Wednesday, June 30, 2010

Validation of the Validators

The Microsoft .NET Framework has rich libraries for validation, aka .NET validators, which provide both client-side and server-side validation in a neat fashion. However, there are some serious security pitfalls. There are built-in validators for known problems (e.g. required parameters, regex, etc.). Also, the developer can create a custom validator, which gives more power over the validation process, yet more complication.

This is a good article talking about various aspects of .NET validation. Built-in validators perform client-side validation to enhance the user experience and server-side validation for security purposes. In custom validators, you have to write your own validation code for both the server side and the client side.

Although .NET validators are very useful for increasing the overall security posture of applications, the real problem is that developers take them for granted! Unfortunately, validators are not called all of the time. There are certain scenarios where the validation event is not raised.

For example, when calling Server.Transfer(), the destination page does not raise the validation event; hence, one can bypass validation altogether in the second page. Also, validation is triggered only when the control has the property "CausesValidation" set to true, which is not the default value for all controls. Another issue arises if you consider custom controls, which may be developed by "not very security aware" developers who forgot to set the validation flag.

Another fatal misconception concerns the timing of the validation event. The validation event is fired AFTER the Page_Load event, so any logic in Page_Load runs prior to any validation. To force validation, "IsValid()" has to be called on the concerned object before using it.

Bottom line: .NET validators are very useful, but developers should not take them for granted. Validation events have to be manually checked to be functioning in all pages and manually triggered when needed.

Update 0x01: In addition to not being called all the time, .NET validator filters are not perfect and can be evaded. Check this excellent paper on reverse engineering .NET filters.

Update 0x02: In a discussion on a reputable application security list, it was suggested to add traps in server-side validators to detect that client-side validation was bypassed, hence a probable hacking attempt.
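The two points above, forcing validation before Page_Load logic uses the input and trapping a server-side failure as a probable client-side bypass (Update 0x02), as an added example; this is not code from the original post. It assumes a Web Forms page with a TextBox "txtEmail" and a CustomValidator "cvEmail" wired to cvEmail_ServerValidate (hypothetical names).

```csharp
// Added example (hypothetical page and control names, not from the original post).
// (1) Page_Load runs BEFORE the framework's validation pass, which also fires only
//     for postback controls with CausesValidation = true, so validate explicitly.
// (2) A server-side validation failure means the client-side check was skipped or
//     bypassed; record it as a probable attack attempt (the Update 0x02 "trap").
using System;
using System.Text.RegularExpressions;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Profile : Page
{
    // Kept server-side as well: the client-side copy can be disabled or rewritten at will.
    private static readonly Regex EmailPattern =
        new Regex(@"^[^@\s]+@[^@\s]+\.[^@\s]+$", RegexOptions.Compiled);

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack) return;

        // Any code here that reads txtEmail would run on unvalidated input,
        // so run the page's validators now and check the result first.
        Page.Validate();
        if (!Page.IsValid)
        {
            return; // the validators render their own error messages
        }
        Session["Email"] = txtEmail.Text; // safe to use: validated on the server
    }

    protected void cvEmail_ServerValidate(object source, ServerValidateEventArgs args)
    {
        args.IsValid = EmailPattern.IsMatch(args.Value);
        if (!args.IsValid)
        {
            // The client-side validator should already have rejected this value;
            // reaching here means scripting was off or the request was crafted directly.
            Trace.Warn("Validation",
                "Server-side validation failed for txtEmail; client-side validation bypassed. Client: "
                + Request.UserHostAddress);
        }
    }
}
```

Trace.Warn only writes to the page trace; in production, route the same message to the application's security log so the bypass attempts can be correlated.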

Monday, April 12, 2010

Bookmarklet Exploitation

A lot of websites now provide a bookmarklet button which performs actions directly. For example, the share on Facebook bookmarklet, the Read It Later bookmarklet, and the share in Google Reader bookmarklet. This feature is very handy because you just visit any website, click on the bookmark and something gets posted to your account!

Technically speaking, what happens is:
Assume that there's a bookmarklet button B which, when clicked, saves the current page link on my account at mylistOfURLs.com
  1. User visits page x
  2. User presses B
  3. What B actually contains is JavaScript that runs as if it had been typed in the location bar.
  4. The JavaScript code under the B button sends the current location to mylistOfURLs.com to be saved there.

Am I the only paranoid person here? I see a major security threat. Isn't this just like a universal cross-site scripting vulnerability? What if I can manage to change the code of the bookmark button to post the cookie to my website before posting the location to mylistOfURLs.com! Even better, what if I can lure the victim into adding my button which, if clicked, sends all the info of the active page to me. It's terrifying!

Also, there are privacy issues here. If mylistofURLs.com is not a very trusted website, I might be afraid to click on their bookmarklet. What if they steal my cookie (conspiracy theory)? What if they steal my referer (for ad purposes)?

Anyway, my suggestion is: never click on a bookmarklet on a page that has your personal information or that you're logged in to.

Sunday, September 6, 2009

The Hacking Signal

"That's the signal that hacked our network." - Keller, Transformers (the movie).

In "Transformers" the movie, the Decepticons used a "signal" to hack the military network. Being a security professional, at first sight, given the current technologies that I know, I think that this is not something realistic at the time being. Hacking nowadays is done on different levels, including application, network, systems and even physical. Physical here denotes fooling people and physical locks. However, on second thought, this movie illustrates (probably unknowingly) the possibility of hacking computers on the "electronic layer", if I may call it that.

What I mean by hacking on the electronic layer is dealing with the computer at the level of signals, volts, filters, conductivity; all of the very low-level components that comprise the computer. This field is very recent (from the security point of view) and few people are researching it. But my vision is that, in the future, electronic hacking is going to be a hot topic.

What if we can hack into motherboards, processors and network interface cards? Anyone involved in computing knows that computer logic is based on zeros and ones. Currently we implement this logic using electricity. The mapping between computer logic and electronics is the main issue that concerns us now. There are mappings between voltage levels and logic values. Since voltage levels are continuous and logic levels are discrete, it's common to have voltage intervals (not values) that map to logic values. This leaves us with values on the border of the interval that are loosely defined. Usually when circuits operate at these thresholds, the output values are claimed to be "rubbish". If you ask a typical programmer what would happen if someone tries to dereference a dangling pointer, what would be the output? A typical answer would be "rubbish". But for us security professionals, a dangling pointer means a potential code execution vulnerability! The point that I'm trying to make here is that if security experts examine this "rubbish" output from operating at threshold electronic values and try to analyze, abuse and exploit it, this would definitely lead to something.

What about signal leakages? I remember a presentation back from Black Hat DC 2009 by "lcars" and "danbia" entitled "Sniffing Keystrokes With Lasers and Voltmeters". The presentation shed light on two brilliant techniques for keystroke sniffing. One of the ideas is based on the fact that PS/2 keyboards operate at frequencies in the order of kHz, which is very low compared to any other frequency the computer uses. Combined with unshielded cables, it's possible (and they proved it) to sniff the signal fluctuations on the power grid lines using a suitable filter from distances as far as 15 meters and infer the keystrokes from them.

Another idea was utilizing the sound vibrations of the keys during typing and sniffing them using a laser microphone. With appropriate filters and patterns, they proved that it is feasible to sniff and identify keystrokes.

Amazing! This is a very good start for electronic hacking. Yet, it is not a proactive approach. In the field of information security, hot topics usually rotate across layers. Remember back in the early times when Mitnick hacked by phone calls. Then came the era of network hacking when no firewalls were present. After that, worm storms exploiting system vulnerabilities. Currently we're living the application nightmare, where SQL injection, cross-site scripting, cross-site request forgery and session hijacking make the news. The Black Hat DC 2009 conference had some presentations that can be considered electronic hacking. I think that this trend is going to grow. Application vulnerabilities are not going to go away any time soon. But this, this is big. I think the electronic hacking era is going to overlap with the application vulnerabilities, resulting in a security nightmare!

Sunday, June 21, 2009

SANSFIRE pen testing fun

I'm writing these lines from Baltimore, MD, where the SANSFIRE conference has taken place. I was taking the SEC 542 Web App pen testing class with Kevin Johnson from InGuardians.com, the founder of the SAMURAI web application pen testing environment. It's a great class with a lot of experience being transferred from Kevin, who is an excellent, experienced security consultant. Learning the whole methodology and process of pen testing is really worth it. I've been doing pen testing for a while now, but this is like defining a process to follow. A guideline similar to the waterfall model used in software development, for example.
At the end of the class there is a capture-the-flag contest, where all the students compete in teams to hack a list of web servers and capture three flags. It was really fun popping those boxes. My team and I won 1st place, capturing all three flags in less than 3 hours. Also, one of the bugs exploited was one I found myself that Kevin himself was not aware of, and when we told him about it he was like "OMG! I'm gonna kill ya! DID I DO THAT?!".

It was an excellent overall experience, although I was looking forward to more technical information. The transfer of knowledge was excellent; the exercises were to the point and realistic. And the competition at the end really summed it all up, where we went through a full test with all its phases.

Friday, June 12, 2009

Chinese Cyber Botnet Army

I was shocked to hear that China is planning to deploy a software package, Green Dam Youth Escort, which is supposed to filter out pornographic and improper content. Certain parties were concerned about the freedom of the community to reveal their opinions on political issues. However, I'm more concerned about something else.

Imagine that the whole Chinese population has deployed this government software. We're talking about billions of computers here! What if the government decided to send requests from this software to a certain network? It's like building a "gigantic official botnet"!! I'm sure that they thought about that. That can be very handy in case of cyber warfare. It's actually like a secret cyber weapon that utilizes all the computers in China.

Anyway, whether this is going to be used in the way described or not, I think that's a good idea, but it should be implemented in a different way. In times of warfare, governments can call for volunteers, like cyber soldiers. These volunteers won't have to do anything except deploy software on their computers that connects securely to the government via the internet. And the government can then control this giant botnet and make it act in an organized, coherent fashion. It's the same idea as a laser; a laser is just light that is highly coherent. Also, having a choice to volunteer gives a good impression, letting people who are not convinced just not participate, as part of the democratic system, and at the same time allowing people who are convinced by the government's political actions to volunteer.

I'm just dropping off some ideas I had. They're not organized yet, so I highly appreciate your opinions.

Thursday, May 28, 2009

Stupidity Can't Be Patched

Evil-intentioned people can't get what they want most of the time if their victims are aware enough of the risk of what they are doing. Clicking a link is way more dangerous than it looks.

Being a security professional, always talking about security, vulnerabilities, malicious websites, all this stuff made my family kind of aware of some of the risks involved with cyberspace. A couple of days ago, my little ten-year-old brother came along and asked me "Did you leave me an offline message with a link?" I was really proud of him! He does nothing on the computer except playing games and chatting. However, he didn't open the link because it had nothing proving that it was from me. Actually I am the one who sent him this link about the newly announced "Thief 4" game because I thought he'd be interested in the pictures!

Usually when I send a link to someone I add a couple of words that identify me, like "hey jimmy, remember our talk last night about thief 4, i found this, check it". James is now confident (to an extent) to click the link because I called him Jimmy (which I usually call him) and I told him about something that we did last night (our talk about Thief 4). It depends on the link also, of course. If the link says gamespot.com/blablabla then it makes sense. But if it's atyk.123.msnet.com/index.php?james%20hotmail.com, that would definitely raise James' suspicion. But when I sent my brother the pic, I didn't think that he'd think like that. Seems that his security skills are better than I thought! Good for him.

Tuesday, May 12, 2009

Cybercrimes and Law

All that we have been talking about to prevent cybercrimes has nothing to do with the real criminals themselves! All this geeky technical stuff is good, but cyber crimes are really very easy to commit, and very tempting, because the punishment is not imminent. Usually, when cyber criminals are doing their attacks they have this feeling that they are safe, because they are sitting at home or at a cyber café, physically far away from the "crime scene". Why are cybercrime numbers raging while physical crimes are coming to a settlement? This question cannot be answered directly. However, one can argue that cyber criminals usually do not have a visualization of what can happen to them if they were caught, and usually they think that they will not get caught at all! We have to have stricter laws that define cyber crimes and their penalties. Some countries have some laws, others have few laws and others do not have laws concerning cybercrime at all! Even countries that have laws do not spend much effort on tracking and hunting down criminals. Also, trials of cyber crimes have to be more publicized. People have to know that playing around in cyberspace is not a game anymore and there are strict laws that are well applied.

The United States is taking good steps in that direction. We have John Schiefer, a botmaster, sentenced to four years in prison and fined $20,000, and earlier in 2007. Also, Microsoft announced in February 2009 that it is offering a reward of $250,000 to anyone who can provide information that can help arrest the creator of the Conficker worm (i.e. the botmaster of the Conficker botnet). "Microsoft's reward offer stems from the company's recognition that the Conficker worm is a criminal attack," a Microsoft statement said. This is actually a good start. However, this is not enough. The cyber world is so small that countries cannot be separated in cyberspace. In order to teach the cyber criminals a lesson, we need this spirit to propagate to the Far East, Middle East and Russia as well, and to get well established through national and international laws.