Monday, February 25, 2008

So I was messing around with Ruby...

As I try to learn a bit more about Ruby I was playing with the number objects. For some reason I wrote this....

98.downto(1) { | i | print "#{i.succ} bottles of beer on the wall, take one down pass it around #{i} bottles of beer on the wall\r\n"}

Maybe I had a flash back to my childhood or maybe I was just bored and had to write something semi-funny. Anyways it sure makes the song go by quickly.

Labels: ,

Monday, February 11, 2008

Follow-up to hackable hacking contest...

It has been a few days since I posted about the hackable hacking contest.  I wanted to give you guys a few days to play around to see if you could find the bug.  In this post I am going to go through the bug and how it works.  I am also going to touch on ways that they could have coded it so this wouldn't have happened (there is a small satisfaction in finding these issues, but creating a proper fix is much more fun in my opinion). 

Scenario:  
This hacking contest checks to see how proficient you are at XSS.  It then looks for a specific value to see if you successfully found the bug.  

Initial Investigation: 
When first going to the site I did the first step just to see how the application normally worked.  No big deal.  However, when you look at the HTML you will see that there is a javascript file called "script.js".  What does script.js look like?


eval(function(p,a,c,k,e,r){e=function(c){return(c35?String.fromCharCode(c+29):c.toString(36))};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('e=7.4;6=0;f g(a){7.4=e;8(a==5.h){8(6==0)6=1;4(a);7.u(\'j()\',v)}k{4(a);4("w x 5.h!!")}}7.4=g;f j(){8(6==1){6=2;3="";o=z(5.9("A").B);C(l i=0;i< o.d;i++){l y="o.E(i);3+=F.G(y-1)}3=H(3);8(3=="I"){m="\\J\\K";5.9("c").n="< b" p="\'q\'">r!! &d; "+"L M. &d;T U."}k{5.9("c").n="r!! &d; "+"V W "+3+"."}5.9("c").X.Y=""}}',61,61,'|||ty|alert|document|ok|window|if|all||span|msg|nbsp|orgAlert|function|newAlert|domain||nextstg|else|var|sj|innerHTML||id|h3|Congratulations|href|x6e|setInterval|500|Please|use||unescape|key|value|for|length|charCodeAt|String|fromCharCode|escape|ending|061|071|The|End|x52|x61|x6b|x49|x67|php|show|ranking|Next|stage|style|display'.split('|'),0,{}))

Pretty ugly, eh?

By looking at the code we see that it is obfuscated by using a packer function. An easy way to get around this is to replace the eval call with alert. You can simply do that by putting javascript: in your browser pasting in this long string of javascript and replacing eval with alert. It would look something like the below screen shot.

You will then get an alert box.  While the alert box is up hit ctrl  + c (or splat + c if you are on a mac) so we can get the javascript on to the clipboard.  It is a bit ugly still so use a JavaScript beautifier and then we can start reading.  

orgAlert = window.alert;
ok = 0;
function newAlert(a) {
window.alert = orgAlert;
if (a == document.domain) {
if (ok == 0) ok = 1;
alert(a);
window.setInterval('nextstg()', 500)
} else {
alert(a);
alert("Please use document.domain!!")
}
}
window.alert = newAlert;
function nextstg() {
if (ok == 1) {
ok = 2;
ty = "";
o = unescape(document.all("key").value);
for (var i = 0; i < y =" o.charCodeAt(i);" ty =" escape(ty);" ty ="=" sj = "\061\071" innerhtml = "Congratulations!!   " the="">show ranking."
} else {
document.all("msg").innerHTML = "< span id='h3'>Congratulations!!   " + "Next stage " + ty + "."
}
document.all("msg").style.display = ""
}
}

Ahh much better!

Hmm, now this code looks interesting. Lets figure out what it is doing. The first line of code holds the original alert method call in a variable and then a few lines down we see they are overriding the original alert with their own function "window.alert = newAlert;." For those new to JavaScript might be a little confused. But the beauty and curse of JavaScript is that it is possible to overwrite any method or class with your own. 

The newAlert function is where things go south. This method is called whenever a page gets an alert and then checks to see if the text for the alert is "document.domain" if so it will call the nextstg method which will display a link to the next stage so a user can advance. 

