Category: Web Application Security

Burp Suite Keyboard Shortcuts!

If you use Burp Suite a lot then you’ll no doubt love the interface – moving between tools is really fast and the interface is just friendly; however I recently heard someone complaining that it’s annoying that it’s mouse-only and you can’t use hotkeys to swap between tabs and move between tools…but you can!

Continue reading: Burp Suite Keyboard Shortcuts!

SOP: Same-Origin Policy Basics

Same-Origin Policy (SOP) is a critical part of the security implemented within a web browser. It’s the part of your browser’s security system that prevents malicious pages from reading confidential information from other sites. So thepiratebay.com can’t read data from barclays.com because it’s blocked by SOP.

Continue reading: SOP: Same-Origin Policy Basics

A Vulnerability in Apache Struts

CVE-2014-0094 and CVE-2014-0050

Struts is an extensible framework used for creating enterprise Java Web Applications.

In Struts 1.x there is a problem related to how the ActionForm bean population machanism works, whereas in Struts 2.x there is an issue in how ParametersInterceptor allows access to the ‘class’ parameter that is directly mapped to the getClass() method and allows ClassLoader manipulation. Long story short, this can allow attackers to execute arbitrary Java code remotely.

This issue was believed fixed in March 2014 (Apache Struts Security Bulletin S20-020), however on April 24, 2014, the Apache Software Foundation released an announcement warning that the original issued patch for the vulnerability in Apache Struts up to version 2.3.16.1, did not fully patch the vulnerability.

Affected

Apache Struts <= 1.3.10 and 2.0.0 – 2.3.16.1

Proof-of-Concept

One way to manually discover this vulnerability is to attempt to cause a strong class error in the parser, this should not cause any harm to the server but should prove the existence of this issue, by showing a 500 error. The following payloads can be supplied to GET and POST parameters:

 

Tomcat 7: “Class[‘classLoader’][‘resources’][‘dirContext’][‘cacheTTL’]=foo”
Tomcat 8: “Class[‘classLoader’][‘resources’][‘cacheObjectMaxSize’]=foo”

Alternatively, the following payload will have a similar effect:

Tomcat 7: “Class[‘classLoader’][‘resources’][‘cacheObjectMaxSize’]=foo”
Tomcat 8: “Class[‘classLoader’][‘resources’][‘context’][‘effectiveMajorVersion’]=foo”

 

Further Reading

http://struts.apache.org/release/2.3.x/docs/s2-020.html
http://struts.apache.org/announce.html#a20140424

 

CRIME against TLS?

Compression Ratio Info-leak Made Easy

CRIME is an attack against SSL, like Heartbleed, but it has a much smaller probability of exploitation. The authors of CRIME also wrote the BEAST attack. The attack can allow an attacker to recover web cookies and thereby perform session hijacking attacks, much like BEAST and the specific restrictions for the attack are similar. The attacker requires the ability to repeatedly inject predictable data whilst monitoring the resulting encrypted traffic. This requires the attacker to achieve two main prerequisites before the attack is possible: the attacker must be able to observe network traffic and manipulate the victim’s browser to submit requests to the target site.

The manipulation could be possible through Cross-site scripting attacks; JavaScript is not required and an attack could be possible with HTML Injection alone however it would be less efficient.

For CRIME to be possible the server must support compression of the request before encryption. TLS supports DEFLATE which is vulnerable, as is SPDY. The client must also support compression but only a small percentage of browsers do.

What is BEAST?

Browser Exploit Against SSL/TLS

BEAST is an attack against SSL/TLS which is the cryptographic system that protects data sent online. A practical attack was found to be possible against TLS v1.0 and SSLv3.0 (and below). The issue is that the Initialisation Vector (IV) utilised as part of the encryption process can be determined by an attacker. IVs are utilised to prevent encrypted data from being deterministic, they essentially make it harder for attackers to determine patterns in encrypted data. Without them if a repeating pattern is evident in the plaintext then it will be evident in the ciphertext and this type of informations is greatly useful to an attacker. IVs are designed to prevent this, however with the BEAST attack they are shown to be deterministic which greatly reduces their use as a protection mechanism.

It reduces the protection but the deterministic nature is of limited use to an attacker and they are only able to retrieve small amounts of information from the encrypted data, however with attacks against web applications small amounts of data can cause a large impact – if an attacker is able to retrieve information such as session tokens.

Continue reading: What is BEAST?