it. If you get a hold of a submission, let it go. Of course that doesn’t mean you go and let yourself get tapped out. Screw that! Fight to maintain control over your opponent, flow with the go, which demonstrates skill more than just about anything. While it shouldn’t be the case, I’ve had bad experiences when tapping the instructor. Things turn into Abu Dhabi night in an instant. I won’t be making this mistake again until I’m a black belt.

Remember the quote from The Matrix Reloaded, “…you don’t really know someone until you fight them.” I’ve found this to be profoundly true, including in myself. A person’s true mental disposition really shows when they are under physical duress. Chris Hoff (@beaker), cloud infosec icon, also trains BJJ while on the road. We’ve locked up in battle on the mat several times. His game reflects his personality. He’s elusive and unassuming, but DO NOT underestimate him for one moment. He’ll catch you off guard the very moment you back off and aren’t paying very close attention. For me it’s not who beats who, but having fun, bringing my best game, and seeing what happens. Learning where Chris is getting an edge on me or where I missed an opportunity.

BJJ Smackdown during RSA 2011
Feb 17, 7-9pm
Ralph Gracie’s School
Everyone is welcome, but contact @jeremiahg or @beaker



Top Ten Web Hacking Techniques of 2010 (Official)

Every year the Web security community produces a stunning amount of new hacking techniques published in various white papers, blog posts, magazine articles, mailing list emails, etc. Within the thousands of pages are the latest ways to attack websites, Web browsers, Web proxies, and so on. Beyond individual vulnerability instances with CVE numbers or system compromises, we’re talking about actual new and creative methods of Web-based attack. Now in its fifth year, the Top Ten Web Hacking Techniques list encourages information sharing, provides a centralized knowledge-base, and recognizes researchers who contribute excellent work.

Since the inception of the Top Ten Web Hacking Techniques list, the diversity, volume, and innovation of security research has always been impressive. 2010 produced 69 new attack techniques! This year’s point-position voting system worked well and the results showed exceptionally strong competition throughout all the entries. In fact, only two entries did not gain any points.

I’d like to take a moment again to thank everyone who took the time to fill out the voting surveys, including those who were on this year’s expert panel: Ed Skoudis (InGuardians Founder & Senior Security Consultant), Giorgio Maone (Author of NoScript), Caleb Sima (CEO, Armorize), Chris Wysopal (Veracode Co-Founder & CTO), Jeff Williams (OWASP Chairman & CEO, Aspect Security), Charlie Miller (Consultant, Independent Security Evaluators), Dan Kaminsky (Director of Pen-Testing, IOActive), Steven Christey (Mitre), and Arian Evans (VP of Operations, WhiteHat Security). Also a big thanks to our sponsors BlackHat, OWASP, various Web security authors, and WhiteHat Security.

Today the polls are closed, votes are in, and the official Top Ten Web Hacking Techniques of 2010 has been finalized! For any researcher, simply the act of creating something unique enough to appear on the complete list is itself an achievement. To make it on to the top ten, though, is, well, another matter entirely. These researchers receive special praise amongst their peers who selected them and take their place amongst those highlighted in previous years (2006, 2007, 2008, 2009).

Top honors go to Juliano Rizzo and Thai Duong for their work on the “‘Padding Oracle’ Crypto Attack.” They’ll receive a free pass to attend the BlackHat USA Briefings 2011! (sponsored by Black Hat) and a library of autographed Web security books.

In second place is Samy Kamkar for his work on “Evercookie.” He’ll receive a free OWASP Conference Pass (sponsored by OWASP).

And finally, everyone appearing on the top ten will receive a custom-designed t-shirt (sponsored by WhiteHat Security).

Top Ten Web Hacking Techniques of 2010!

1) ‘Padding Oracle’ Crypto Attack (poet, Padbuster, demo, ASP.NET)
Juliano Rizzo (@julianor), Thai Duong (@thaidn)

2) Evercookie
Samy Kamkar (@samykamkar)

3) Hacking Auto-Complete (Safari v1, Safari v2 TabHack, Firefox, Internet Explorer)
Jeremiah Grossman (@jeremiahg)

4) Attacking HTTPS with Cache Injection (Bad Memories)
Elie Bursztein (@ELIE), Baptiste Gourdin (@bapt1ste), Dan Boneh

5) Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
Lavakumar Kuppan (@lavakumark)

6) Universal XSS in IE8 (CVE, White Paper)
Eduardo Vela (@sirdarckcat), David Lindsay (@thornmaker)

7) HTTP POST DoS
Wong Onn Chee, Tom Brennan (@brennantom)

8) JavaSnoop
Arshan Dabirsiaghi (@nahsra)

9) CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
Robert “RSnake” Hansen (@rsnake)

10) Java Applet DNS Rebinding
Stefano Di Paola (@WisecWisec)


At IT-Defense 2011 (Feb.) it will be my great honor to introduce each of the top ten during my “Top Ten Web Hacking Techniques of the Year (2011)” presentations. Each technique will be described in technical detail for how they function, what they can do, to whom, and how best to defend against them. The audience will get an opportunity to better understand the newest Web-based attacks believed most likely to be used against us in the future.


The Complete List

  1. Evercookie
  2. Hacking Auto-Complete (Safari v1, Safari v2 TabHack, Firefox, Internet Explorer)
  3. Cookie Eviction
  4. Converting unimplementable Cookie-based XSS to a persistent attack
  5. phpwn: Attack on PHP sessions and random numbers
  6. NAT Pinning: Penetrating routers and firewalls from a web page (forcing router to port forward)
  7. Mapping a web browser to GPS coordinates via router XSS + Google Location Services without prompting the user
  8. XSHM Mark 2
  9. MitM DNS Rebinding SSL/TLS Wildcards and XSS
  10. Using Cookies For Selective DoS and State Detection
  11. Quick Proxy Detection
  12. Flash Camera and Mic Remember Function and XSS
  13. Improving HTTPS Side Channel Attacks
  14. Side Channel Attacks in SSL
  15. Turning XSS into Clickjacking
  16. Bypassing CSRF protections with ClickJacking and HTTP Parameter Pollution
  17. CSS History Hack In Firefox Without JavaScript for Intranet Portscanning
  18. Popup & Focus URL Hijacking
  19. Hacking Facebook with HTML5
  20. Stealing entire Auto-Complete data in Google Chrome
  21. Chrome and Safari users open to stealth HTML5 AppCache attack
  22. DNS Rebinding on Java Applets
  23. Strokejacking
  24. The curse of inverse strokejacking
  25. Re-visiting JAVA De-serialization: It can’t get any simpler than this !!
  26. Fooling B64_Encode(Payload) on WAFs and filters
  27. MySQL Stacked Queries with SQL Injection…sort of
  28. A Twitter DomXss, a wrong fix and something more
  29. Get Internal Network Information with Java Applets
  30. Java DSN Rebinding + Java Same IP Policy = The Internet Mayhem
  31. Java Applet Same IP Host Access
  32. ASP.NET ‘Padding Oracle’ Crypto Attack
  33. Posting raw XML cross-domain
  34. Generic cross-browser cross-domain theft
  35. One vector to rule them all
  36. HTTP POST DoS
  37. Penetrating Intranets through Adobe Flex Applications
  38. No Alnum JavaScript (cheat sheet, jjencode demo)
  39. Attacking HTTPS with Cache Injection
  40. Tapjacking: owning smartphone browsers
  41. Breaking into a WPA network with a webpage
  42. XSS-Track: How to quietly track a whole website through single XSS
  43. Next Generation Clickjacking
  44. XSSing client-side dynamic HTML includes by hiding HTML inside images and more
  45. Stroke triggered XSS and StrokeJacking
  46. Internal Port Scanning via Crystal Reports
  47. Lost in Translation (ASP’s HomoXSSuality)
  48. Cross Site URL Hijacking by using Error Object in Mozilla Firefox
  49. JavaSnoop
  50. IIS5.1 Directory Authentication Bypass by using “:$I30:$Index_Allocation”
  51. Universal XSS in IE8
  52. padding oracle web attack (poet, Padbuster, demo)
  53. IIS6/ASP & file upload for fun and profit
  54. Google Chrome HTTP AUTH Dialog Spoofing through Realm Manipulation
  55. NoScript Bypass – “Reflective XSS” through Union SQL Poisoning Trick
  56. Persistent Cross Interface Attacks
  57. Port Scanning with HTML5 and JS-Recon
  58. Performing DDoS attacks with HTML5 Cross Origin Requests & WebWorkers
  59. Cracking hashes in the JavaScript cloud with Ravan
  60. Will it Blend?
  61. Stored XSS Vulnerability @ Amazon
  62. Poisoning proxy caches using Java/Flash/Web Sockets
  63. How to Conceal XSS Injection in HTML5
  64. Expanding the Attack Surface
  65. Chronofeit Phishing
  66. Non-Obvious (Crypto) Bugs by Example
  67. SQLi filter evasion cheat sheet (MySQL)
  68. Tabnabbing: A New Type of Phishing Attack
  69. UI Redressing: Attacks and Countermeasures Revisited

  69. UI Redressing: Attacks and Countermeasures Revisited

WhiteHat Security is a leading provider of website security services.



How-to send HTML email, XSS testing WebMail systems

If you come across a WebMail system that supports HTML email (no JavaScript) like GMail, Y! Mail, and Hotmail, then it’s extremely helpful to know how exactly to send HTML email to test those anti-XSS filters. I don’t recall seeing a how-to on the subject anywhere in the webappsec circles. To send arbitrary HTML email, laced with filter evading JavaScript, requires only a specially crafted text file and a *unix command line. Copy / Paste the following into a plain text file (email.txt):

MIME-Version: 1.0
From: your.name <your.name@whateverhost.com>
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit
Subject: INSERT_SUBJECT

INSERT WHATEVER HTML/JAVASCRIPT CONTENT
.

The trailing dot is not a typo; it terminates the message, so make sure the file always ends with it. Second, leave the Content-Type, Content-Transfer-Encoding, and MIME-Version headers as they are. Beyond that, you are free to modify and insert your HTML/JavaScript injections wherever you’d like, including the email subject and content body. You can also spoof the return email address and add arbitrary email headers using the same format. Once you’ve got something you want to send, well, email, type this Unix command:

> sendmail -t email_recipient@domain.com < email.txt

The -t flag is where you want to send the email to, and the redirect feeds whatever you named your email text file into sendmail. That’s it! Happy XSS hunting!
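A pre-send check for the message file described above, added here as an example and not code from the original post. It verifies that the header block is contiguous, that the three fixed headers are intact, and that the only lone "." line is the final one; the names `check_message_file` and `GOOD` are hypothetical, and the sample message is constructed.

```python
REQUIRED = {"mime-version": "1.0", "content-transfer-encoding": "7bit"}

def check_message_file(text):
    """Return a list of problems in a sendmail-style message file (empty = OK)."""
    lines = text.splitlines()
    if "" not in lines:
        return ["no blank line between headers and body"]
    sep = lines.index("")          # the first blank line ends the header block
    headers, problems, last = {}, [], None
    for ln in lines[:sep]:
        if ln[0] in " \t" and last:            # folded continuation line
            headers[last] += " " + ln.strip()
            continue
        name, colon, value = ln.partition(":")
        if not colon or not name or " " in name:
            problems.append(f"malformed header line: {ln!r}")
            continue
        last = name.lower()
        headers[last] = value.strip()
    for name, want in REQUIRED.items():
        if headers.get(name, "").lower() != want:
            problems.append(f"{name} must be {want!r}")
    if not headers.get("content-type", "").lower().startswith("text/html"):
        problems.append("content-type must be text/html")
    for name in ("from", "subject"):
        if name not in headers:
            problems.append(f"missing {name} header")
    body = lines[sep + 1:]
    if not body or body[-1] != ".":
        problems.append("file does not end with a lone '.' line")
    for lineno, ln in enumerate(body[:-1], start=sep + 2):
        if ln == ".":              # sendmail stops reading the message here
            problems.append(f"line {lineno}: lone '.' ends the message early")
        if not ln.isascii():       # contradicts the 7bit declaration
            problems.append(f"line {lineno}: non-ASCII text in a 7bit body")
    return problems

# Constructed sample in the layout the post describes.
GOOD = (
    "MIME-Version: 1.0\n"
    "From: your.name <your.name@whateverhost.com>\n"
    "Content-Type: text/html; charset=us-ascii\n"
    "Content-Transfer-Encoding: 7bit\n"
    "Subject: INSERT_SUBJECT\n"
    "\n"
    "<p>INSERT WHATEVER HTML CONTENT</p>\n"
    ".\n"
)

if __name__ == "__main__":
    print(check_message_file(GOOD) or "message file looks well-formed")
```

A blank line inside the header block pushes every later header into the body, where the webmail system never sees it as a header; the check reports those as missing. If the body must contain a lone "." line, sendmail's -i option turns off dot termination.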


Hack Yourself First: Jeremiah Grossman



The Application Security Spending Conundrum

Recently I needed to purchase automobile insurance. To obtain a quote, the online insurer asked my age, where I lived, how much I drive and where, the year, make, and model of my cars, about my driving record, and how much coverage I wanted. Behind the scenes, they likely took these data points, applied them to some vehicle claim actuarial data, and presented me with a rate based upon MY effective overall risk score. The process made sense, the price was fair, and I ended up buying.

This got me thinking. What if instead the insurer had said, “We’ll give you the same coverage as everyone else who applied, add some protection for a new, obscure, scary-sounding road hazard, and bill you 15% over last year.” Without taking anything at all about ME into account, it would seem that there was no real risk management involved in their decision-making. As a consumer, I would reject this offer. Clearly this makes zero sense. Ridiculous as this scenario sounds, isn’t this fairly similar to the process of creating information security budgets?

Gunnar Peterson explains it best, “Security budgets are often based on a combination of last year’s spending, this year’s threat(s) du jour, and “best” practices, i.e. what everyone else is doing. None of these help to address the main goal of information security which is to protect the assets of the business. The normal security budgeting process results in overspending (as a percentage) on network security, because that’s how the budget grew organically starting from the 90s.”

I agree and I think this is precisely why we see so many organizations spending a larger percentage of their budgets protecting their networks and infrastructure, as opposed to their applications, where the largest chunk of IT dollars are invested. In Gunnar’s words, “…they are spending $10 to protect something worth $5, and in other cases they are spending a nickel to protect something worth $1,000. If you look at the numbers objectively, you see why it is out of control…” Worse still, this budget misallocation persists despite real-world data revealing where the real threats are (at the application layer, Verizon’s DBIR) and in stark contrast to the infosec pros’ own stated priorities.

A survey conducted by FishNet Security of IT pros and C-level executives from 450 Fortune 1000 companies found that: “45% say firewalls are their priority security purchase, followed by antivirus (39%), and authentication (31%) and anti-malware tools (31%).” The report goes on to say, “Nearly 70% [of those surveyed] say mobile computing is the biggest threat to security today, closely followed by social networks (68%), and cloud computing platforms (35%). Around 65% rank mobile computing the top threat in the next two years, and 62% say cloud computing will be the biggest threat, bumping social networks.” This is pretty funny because Mobile, Social Networking, and Cloud attacks specifically bypass those firewall investments.

To resolve this spending conundrum, and begin closing the application security gap, I see two options:

1) Information security professionals must align their investments with business priorities, which is what Gunnar wisely advocates. He says, “the biggest line item in [non-security] spending should match the biggest line item in security.” In almost every enterprise, this would mean redirecting network security dollars to application security. Even if this approach makes perfect sense, there is no question budget re-allocation would meet fierce opposition. Nothing less than a paradigm shift in thinking, culture and regulatory design would allow this to come to pass. Unfortunately, I think it is nearly impossible for the masses.

2) Information security professionals would need to convince management to approve new additional budget dollars specifically for application security, without reducing other budgets. Ideally, these application security investments could be justified, directly or indirectly, by increased revenue or reduced costs. Ask yourself, how might application security investments contribute to new customer acquisition? Can the business increase its differentiation? Obviously this won’t solve the spending inefficiency conundrum, but we might be able to gain ground and close the gap using this approach. To do so we need more case studies and benchmarks to demonstrate how other organizations are investing.

Fortunately, from an industry perspective, these choices are NOT mutually exclusive. Each organization will of course have to find its own path. In a future post I’ll list out ways I’ve seen organizations justify application security budgets. In the meantime, if you have ways that you’ve found successful, comment below!

