[Weekly Viewing] You and Your Research & Ruby 2.0

This week we have another two videos lined up for you. The first, by Haroon Meer, I was lucky enough to see in person at Brucon 2011. It is one of the best talks I have ever had the privilege to see, by anyone. If you're ever going to watch one of these 'Weekly Viewing' videos of mine, make it this one. The second video is by Matz, the creator of Ruby, in which he talks about Ruby's development and the new features of Ruby 2.0. In his talk Matz says that Ruby 1.8 will die soon. So update already! ;)

#HITB2012KUL D1T2 - Haroon Meer - You and Your Research

[Weekly Viewing] Web App Security and Zero Days

This is the first of hopefully many weekly posts in which I will share online security-related videos that I've watched during the week and think are worth sharing. This week I've got two great videos lined up for your viewing pleasure.

[OWASP AppSec USA 2012] Effective Approaches to Web Application Security - Zane Lackey

In this video Zane Lackey from Etsy talks about how to make a developer's job easier by making things safe by default, how to detect risky functionality, and how to automate aspects of web application security monitoring and response.

Sony Freedom Of Information (FOI) Request

On the 14th of January the UK Information Commissioner's Office (ICO) sent Sony Computer Entertainment Europe Limited a monetary penalty notice of £250,000 following 'a serious breach of the Data Protection Act'. To quantify how much the ICO was fining Sony per user's data, the exact number of UK PSN users would need to be known. A couple of sources put this number at 3 million, but I'm not sure where the original 3 million figure came from nor how accurate it really is [0][1]. If we were to take this 3 million figure at face value, the ICO fined Sony (£250,000 / 3,000,000) about £0.000083 per user's data. According to the ICO, £250,000 is 'reasonable and proportionate' in this case. To get a more accurate figure I sent the ICO a FOI request asking for the redacted figure in the monetary penalty notice document, which simply states "The Network Platform was used by an estimated REDACTED million customers in Europe, the Middle East, Africa, Australia and New Zealand with REDACTED million of those customers based in the UK.".

WordPress plugin Asset manager upload.php Arbitrary Code Execution

The 'Inj3ct0r Team' compromised an ExploitHub.com database and publicly released a file containing some of the data about the exploits that ExploitHub buys and sells. I saw the file yesterday and had a quick skim over it, but didn't think too much of it. That is, until WPScan team member @gbrindisi pointed out that it contained 2 WordPress plugin vulnerabilities.

Introduction to the WordPress XML-RPC API

WordPress 3.5 was recently released and now comes with the WordPress XML-RPC API "always enabled". Personally I think this adds unnecessary risk by increasing the attack surface. How many WordPress users actually use the API? I would put my money on it being a very small fraction; either way, I'm sure the WordPress Core Development team had good reason to enable the API by default. After spending 5 minutes looking for where to turn the API off in WordPress 3.5 I gave up. Huh, I'll have another look sometime soon. I've had a play with the API in the past; however, I've always found it hard to get going, as the information on how to interact with the API is a bit sparse. Having played with it for an hour or so this evening I thought I'd share some information on how to get started (as well as a self-reminder ;). The latest API calls can be found on WordPress's Codex here. It doesn't list all available calls; to find these, let's extract them from the 'wp-includes/class-wp-xmlrpc-server.php' file.
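The extraction step above, as an added Ruby example (this is not WordPress code): it pulls the method names out of the '$this->methods' array that class-wp-xmlrpc-server.php registers, groups them by namespace, and builds the XML-RPC request body a client POSTs to /xmlrpc.php. The PHP excerpt inside the script is a constructed sample in the shape of that array, not a copy of the real file; pass the real file's path as the first argument to list the actual methods, and an xmlrpc.php URL as the second to send a 'system.listMethods' call to it.

```ruby
#!/usr/bin/env ruby
# Added example, not WordPress code: list the XML-RPC methods registered in
# wp-includes/class-wp-xmlrpc-server.php and build the <methodCall> body that
# is POSTed to /xmlrpc.php.
#
# Usage: ruby wp_xmlrpc.rb [class-wp-xmlrpc-server.php] [http://target/xmlrpc.php]
require 'net/http'
require 'uri'

# Constructed sample in the shape of the $this->methods array, NOT the real file.
SAMPLE_PHP = <<'PHP'
    $this->methods = array(
        // WordPress API
        'wp.getUsersBlogs'      => 'this:wp_getUsersBlogs',
        'wp.newPost'            => 'this:wp_newPost',
        'wp.getPosts'           => 'this:wp_getPosts',
        // Blogger API
        'blogger.getUsersBlogs' => 'this:blogger_getUsersBlogs',
        // Pingback
        'pingback.ping'         => 'this:pingback_ping',
        // Demo
        'demo.sayHello'         => 'this:sayHello',
        'demo.addTwoNumbers'    => 'this:addTwoNumbers'
    );
PHP

# Extract the 'namespace.method' keys of the $this->methods array, in file order.
def xmlrpc_methods(php_source)
  body = php_source[/\$this->methods\s*=\s*array\((.*?)\);/m, 1]
  return [] unless body
  body.scan(/'([A-Za-z]+\.[A-Za-z0-9_.]+)'\s*=>/).flatten.uniq
end

# Group method names by namespace (wp, blogger, metaWeblog, mt, pingback, demo).
def methods_by_namespace(names)
  names.group_by { |name| name.split('.').first }
end

# Serialise one parameter as an XML-RPC <value>; only ints and strings are
# needed for the calls shown here, strings are XML-escaped.
def xmlrpc_value(param)
  return "<value><int>#{param}</int></value>" if param.is_a?(Integer)
  escaped = param.to_s.gsub('&', '&amp;').gsub('<', '&lt;').gsub('>', '&gt;')
  "<value><string>#{escaped}</string></value>"
end

# Build the <methodCall> document for a method and its positional parameters.
def xmlrpc_request(method, params = [])
  param_xml = params.map { |p| "<param>#{xmlrpc_value(p)}</param>" }.join
  '<?xml version="1.0"?><methodCall>' \
    "<methodName>#{method}</methodName><params>#{param_xml}</params>" \
    '</methodCall>'
end

# POST a request body to a live xmlrpc.php and return the raw XML response.
# Only used when a URL is given on the command line (needs network access).
def post_xmlrpc(url, body)
  Net::HTTP.post(URI(url), body, 'Content-Type' => 'text/xml').body
end

if __FILE__ == $PROGRAM_NAME
  source = ARGV[0] && File.exist?(ARGV[0]) ? File.read(ARGV[0]) : SAMPLE_PHP
  methods_by_namespace(xmlrpc_methods(source)).each do |ns, names|
    puts "#{ns}: #{names.join(', ')}"
  end
  puts xmlrpc_request('system.listMethods')
  puts xmlrpc_request('demo.addTwoNumbers', [2, 3])
  puts post_xmlrpc(ARGV[1], xmlrpc_request('system.listMethods')) if ARGV[1]
end
```

'system.listMethods' needs no credentials, so it is the quickest check for whether a 3.5 install exposes the API at all; the wp.* and blogger.* methods all take a username and password among their parameters, which is why the endpoint matters to anyone guessing passwords. WordPress 3.5 dropped the admin setting, but a plugin or theme can still switch the API off with add_filter( 'xmlrpc_enabled', '__return_false' );.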

Female hackers at Abertay University

Having completed a similar course at a different university, it is great to see that Abertay is attracting female students.

Implementing Basic Static Code Analysis into Integrated Development Environments (IDEs) to Reduce Software Vulnerabilities

This is the paper that I submitted for my undergraduate dissertation in Ethical Hacking for Computer Security. The title (a mouthful): 'Implementing Basic Static Code Analysis into Integrated Development Environments (IDEs) to Reduce Software Vulnerabilities'. The paper talks about software security, modern software development, software development life cycles, static code analysis and a lot more. Since submitting it I have noticed some mistakes, so I'm not putting this out there as a 'perfect paper'.

The paper covers the research behind, and the implementation of, DevBug, an online PHP Static Code Analysis tool written mostly in JavaScript.

Feel free to have a read through. I won't be making any future amendments, as I was sick of looking at it by the time I submitted it, but I thought I would put it out there in case it was useful to others learning about software security. It is a bit dry in places, be warned!

Implementing Basic Static Code Analysis into Integrated Development Environments (IDEs) to Reduce Software Vulnerabilities

Top 5 Blog Posts

I've been running this blog now since November 2008. As the blog's 4 year anniversary is approaching I thought I would share with you the 5 blog posts which have received the most hits within that time.

1. DropBox Security - 20,494 hits
2. Introducing WPScan – WordPress Security Scanner - 13,012 hits
3. Setting up Tor on BackTrack - 10,538 hits
4. WordPress Brute Force Tool - 10,017 hits
5. [Interview] The Jester - 7,475 hits

Probably not my personal top 5 blog posts but, nevertheless, the ones that get the most hits. If you would like to guest post on ethicalhack3r.co.uk in Spanish, English or French get in contact!

Concrete5 5.5.2.1 Multiple Authenticated Cross-Site Scripting (XSS)

# Exploit Title: Concrete5 5.5.2.1 Multiple Authenticated Cross-Site Scripting (XSS)
# Date: 2012-08-25
# Author: Ryan 'ethicalhack3r' Dewhurst (www.ethicalhack3r.co.uk)
# Software Link: http://sourceforge.net/projects/concretecms/files/concrete5/5.5.2.1/
# Version: 5.5.2.1

1. Vulnerability Description

Multiple authenticated Cross-Site Scripting (XSS) vulnerabilities were identified within Concrete5 version 5.5.2.1. Some cookie security improvements were also reported. The first Concrete5 advisory can be found here [1].

2. Software Description

"CMS made for Marketing but built for Geeks", concrete5 [0] is a content management system that is free and open source.

3. Vulnerability Information

Sunday Ruby Coding: Caesar Cipher (ROT) Encoder/Decoder

It has been a rainy Sunday so I wrote a Caesar Cipher (ROT) Encoder/Decoder in Ruby to ease the boredom.

#!/usr/bin/env ruby

#
# Caesar Cipher (ROT) Encoder/Decoder - Ryan 'ethicalhack3r' Dewhurst - 05.08.2012
#

ALPHABET = ('a'..'z').to_a

# Rotate every letter of text by shift positions, wrapping around the
# alphabet with modulo 26 (a position one past 'z' must land on 'a', not 'b').
# Whitespace is stripped and the text lower-cased first; any other character
# that is not a letter is passed through untouched rather than crashing.
def rotate(text, shift)
  text.gsub(/\s+/, '').downcase.each_char.map { |char|
    position = ALPHABET.index(char)
    position ? ALPHABET[(position + shift) % 26] : char
  }.join
end

# Print all 26 rotations of the plaintext, labelled by the letter that the
# first character of the plaintext is shifted to.
def encode(plaintext)
  first = ALPHABET.index(plaintext.strip.downcase[0])

  ALPHABET.each do |letter|
    shift = ALPHABET.index(letter) - first
    puts "Shifted #{shift} to '#{letter}' - #{rotate(plaintext, shift)}"
  end
end

# Brute-force a ciphertext: assume its first character decodes to each letter
# in turn and print the candidate plaintext for that shift. A ROT cipher has
# only 25 non-trivial keys, so the real plaintext is always in this list.
def decode(cipher)
  first = ALPHABET.index(cipher.strip.downcase[0])

  ALPHABET.each do |letter|
    shift = ALPHABET.index(letter) - first
    puts "Shifted #{shift} to '#{letter}' - #{rotate(cipher, shift)}"
  end
end

puts '[Decode]'
decode('W KHTXLFNEUZQ IRA MXPSVR  YHU WKH ODCB GRJ')
puts '[Encode]'
encode('plaintext')

Freedom of Speech on Social Media

There have been many cases recently where people in the UK have been arrested under the Malicious Communications Act 1988, as well as other laws such as the Communications Act 2003 and the Terrorism Act 2006, for what they have said on social media web sites such as Twitter or Facebook. Paul Chambers seems to have been the first person in the UK to be arrested for what he said on Twitter, in 2010. He later appealed and recently had his conviction quashed. Some of these UK cases include:
  • Tom Daley Twitter abuse: Police arrest boy in Weymouth
  • Man arrested after airport bomb joke on Twitter
  • Twitter users in incitement arrest warning after riots
  • Cyber cops arrest man, 61, for menacing chick-lit MP
  • UK Riots 2011: Police Arrest Three Individuals For Attempting to Incite New Riot
  • Flash mobs or splash mob? UK man arrested for planning water pistol fight.
  • Tory is arrested for Twitter call to kill columnist
  • Scottish teens arrested for posting on Facebook

StaticBurp - Burp Suite potential DOM XSS Analysis

A few weeks ago I had an idea. When I get ideas that I think have something worthwhile in them I note them down for future reference. The three main points to get this working were:
  • Take Burp response body.
  • Extract JavaScript.
  • Perform Taint Analysis.

The first step was to somehow extract HTML responses from Burp Suite; luckily someone had already written a Ruby Burp extender called Buby. I followed this awesome series of blog posts to get myself acquainted with Buby. The next step is to extract the JavaScript from the HTML responses, which is quite trivial to do with the Nokogiri Ruby gem. The third step is to analyse the extracted JavaScript for sinks, sources and securing functions (taint analysis). This was the hard part, for me at least. Finding good lists of DOM sources, sinks and securing functions proved to be hard; I did find some data, but in the end this is where I stopped pursuing my idea.

DevBug - PHP Static Code Analysis

My final year university dissertation was on the topic of Static Code Analysis, specifically the integration of IDEs (Integrated Development Environments) with Static Code Analysis. The idea was to make Static Code Analysis accessible to the developer, without them having to install and use additional specialist Static Code Analysis software. Due to my familiarity with PHP and its lack of interpreter taint analysis I decided that I would write a PHP Static Code Analysis application. The PHP Static Code Analysis tool I developed is called DevBug; it is an online PHP Static Code Analysis tool written mostly in JavaScript (jQuery). The Static Code Analysis engine uses the sources, securing functions and sinks data from the awesome RIPS Static Code Analysis tool to identify specific PHP functions that can cause or remediate vulnerabilities arising from user input. DevBug uses Taint Analysis to identify tainted variables, follows the tainted variables through the code, untaints the variables if they are secured and finally detects whether or not tainted variables end up in sensitive sinks. The IDE used is called CodeMirror, which provides a code editing area, syntax highlighting, line numbering and an API. CodeMirror was slightly modified to detect deprecated PHP functions and highlight them.

Old School hacking

Back in the late nineties, around 1999, my mother bought me my first computer. Around this time The Matrix was released, which, as a young boy with a new computer, had me Yahoo'ing (Google was largely unknown) for the term 'hacking'. Back then Yahoo! Chat was still around and had a chat room called the 'Hackers Lounge'; everyone in there was talking about all sorts of cool things you could do with computers that I had never heard of before. With hindsight, most of the people in the chat room were script kiddies who knew how to run a few Windows GUI 'hacking' tools and were largely acting like they were the kings of the Internet. At the time I wanted to learn about all of the cool things they knew. I started downloading and learning how to use these 'hacking' tools on my guinea-pig friends and family (my siblings soon grew tired of me remotely opening and closing their CD-ROM drives). Some of these tools are still actively developed and used today, and are invaluable to modern penetration testing and security audits. For the sake of nostalgia, I present to you some of the coolest, most 1337 'hacking' tools that I and others used 'back in the day'. Warning: download links not verified.

Legion by Rhino9
Use: Windows Null Session share scanner.
Released: 1999
Platform: Windows
Further Info: http://www.informit.com/articles/article.aspx?p=26263&seqNum=5
Download: http://packetstormsecurity.org/files/14711/legion.zip.html

Wireless Man In The Middle (MITM)

This is a recent piece I did for the BBC Inside Out programme that originally aired on February 6th. In the video I demonstrate a wireless Man In The Middle (MITM) attack in a coffee shop using a FON+ wireless router, Karma and Jasager. Oh, and they're the ones who call me an 'expert'; personally, I hate the term and would never call myself one.