The Attack:
What happens if we let the page load and then manually execute some JavaScript? Oh look we pass the stage. All we have to do is put the following string "javascript:alert(document.domain)" into the address bar after the page loaded. That is it we are done and we can now look like we are all l33t without actually knowing anything :).

Some other interesting tidbits about this contest:
1) Every page they name it differently so a person can't just guess the page name.
2) They use lame obfuscation to store the next page name in the "key" hidden form field.

General Testing Strategies Used:
1) We used the site briefly to see how it is supposed to operate under normal usage.
2) We looked at the client-side code and the public interface exposed to people via the browser.
3) Seeing that there was some JavaScript we should exercise. We used the javascript protocol handler in the browser to execute the JavaScript on the current page to see what would happen.

Possible Fix:
A proposed fix that I would do is since this is a controlled environment and the contest is looking for a specific test. We could hold in a database or in a file that was not directly accessible via the web of the patterns we are expecting for each stage. This would allow for the contest to continue but make it much harder to attack. The only hard part is if someone knew a different pattern that allowed for the same attack to happen. This might happen. But one would hope that if you are writing this contest you know the majority of the variants :).

Labels: ,

Saturday, February 09, 2008

Does knowing ____ mean you understand ____?

If someone knows a certain thing does that mean they understand a related idea and/or concept? For example if someone knows how to speak English does that mean they understand proper sentence structure? Or, does knowing a set of programming APIs mean you understand the software development life cycle? This is not the case - at least in my experience - there have been way too many examples of people doing things without understanding the underlying concept/theory/principle. But wait isn't there a balancing act on this matter? Most people don't need to know sentence structure. I mean would you teach your four year old sentence structure before learning to speak and write? I don't think so.

Yet many people judge or will give people different amounts of clout depending on their background. I think this happens because of our primitive survival instinct (i.e. will this guy kill or help me?). How does this affect our day to day lives though? Since 99% of the time now we are hopefully pretty safe.

We also apply these types of judgments when we interview people for different jobs. When you think about it a job interview is basically a pro-longed snap judgment. Usually a potential employer is given 30-60 minutes to figure out if the candidate:

* Fits with the team
* Has the necessary skills
* Is not completely off his rocker
* Why they decided to come here and try and convince you to give them money

An employer needs to give some type of litmus test to the candidate to figure out the answer to these questions. This is where it gets challenging, IMHO. From my experiences in the technology field very few companies will test you on general information and/or skills that transcend a specific technology for example:

* What separates a good person in a position from the bad?
* How do they keep up with the latest technology in their field?
* If they have knowledge in related areas that will help them succeed?

Instead the majority of people focus on questions like:
* Do you know API X?
* Do you know technology X?
* How many years of experience do you know in X?
* How does one do X in technology Y?

What does this tell an employer? It tells them if they know X but does that mean they understand the underlying idea/concept? Granted an employer needs to ask the question first on if the candidate even needs to understand the underlying concepts for the particular job. We will make the assumption that this is a concern and they should know the concepts. This means that knowing a certain technology doesn't mean a candidate knows specific concepts. Does that mean people should go off and start learning all the underlying concepts and not focus on a specific thing? I don't think so, if everyone did that nothing would ever get done and we would be a bunch of philosophers :).

So, just remember next time you are evaluating someone or you think that person is "smart" do you believe that because they know a certain X or because they have proven that they understand an underlying concept. Because in the long-term knowing those underlying concepts or ideas will pay off in spades over knowing a certain X.

Related Links: here, here

Friday, February 08, 2008

Hackable Hacking Contest

One of my fellow teammates sent an email to an XSS(cross-site script) hacking contest site that was hackable.  If you don't know about XSS or need some practice it might be a fun site for you.  However, it was more fun to find the hack to beat the contest without really trying (yea I am lazy).  

I won't tell you the solution to the hack as that takes out some of the fun.  Check out the site if you want at http://xss-quiz.int21h.jp/.   

There is a moral to this. Know the audience you are creating a product for!  Be it software, chocolates, coffee, beer, t-shirts, reports, etc... 

Labels: ,

Tuesday, February 05, 2008

My first squidoo lens


I have created my first squidoo lens.  Any feedback is appreciated!  It can be found at http://www.squidoo.com/appsec