Monday, 29 January 2018

How can insecure CORS lead to the biggest security threat for your application?

WHAT IS THE MEANING OF AN ORIGIN?

Two websites are said to have the same origin if both have the following in common:
  • Scheme (http, https)
  • Host name (google.com, facebook.com, briskinfosec.com)
  • Port number (80, 4657, 7777)
So, http://example.com and http://example.com/settings have the same origin, but https://example.com:4657 and http://example.com:8080/settings have different origins.
The ‘Same Origin Policy’ restricts how a script loaded from one origin can interact with a resource from another origin. It is an important built-in browser security mechanism for isolating potentially malicious scripts.

WHAT IS CROSS ORIGIN RESOURCE SHARING?

Web 2.0 applications need to share resources across origins. Some examples:
  • Cross Origin Writes: A website can POST data to an endpoint of another website.
  • Cross Origin Embedding: A website can reference images from another website using the <img src> tag. An iframe can also be embedded using the <iframe src> tag if the source website allows it.
Apart from the above two scenarios, when one website reads data from another website, it is called ‘Cross Origin Resource Sharing’, aka CORS.
CORS is a W3C specification that allows cross-domain communication from the browser. It works by adding new HTTP headers that describe the origins that are allowed to share information across domains.
In other words, CORS is used to relax the ‘Same Origin Policy’ for legitimate and trusted requests. It is an essential feature of Web 2.0, making APIs exposed via web services accessible from other origins.
Some noteworthy examples of web applications supporting CORS: Google, YouTube, Flickr.

TWO MOST IMPORTANT CORS HEADERS:

  • Origin: Set by the browser in every CORS request. Its value is the origin (scheme, host and port) from which the request originates.
  • Access-Control-Allow-Origin: Set by the server in every CORS response. Depending on its value, the browser decides whether the response may be read. It can be set to * (the wildcard character) to make resources public; however, this is not good practice.

PRE-FLIGHT REQUEST

A pre-flight request is just a normal HTTP request that happens before the actual cross-domain communication. Its purpose is to ensure the client and server are fully compatible (protocol, security, and so on) before the data is actually exchanged. If they are not, the relevant error is raised.
Keep in mind that a pre-flight request is only triggered if:
  • Custom HTTP headers are sent
  • The body MIME type is different from text/plain
  • The HTTP method is different from GET or POST
The following is a typical pre-flight request-response pair:
Request:
   OPTIONS / HTTP/1.1
   Origin: http://api.user.com
   Access-Control-Request-Method: PUT
   Host: api.example.com
   Accept-Language: en-US
   Connection: keep-alive
   User-Agent: Browser
Response:
   HTTP/1.1 204 No Content
   Access-Control-Allow-Origin: http://api.user.com
   Access-Control-Allow-Methods: GET, POST, PUT
   Content-Type: text/html; charset=utf-8

SIMPLE REQUEST

A simple CORS request is similar to a pre-flight request without the initial capability exchange. In a typical simple CORS request, the following sequence happens:
Request: http://example.com – Origin A
Response: http://cdn.briskinfosec.com – Origin B
  1. Origin A attempts to access the home page of a CDN running at origin B, http://cdn.briskinfosec.com, using CORS.
  2. Origin A sends a GET request to the Origin B web server.
  3. The Origin B server responds with an Access-Control-Allow-Origin header.

A SCENARIO TO EXPLOIT CORS VULNERABILITY:

In this demo we use a vulnerable intranet application which has a secret located at ‘secret-cors-3.php’. It has an Admin who accesses it from his local environment. Its URL is http://127.0.0.1:80/bwapp/.
As it is an intranet application, the attacker cannot interact with it remotely. Our goal as the attacker is to capture the secret from a remote internet location by exploiting the CORS vulnerability.

THE EXPLOITATION:

  • The attacker hosts a website containing the malicious script for cross-domain interaction.
  • The victim, i.e. the Admin of the intranet application, visits the attacker’s website at http://127.0.0.1:4567.
  • The response from the attacker’s website contains the following malicious payload:
  • As soon as the web page is loaded, the ‘makeRequest’ method is called. It initiates a cross-domain request for the secret to the vulnerable intranet application at ‘http://127.0.0.1:80/bwapp/secret-cors-1.php’.
  • It fetches the response and stores it in the variable ‘secret’.
  • Because ‘Access-Control-Allow-Origin’ is set to *, the browser hands the response to the malicious script, which now holds the secret and simply issues a GET request carrying it to the attacker’s second web server at http://127.0.0.1:7777.
  • Meanwhile, the attacker monitors the logs of that web server. The payload executes and the secret appears in the logs.

HOW TO MITIGATE IT?

  • ‘Access-Control-Allow-Origin’ should never be set to * if the resource contains sensitive information.
  • The mitigation is simple and just a matter of proper configuration. Configure the Access-Control-Allow-Origin header to allow requests only from the domains that you trust, e.g. Access-Control-Allow-Origin: Saurabh.com. The below image illustrates that the CORS attack does NOT get executed when the server is configured with a correct ‘Access-Control-Allow-Origin’ instead of the ‘Wildcard’ character.
  • Make sure that the server-side validation of the Origin header value compares against an exact value and NOT against a regular expression.
  • For example, the following code does the comparison with a regular expression:
RegEx("^https://mail.example.com$")
In the above validation, an unescaped dot (.) means any character. So, an attacker can bypass it by making the CORS request originate from the following domain: https://mailxexample.com
The patched code will be:
            // Exact string comparison against the single trusted origin; the
            // header is emitted only when the check passes.
            if (isset($_SERVER['HTTP_ORIGIN']) && $_SERVER['HTTP_ORIGIN'] === 'https://mail.example.com') {
                header('Access-Control-Allow-Origin: https://mail.example.com');
            }
  • The client should not trust received content without sanitization, because that can result in client-side code execution. For example, if website abc.com trusts and fetches cross-domain data from example.com, and example.com turns malicious and starts serving malicious JavaScript to abc.com, then abc.com can protect its users from cross-site scripting by sanitizing the received data before presenting it to its users.
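As an added example (not the blog's code), here is the mitigation above worked out in Python: the unescaped-dot regex the post warns about beside the exact-match allow-list it recommends, plus the browser-side decision from the scenario section, so the wildcard and patched configurations can be compared. Origins other than https://mail.example.com, https://mailxexample.com and http://127.0.0.1:4567 are assumed.

```python
"""Origin allow-listing for CORS, as recommended in the mitigation above.

Constructed example, not code from the blog post. The origins
https://mail.example.com, https://mailxexample.com and http://127.0.0.1:4567
come from the post; everything else here is assumed for illustration.
"""
import re
from typing import Dict, Optional

# Exact origins (scheme + host + port) allowed to read the sensitive resource.
TRUSTED_ORIGINS = frozenset({"https://mail.example.com"})

# The check the post warns against: each unescaped '.' matches ANY character.
WEAK_PATTERN = re.compile(r"^https://mail.example.com$")

# The same intent written correctly: escaped dots match only a literal '.'.
STRICT_PATTERN = re.compile(r"^https://mail\.example\.com$")


def weak_regex_allows(origin: str) -> bool:
    """Flawed regex check; also accepts the bypass origin from the post."""
    return WEAK_PATTERN.fullmatch(origin) is not None


def strict_regex_allows(origin: str) -> bool:
    """Regex with escaped dots; only the literal trusted origin matches."""
    return STRICT_PATTERN.fullmatch(origin) is not None


def cors_headers(origin: Optional[str], public_resource: bool = False) -> Dict[str, str]:
    """Server side: decide which CORS headers to emit for one request.

    - No Origin header: not a cross-origin read, so emit no CORS headers.
    - Origin on the allow-list (exact string compare): echo that one origin.
    - Any other origin on a sensitive resource: emit nothing, so the browser
      refuses to hand the response body to the calling script.
    - '*' is emitted only for resources explicitly flagged as public.
    """
    headers: Dict[str, str] = {}
    if origin is None:
        return headers
    if origin in TRUSTED_ORIGINS:
        headers["Access-Control-Allow-Origin"] = origin
        headers["Vary"] = "Origin"  # response differs per Origin; keep caches honest
    elif public_resource:
        headers["Access-Control-Allow-Origin"] = "*"
    return headers


def browser_allows_read(page_origin: str, response_headers: Dict[str, str]) -> bool:
    """Browser side: the Same Origin Policy decision the post describes.

    A script running on page_origin may read the response only if the server
    answered with '*' or with exactly that origin.
    """
    acao = response_headers.get("Access-Control-Allow-Origin")
    return acao == "*" or acao == page_origin


def secret_readable_from(page_origin: str, public_resource: bool = False) -> bool:
    """End to end: can a script on page_origin read the resource body?"""
    return browser_allows_read(page_origin, cors_headers(page_origin, public_resource))


if __name__ == "__main__":
    attacker_page = "http://127.0.0.1:4567"  # the attacker-hosted page from the post
    # The post's vulnerable configuration (wildcard) versus the patched allow-list.
    print("wildcard, attacker page reads secret :", secret_readable_from(attacker_page, True))
    print("allow-list, attacker page reads secret:", secret_readable_from(attacker_page))
    print("allow-list, trusted origin reads      :", secret_readable_from("https://mail.example.com"))
    print("weak regex accepts mailxexample.com   :", weak_regex_allows("https://mailxexample.com"))
```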

WHAT IF THE ORIGIN HEADER IS SPOOFED?

The point of the Origin header is not to protect the resources on the server; that task is up to the server itself. The Origin header protects the user. The following scenario demonstrates it:
  • An attacker, Charlie, creates a malicious website M.
  • User Alice is tricked into visiting website M, which tries to perform a CORS action on the server example.com, which supports CORS.
  • Website M is not in example.com’s list of allowed origins, so the request is rejected.
  • The important point here is that M cannot spoof the Origin header, because the request is initiated from Alice’s browser.
  • Alice herself could change the header using a local proxy tool, but a victim has no reason to attack herself, so this scenario is not realistic.
Another way an attacker could do this is by intercepting the request as a man in the middle. But if the attacker has access to the traffic, capturing cookies and session IDs is a better option than changing the Origin header.

OWASP CATEGORY FOR CORS VULNERABILITY:

This vulnerability falls under the ‘Security Misconfiguration’ category of the OWASP Top 10. The HTTP response header ‘Access-Control-Allow-Origin’ is not configured correctly, and this creates the issue.

CONCLUSION:

We have discussed what CORS is and how a CORS vulnerability in a web application or API web service can be exploited. It is important to verify that CORS is configured properly. As part of web application security we need to make sure shared resources are secure and HTTP headers have not been tampered with. CORS exploitation can have serious consequences, leading to the compromise of sensitive data.
BriskInfosec provides the best web application and API security test.  Discover the reason to conduct Application Security test with us.
Reach us – Contact@briskinfosec.com
Author
RadhaKrishnan
Security Engineer
BriskInfosec Technology and Consulting PVT LTD
https://www.linkedin.com/in/radhakrishnan-r-209607111/

Wednesday, 10 January 2018

How serious is Cross-site request forgery (XSRF or CSRF)?

Cross-site request forgery is an attack in which the attacker, posing as a legitimate and trusted user of a website, tricks the victim into submitting a malicious request. An attacker may also forge a request to log the victim into a target website (login CSRF), which can lead to further damage.
The attacker usually takes advantage of the fact that the user is already authenticated. The impact of a successful CSRF exploit varies greatly based on the privileges of the victim. When targeting a normal user, a successful CSRF attack can compromise end-user data and the functions associated with it. Using social engineering, an attacker can embed malicious HTML or JavaScript code into an email or website to request a specific ‘task URL’. The task then executes with or without the user’s knowledge, either directly or by utilizing a Cross-Site Scripting flaw. It is imperative that no XSS vulnerabilities are present, to ensure that CSRF defences cannot be circumvented.
As a webmaster, however, you should not assume that you are protected from CSRF attacks just because you see anti-CSRF tokens used in your web applications.

BURP SUITE:

Burp Suite is an integrated platform for performing security testing of web applications; testers use Burp to test the security of their applications. Some of Burp’s more advanced features take further learning and experience to master. It is not a point-and-click tool but is designed to be used by hands-on testers to support the testing process.
It was developed to provide a comprehensive solution for web application security checks. In addition to basic functionality such as the proxy server, scanner and intruder, the tool also contains more advanced options such as a spider, a repeater, a decoder, a comparer, an extender and a sequencer. A penetration tester configures their Internet browser to route traffic through the proxy, which then acts as a sort of man in the middle by capturing and analyzing each request and response to and from the target web application.
Step 1: To test CSRF manually, configure Burp Suite as the proxy for your browser.
Step 2: Take an authenticated web application (the test site). You can log in using the credentials test:test.
Step 3: Go to the page where the field values (name, email ID, phone number) can be changed. In Burp, open the Proxy tab and turn Intercept on.
Step 4: Update a field and submit the request so that it is captured in Burp Proxy (Raw view).
Step 5: Right-click the captured request, go to Engagement tools and choose the Generate CSRF PoC option.
Step 6: Once the PoC is generated, copy the HTML, open Notepad and paste the HTML.
Step 7: Modify the data, e.g. username Test and email ID abc@gmail.com.
Step 8: Save it as test.html. In another browser, log in to the test site as the test user, then open test.html and submit the request.
Step 9: The attack has succeeded: the account information has been changed. This serves as an initial check of whether the attack is possible, and a successful attack shows that the web application is vulnerable to CSRF.
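As an added example (not the blog's or the test site's code), the server-side checks that would stop the saved test.html PoC from the steps above: a per-session synchronizer token on the profile-update form, plus an Origin/Referer check on the incoming POST. The site origin https://app.example, the form field names and the dictionary session store are assumed.

```python
"""Synchronizer-token check for the profile-update form from the walkthrough.

Constructed example, not the blog's code or the test site's code. The site
origin, the field names and the session store below are assumed.
"""
import hmac
import secrets
from typing import Dict, Optional

SITE_ORIGIN = "https://app.example"  # assumed origin of the protected application


def issue_csrf_token(session: Dict[str, str]) -> str:
    """Create a fresh per-session token, store it server side and return it
    so the page can embed it in the form as a hidden field."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def csrf_token_is_valid(session: Dict[str, str], submitted: Optional[str]) -> bool:
    """Constant-time compare of the submitted field against the session copy.
    A request built on another site cannot know this session's token."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    return hmac.compare_digest(expected, submitted)


def request_origin_is_trusted(headers: Dict[str, str]) -> bool:
    """Secondary check on where the POST came from.

    Browsers send Origin on POSTs: a form opened from a local file such as
    the saved test.html sends 'null', and a page on another site sends that
    site. With no Origin, fall back to Referer; with neither, defer to the token.
    """
    origin = headers.get("Origin")
    if origin is not None:
        return origin == SITE_ORIGIN
    referer = headers.get("Referer")
    if referer is not None:
        return referer == SITE_ORIGIN or referer.startswith(SITE_ORIGIN + "/")
    return True


def handle_profile_update(session: Dict[str, str], headers: Dict[str, str],
                          form: Dict[str, str]) -> Dict[str, str]:
    """Apply the update only when both checks pass; otherwise report why not."""
    if not request_origin_is_trusted(headers):
        return {"error": "cross-site request rejected"}
    if not csrf_token_is_valid(session, form.get("csrf_token")):
        return {"error": "missing or invalid CSRF token"}
    return {"name": form["name"], "email": form["email"]}


if __name__ == "__main__":
    session: Dict[str, str] = {}
    token = issue_csrf_token(session)
    # Legitimate submission from the application's own page.
    print(handle_profile_update(session, {"Origin": SITE_ORIGIN},
                                {"name": "Test", "email": "abc@gmail.com",
                                 "csrf_token": token}))
    # The generated PoC opened from disk: Origin 'null' and no token field.
    print(handle_profile_update(session, {"Origin": "null"},
                                {"name": "Test", "email": "abc@gmail.com"}))
```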
Cross-site request forgery is an understated attack technique that can be exceedingly damaging. In some cases it can lead to the complete compromise of a web-based system. We at BriskInfosec take care of complete web application security testing, helping developers build their websites and applications in a secure manner.
For further information please feel free to get in touch with us @ Contact@briskinfosec.com

AUTHOR

Surya
Security Engineer
BriskInfosec Technology and consulting PVT LTD

Thursday, 4 January 2018

TOP ARTIFICIAL INTELLIGENCE TRENDS IN CYBER SECURITY


Artificial intelligence is defined as the study of intelligent agents and devices that perceive the environment around them and take actions that improve their chance of success at some goal. It plays an important role in all fields. AI robots are one of the major inventions of recent years: they take the actions, controls and activities of the human environment and replicate them. AI can encompass anything from Google’s search algorithm onwards.
Today’s artificial intelligence is made to perform a narrow task, such as driving a car on its own. Compared with narrow AI, many researchers plan to create a general AI (AGI or strong AI) that could perform each and every task a human can. This may also lead to some dangerous activities, which is a major drawback of creating such an AI.

ADVANTAGES OF ARTIFICIAL INTELLIGENCE:

Artificial Intelligence is a complicated mixture of computer science, mathematics and other complex sciences. Its major advantages are as follows:
  • Error Reduction
  • Difficult Exploration
  • Daily Application
  • Digital Assistance
  • Repetitive jobs
  • Medical Application
  • No Break

ERROR REDUCTION:

AI is mainly used to detect and minimize errors and to deliver results with higher accuracy. It helps us study the concepts involved in space exploration: AI-driven robots are used to transfer information across space, and the information these robots transfer is highly secured and cannot be modified or copied by an ordinary human.

DIFFICULT EXPLORATION:

It involves the science of robots, mining and other fuel exploration purposes. It acts not only in complex behaviour but also in the exploration of space; due to its programming ability it can perform the process beyond human capability.
In mining, AI plays an important role in detecting the exact place to dig to find natural products like coal, gold and silver. Goldcorp teamed up with IBM Watson to develop an advanced AI feature to find the locations of such natural products.
Reference Link: https://www.techemergence.com/ai-in-mining-mineral-exploration-autonomous-drills/

DAILY APPLICATION:

Computed methods for automated testing, learning, reasoning and our other daily activities fall under AI. Cortana and Siri are used as virtual search engines to help us out; tracking software like maps and cab booking work under GPS. Smartphones are the perfect example of artificial intelligence, and the security chips placed in ATM cards follow AI to secure themselves from fraud.

DIGITAL ASSISTANCE:

Highly advanced organizations use an ‘avatar’ to minimize the work of humans; it interacts with clients and performs tasks based on their requirements. Many people have started to use robots in hotels for serving purposes, and Google Lens is another advanced method to connect with the internet without an authentication process.

REPETITIVE JOBS:

Repetitive jobs are monotonous in nature and can be handed over to machine intelligence, since the machine thinks faster than humans. Machine intelligence can be assigned to perform dangerous tasks, because we can set parameters for robots to perform their actions; it processes the working methods in a secure manner and delivers better results than humans. The PlayStation is one of the best examples: when we play, one component is the user and the other is the AI, which captures the movement of the user and displays the same actions on the screen.

MEDICAL APPLICATION:

In the medical field, doctors assess patients and their health risks using artificial intelligence, which guides the patient to be aware of medicine side effects. It finds huge application in detecting neurological disorders, as it captures the actions performed by the brain. Nowadays, medical applications have developed as far as digital body scanning (scanning your whole body) in an automated manner.
Reference Link: https://www.youtube.com/watch?v=DCtAxUB1bvI

NO BREAK:

Machines, unlike humans, do not require frequent breaks and refreshments; they can perform for long hours and continuously, without getting bored, distracted or tired.

DISADVANTAGES OF ARTIFICIAL INTELLIGENCE

  • High Cost
  • No Replicating humans
  • No improvement with experience
  • Unemployment

HIGH COST:

Creating artificial intelligence machines or robots costs a great deal compared with other automated machines, and repair and maintenance are also expensive. AI also needs upgrades to develop its level day by day, and when an AI machine breaks down or needs maintenance, recovering the code or repairing the machine is costly. This is considered the major drawback of artificial intelligence.

NO REPLICATING HUMANS:

Machines do not have emotions, and this is a drawback of AI because in certain situations they do not know how to take the correct decision at the right time. They either perform incorrectly or break down in such situations.

NO IMPROVEMENT WITH EXPERIENCE:

Unlike humans, artificial intelligence cannot build experience over time. AI stores lots of data but fails to access it at the time it is needed, and it does not have any care or emotional feeling like a human, which is one of the drawbacks of AI compared with humans. It also fails to distinguish between a hardworking individual and an inefficient one.

UNEMPLOYMENT:

Replacing humans with machines leads to large-scale unemployment, which is one of the most socially undesirable phenomena. Humans are becoming lazy nowadays and have started to use machines to complete their work, which leads to the unemployment of many people. If humans start thinking in a destructive way, they can create havoc with these machines; when artificial intelligence is used destructively it can lead to massive destruction in the world.

ROLE OF AI IN CYBER SECURITY:

Machine learning and artificial intelligence play an important role across industries and applications, where they are used for computing power, data collection and analysis against vulnerabilities.
Using AI, exploits can be performed and vulnerabilities detected in an easier, automated way. In many cyber security organizations, employees have started to learn AI and machine learning to develop their standards to the next level.

TOP TRENDS IN CYBER SECURITY:

GDPR (GENERAL DATA PROTECTION REGULATION):

GDPR was mainly prepared for the European Union and sets out how personal data must be stored in a secure manner. It was created mainly for EU citizens; many organizations are not yet compliant with it and are expected to start GDPR compliance by May.

AI AND MACHINE LEARNING ON CYBER DEFENSE:

AI and machine learning play an important role in cyber defence; machine learning modules detect the exact moves of cyber criminals and help InfoSec professionals greatly.

HANDLING DATA BREACHES:

It is impossible to eradicate data breaches completely. Many organizations have started to control breaches under certain conditions, for example by monitoring IoT devices to keep them out of DDoS attacks; common causes remain misdirecting potential victims and failing to patch known vulnerabilities. We can hope that data can be entirely controlled in the upcoming years.

DEVELOPING A COMMON LANGUAGE:

There is positive growth in the cybersecurity realm, not least the creation and adoption of things like the NIST Cybersecurity Framework. More cybersecurity experts and organizations are planning to develop a common language in the field of cybersecurity to make the process easier.

APPLICATION TESTING:

Applications lead to a large number of data breaches because security testing of applications is not properly maintained. To control this, everyone should put fresh effort into patching and app testing in the coming year, and by this we would see a dramatic drop in data breaches.

ARTIFICIAL INTELLIGENCE TOOLS:

  • Google Now
  • Intelligent Personal Assistants
  • Crystal knows
  • Textio
  • Enlitic
  • Digital Genius
  • TAMR
  • Intraspexion
  • Recorded Future
  • Conversica

COMPANIES TRYING TO IMPROVE AI IN CYBER SECURITY:

AI FOCUS ON MALWARE:

AI mainly focuses on malware rather than exploits. It checks every suspicious file within a folder, or checks CPU instructions and API imports, and can detect malware through limits on memory or I/O operations. Detection starts from the exploitation stage: if malware is sent to the computer, it starts with an exploit, after which malicious shellcode can be delivered through the browser, Microsoft Office or Adobe Reader. Finally, AI malware detection checks the memory level and I/O operations; once they are outside the expected level, the file is considered malicious.
After malware detection, AI can also be bypassed using AI evasion techniques: the malware redirects its path by detecting the AV and bypasses the AI’s malware detection, so the AI fails to detect the malware. These techniques are explained as follows.
Still, AI fails to detect zero-day attacks. Many AI methods have been developed to detect advanced threats and zero days, but so far they fail; development on detecting advanced-level threats is in progress.

SUB INDUSTRY ARTIFICIAL INTELLIGENCE:

Artificial intelligence statistics across every industry are described in the above figure.

BOOKS ON ARTIFICIAL INTELLIGENCE:

Reference Link: http://bigdata-madesimple.com/20-free-books-to-get-started-with-artificial-intelligence/

CONCLUSION:

As cyberattacks become more sophisticated, cybersecurity teams are tasked with adapting their technology to find new anomalies. Organizations face millions of threats each day, making it impossible for a security researcher to analyze and categorize them all. This task can be done efficiently using machine learning.
A more efficient cybersecurity process can help reduce costs and streamline the process. Artificial intelligence and machine learning can rapidly and efficiently detect threats, resolve them and prevent them in the shortest possible time with the greatest potential for resolution.

AUTHOR

RamKumar
Security Engineer
BriskInfosec Technology and Consulting PVT LTD
Follow me @ https://www.linkedin.com/in/ram-kumar-3439b511a/

Wednesday, 3 January 2018

YSO – Opensource MOBILE SECURITY FRAMEWORK

YSO is a Mobile Security Framework capable of performing static and dynamic analysis on mobile applications. It supports only APK (Android) and IPA (iOS) files. Mobile app testing normally relies on various tools to decompile, debug and code-review, which consumes a lot of time; with this framework we can check for various mobile issues like:
  • Insecure Data Storage
  • Insecure Communication
  • Insecure Authentication
  • Certificate Pinning
  • Backup Data’s Enabled etc.
The above are the major mobile issues that commonly occur.
Static analysis is used for automated code review and detects insecure permissions and configuration issues. It also detects insecure code such as SSL overriding, SSL bypass, weak crypto, obfuscated code, improper permissions, hard-coded secrets, improper usage of dangerous APIs, and leakage of sensitive/PII information.
Dynamic analysis is slightly more difficult to configure. It mainly runs on a VM or on a configured device and detects issues at run time. Further analysis is done on the captured network packets, decrypted HTTP traffic, dumps, logs, etc.
This tool is highly scalable: you can easily add your own custom rules, use the framework’s results as a starting point for detecting mobile application issues manually, and finally the overall report is saved to the folder you selected.
Requirements:
Notes:

STATIC ANALYSIS APK RESULTS:

CERTIFICATE ISSUE:
Static Analysis in IOS result:

CONFIGURING STATIC ANALYZER:

Tested on Windows 7, 8, 8.1, Ubuntu and OS X Mavericks.
Install Django version 1.8:
   pip install Django==1.8
Here I have installed Django on Linux.
Django is a web application framework that makes the process easier because it has some automated tools built in, so it produces results in a short interval of time.
YSO Framework configuration in Linux:
I have configured the YSO Framework and started the server.
Configuration link: http://127.0.0.1:8000/
Once you have entered this URL in your browser you will get a page as follows:

YSO EXECUTION ON BROWSER:

In this framework you can upload the particular APK or IPA file that you are going to test, and it produces the result shown in the above figure.

CONCLUSION:

In this blog we have discussed the installation, configuration and working method of the YSO mobile application framework, and we also discussed the results produced for a particular APK or IPA file.
YSO Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. We have been depending on multiple tools to carry out reversing, decoding, debugging, code review and pen-testing, and this process requires a lot of effort and time. YSO Mobile Security Framework can be used for effective and fast security analysis of Android and iOS applications.
BriskInfosec provides the best mobile security solutions. For further doubts and security solution advice reach us @ Contact@briskinfosec.com

AUTHOR

RamKumar
Security Engineer
BriskInfosec Technology and Consulting PVT LTD
Follow me @ https://www.linkedin.com/in/ram-kumar-3439b511a/