‘Ardilla’ Automatically Roots Out SQL Injection And XSS, Generates Attacks

June 18, 2009 – 9:14 PM

Researchers have built a tool that automatically finds and exploits SQL injection and cross-site scripting vulnerabilities in Web applications.

The so-called Ardilla tool uses a technique developed by the researchers — MIT’s Adam Kiezun, the University of Washington’s Michael Ernst, Stanford’s Philip Guo, and Syracuse University’s Karthick Jayaraman — that creates inputs that pinpoint bugs in Web applications and then generates SQL injection and XSS attacks. Ardilla is for PHP-based Web apps.

“Our technique creates real attack vectors, has few false positives, incurs no run-time overhead for the deployed application, works without requiring modification of application code, and handles dynamic programming-language constructs,” the researchers wrote in their paper (PDF).

The researchers say that, using the tool, they found 68 previously unknown vulnerabilities in five different PHP applications: 23 SQL injection and 45 XSS flaws.

“The technique generates sample inputs, symbolically tracks taints through execution (including through database accesses), and mutates the inputs to produce concrete exploits,” the researchers wrote. It also catches the more dangerous form of XSS, persistent (stored) XSS. In a persistent XSS attack the malicious code is stored on the website for a period of time, and all a user has to do is view the page to get infected.
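A small illustration, added here and not Ardilla's code, of why the taint tracking has to follow values through database accesses to catch persistent XSS: the untrusted string is written on one request, read back on a later one, and only escaping at the output sink clears the taint. The in-memory list standing in for the database and all sample values are constructed.

```python
import html

class Tainted(str):
    """str subclass that carries a taint flag; strings built from it stay tainted."""
    def __new__(cls, value, tainted=True):
        obj = super().__new__(cls, value)
        obj.tainted = tainted
        return obj
    def __add__(self, other):
        return Tainted(str.__add__(self, other), self.tainted or getattr(other, "tainted", False))
    def __radd__(self, other):
        return Tainted(str.__add__(other, self), self.tainted or getattr(other, "tainted", False))

def untrusted(value):
    """Source: anything coming from a request parameter enters tainted."""
    return Tainted(value, True)

def sanitize(value):
    """Escaping clears the taint: the HTML sink can no longer interpret it as markup."""
    return Tainted(html.escape(str(value), quote=True), False)

COMMENTS = []  # constructed stand-in for the application's database table

def store_comment(text):
    """Write path: the taint travels into the 'database' together with the value."""
    COMMENTS.append(text)

def load_comments():
    """Read path: a later request reads the stored value back, taint intact."""
    return list(COMMENTS)

def render_comments(escape_on_output):
    """HTML sink. Returns (page, violations); a tainted value reaching this sink
    on a later request is exactly the persistent-XSS pattern the paper targets."""
    page, violations = "", []
    for c in load_comments():
        if escape_on_output:
            c = sanitize(c)
        if getattr(c, "tainted", False):
            violations.append(str(c))
        page = page + "<li>" + c + "</li>"
    return page, violations
```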

Source:
http://www.darkreading.com/security/app-security/showArticle.jhtml?articleID=218100143

Apache HTTP DoS Tool Released

June 18, 2009 – 6:51 AM

Yesterday an interesting HTTP DoS tool was released. The tool performs a denial of service attack on Apache (and some other servers, see below) by exhausting available connections. While there are a lot of DoS tools available today, this one is particularly interesting because it holds the connection open while sending incomplete HTTP requests to the server.

In this case, the server will open the connection and wait for the complete header to be received. However, the client (the DoS tool) will not send it and will instead keep sending bogus header lines, which keep the connection allocated. The initial part of the HTTP request is completely legitimate:

GET / HTTP/1.1\r\n
Host: host\r\n
User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; Trident/4.0; .NET CLR 1.1.4322; .NET CLR 2.0.503l3; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; MSOffice 12)\r\n
Content-Length: 42\r\n

After sending this the client waits for a certain time. Notice that the request is missing one CRLF to finish the header, which is otherwise completely legitimate. The bogus header line the tool currently sends is:

X-a: b\r\n

This obviously doesn’t mean anything to the server, so it keeps waiting for the rest of the header to arrive. Of course, all of this can be changed, so if you plan to create IDS signatures keep that in mind.

According to the web site where the tool was posted, Apache 1.x and 2.x are affected as well as Squid, so the potential impact of this tool could be quite high considering that it doesn’t need to send a lot of traffic to exhaust available connections on a server (meaning, even a user on a slower line could possibly attack a fast server). Good news for Microsoft users is that IIS 6.0 and 7.0 are not affected.
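Since the diary points out that the filler line can be changed at will, a detection that matches the literal "X-a: b" would be trivial to evade. The following per-connection check, added here as an example (not the tool's code and not from the ISC diary), classifies a connection by timing instead: a request whose header is still incomplete after a deadline, arriving in small fragments, is the behaviour itself. The byte streams and thresholds are constructed.

```python
import re

# Constructed sample streams: (seconds since the connection opened, bytes received).
# The first chunk is the legitimate-looking partial header from the post, minus
# the final CRLF; the filler lines then trickle in every 10 seconds.
SLOW_CONN = [
    (0.0, b"GET / HTTP/1.1\r\nHost: host\r\nUser-Agent: Mozilla/4.0\r\n"
          b"Content-Length: 42\r\n"),
    (10.0, b"X-a: b\r\n"),
    (20.0, b"X-a: b\r\n"),
    (30.0, b"X-a: b\r\n"),
]
# A normal client sends the whole header, terminated by an empty line, at once.
NORMAL_CONN = [
    (0.0, b"GET / HTTP/1.1\r\nHost: host\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
]

REQUEST_LINE = re.compile(rb"^[A-Z]+ \S+ HTTP/1\.[01]\r\n")


def header_complete(buf: bytes) -> bool:
    """The request header is finished only once the empty line (CRLF CRLF) arrives."""
    return b"\r\n\r\n" in buf


def classify_connection(events, header_deadline=20.0, trickle_gap=5.0):
    """Classify one connection's byte stream; returns (verdict, detail).

    Timing-based on purpose: any header line after a pause of trickle_gap
    seconds counts as a trickled fragment, and a header still incomplete
    header_deadline seconds after the first byte is reported as slow-header.
    """
    buf = b""
    start = prev = events[0][0]
    trickled = 0
    for t, chunk in events:
        if t - prev >= trickle_gap:
            trickled += 1  # a pause followed by a tiny fragment
        prev = t
        buf += chunk
        if header_complete(buf):
            return ("ok", "header complete after %.1fs" % (t - start))
    if not REQUEST_LINE.match(buf):
        return ("malformed", "no valid request line")
    elapsed = prev - start
    if elapsed >= header_deadline:
        return ("slow-header", "incomplete header after %.1fs, %d trickled fragments" % (elapsed, trickled))
    return ("pending", "incomplete header, %.1fs elapsed" % elapsed)


def count_slow_headers(connections):
    """Number of connections a server should reap; a spike here is the tool's footprint."""
    return sum(1 for c in connections if classify_connection(c)[0] == "slow-header")
```

The same deadline logic is what a server-side mitigation enforces: close any connection whose header has not completed within the deadline, regardless of what the filler lines contain.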

Source:
http://isc.sans.org/diary.html?storyid=6601&rss

Tool:
http://ha.ckers.org/slowloris/

Wireshark 1.2 Released

June 17, 2009 – 7:43 AM

Wireshark is the world’s foremost network protocol analyzer, and is the de facto (and often de jure) standard across many industries and educational institutions.

Wireshark 1.2.0 has been released. This is the new stable release branch of Wireshark and many new and exciting features have been added since 1.0 was released.

In this release:

  • Wireshark has a spiffy new start page.
  • Display filters now autocomplete.
  • A 64-bit Windows (x64) installer is now provided.
  • Support for the c-ares resolver library has been added. It has many advantages over ADNS.
  • Many new protocol dissectors and capture file formats have been added.
  • Macintosh OS X support has been improved.
  • GeoIP database lookups.
  • OpenStreetMap + GeoIP integration.
  • Improved Postscript(R) print output.
  • The preference handling code is now much smarter about changes.
  • Support for Pcap-ng, the next-generation capture file format.
  • Support for process information correlation via IPFIX.
  • Column widths are now saved.
  • The last used configuration profile is now saved.
  • Protocol preferences are changeable from the packet details context menu.
  • Support for IP packet comparison.
  • Capinfos now shows the average packet rate.

Download:
http://www.wireshark.org/download.html

Anonymous and Secure TorFox Browser

June 16, 2009 – 9:59 AM

Torfox is a mash-up between Firefox and Tor. Ideally, we want to completely remove all direct communication between Firefox and the localhost. Instead, all address lookups are done through tor-resolve and all connections are made through the Tor SOCKS server. Right now the project only works on Windows and relies on some rather ugly hacks at the source-code level to achieve the current results, which are, even in that light, quite useful.


Homepage and download:
http://torfox.org/

Computer Security Myth: Defeating Keyloggers With Onscreen Keyboards

June 15, 2009 – 2:02 PM

I recently came upon a few articles that once again offered the computer security tip to use onscreen keyboards to defeat keyloggers. Most of these tips suggest installing an onscreen keyboard, or using the operating system’s default one, to defeat keyloggers while making transactions on the Internet or working with sensitive data.

The theory that keyloggers can be defeated with onscreen keyboards is unfortunately a computer security myth. It is true that some keyloggers, especially those that only record the keys the user enters on the physical keyboard, can be defeated with onscreen keyboards.

There are, however, advanced keyloggers that take a screenshot of the onscreen keyboard while it is visible on the screen and record the mouse movements on the system. It is then a matter of simply reconstructing the mouse movements to know exactly what the user typed.

There is only one way of defeating keyloggers with 100% certainty, and that is to not use computer systems for sensitive information. That’s not always practicable, but it is possible to reduce the chance that keyloggers are installed by running good antivirus programs.

Source:
http://www.ghacks.net/2009/06/15/computer-security-myth-defeating-keyloggers-with-onscreen-keyboards/