Friday, April 27, 2012

Bypassing .htaccess by using GETS

Hi folks, during these days I am traveling a lot for work, and unfortunately I don't have much time to write posts. However, today I want to share a really nice post about a classic problem affecting HTTP Basic Authentication in PHP applications. The post (written by armoredcode) is about a two-year-old bug described by OWASP in 2010 (here), by cd34 (here) and by Eguaj (here, which, by the way, is explained in a lot of detail). I like this post so much because it is not about the vulnerability itself (which is very well known, even if still widespread over websites) but about the whole hacking process, from scratch. Paolo Perego wrote a very detailed process with very deep considerations that drive the reader to a full understanding of what the problem is. Following are the images of the fundamental steps, taken from armoredcode. First, an HTTP request with an empty body.

And then the request for the backend page.


Again, a great place to start looking into the hacking reality and a good example of a simple vulnerability exploitation process.

Here are the main steps followed:

  1. Fingerprint the operating system, the web server and the programming language version using Netcraft. He discovered a "/backend" directory by looking into a JavaScript file he found in a browsable "/static" directory.
  2. Paolo crafted custom HTTP requests in order to bypass the HTTP Basic Authentication that was in place to keep curious people out of the backend; in his words, "I was able to make updates into the database…"
Please refer to the original website to learn more about the "lessons learned".

Saturday, April 21, 2012

EXE null EntryPoint execution

Hi folks, today while I was surfing my personal feeds I hit this interesting picture (the original from Twitter is here). I am not going into the details since the picture is quite self-explanatory (plus I am traveling and don't have much time, unfortunately).


The first binary is a DLL with a null EntryPoint, so basically it has no entry code to run when loaded. The second binary is a PE executable with a null EntryPoint too. The third and last executable is a "good" PE executable, in the sense that it has a valid EntryPoint. In the black shell the author shows the execution of the two PE files. Both of them run (both of them end in the execution of the null-EntryPoint DLL). The PE with null EntryPoint actually got its (null) EntryPoint executed. Quite interesting, isn't it?
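To see what the loader has to work with in the three cases above, here is an added example (mine, not material from the tweet): a small parser that pulls AddressOfEntryPoint, ImageBase and the DLL flag out of a PE header and states where execution would start. On an EXE a zero RVA resolves to ImageBase itself, i.e. the bytes of the DOS header; on a DLL a zero entry point means the loader simply calls no DllMain. The header-only images it builds are constructed for the demonstration, not real samples.

```python
import struct

IMAGE_FILE_DLL = 0x2000                    # Characteristics bit: image is a DLL
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B  # optional header magic values


def pe_entry_info(image: bytes) -> dict:
    """Read the header fields that decide what the loader does with a null EntryPoint."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (machine, _nsect, _stamp, _symtab, _nsyms,
     opt_size, characteristics) = struct.unpack_from("<HHIIIHH", image, coff)
    if opt_size < 32:
        raise ValueError("optional header too short")
    opt = coff + 20
    magic = struct.unpack_from("<H", image, opt)[0]
    # AddressOfEntryPoint sits at offset 16 of the optional header in both formats
    entry_rva = struct.unpack_from("<I", image, opt + 16)[0]
    if magic == PE32_MAGIC:
        image_base = struct.unpack_from("<I", image, opt + 28)[0]
    elif magic == PE32PLUS_MAGIC:
        image_base = struct.unpack_from("<Q", image, opt + 24)[0]   # no BaseOfData in PE32+
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    is_dll = bool(characteristics & IMAGE_FILE_DLL)
    if is_dll and entry_rva == 0:
        start = None                      # loader calls no DllMain at all
    else:
        start = image_base + entry_rva    # a null RVA on an EXE means ImageBase itself
    return {"machine": machine, "is_dll": is_dll, "entry_point_rva": entry_rva,
            "image_base": image_base, "start_address": start}


def describe(info: dict) -> str:
    """One-line verdict matching the three binaries in the picture."""
    if info["entry_point_rva"] == 0 and info["is_dll"]:
        return "DLL with null EntryPoint: it loads, but the loader calls no DllMain"
    if info["entry_point_rva"] == 0:
        return (f"EXE with null EntryPoint: execution starts at ImageBase "
                f"{info['image_base']:#x}, i.e. on the DOS header bytes")
    return f"EntryPoint RVA {info['entry_point_rva']:#x} -> {info['start_address']:#x}"


def build_minimal_pe(entry_rva: int, is_dll: bool, pe32plus: bool = False,
                     image_base: int = 0x400000) -> bytes:
    """Constructed header-only image (no sections) to exercise the parser; not a real sample."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)             # e_lfanew: PE header follows the DOS header
    chars = 0x0002 | (IMAGE_FILE_DLL if is_dll else 0)   # EXECUTABLE_IMAGE (+ DLL)
    machine = 0x8664 if pe32plus else 0x14C
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, chars)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)
    if pe32plus:
        struct.pack_into("<Q", opt, 24, image_base)
    else:
        struct.pack_into("<I", opt, 28, image_base)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(describe(pe_entry_info(f.read())))
    else:
        for sample in (build_minimal_pe(0, True), build_minimal_pe(0, False),
                       build_minimal_pe(0x1000, False)):
            print(describe(pe_entry_info(sample)))
```

Run it with a path to any PE to get the verdict for that file; with no argument it walks the three constructed cases from the picture (null-EP DLL, null-EP EXE, EXE with a real entry point).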



Tuesday, April 17, 2012

The Biggest App Sec Mistakes Companies Make

Hi folks, today I would like to share some thoughts about the "mistakes that companies often make with computer security". My thoughts on that topic have been published on the Veracode website. Directly from Veracode:

Veracode Marketing recently polled a list of InfoSec luminaries, asking them “What is the biggest mistake companies make with Application Security and how can they fix it?” We’re pleased to present the responses from a wide array of security experts including Bill Brenner of CSO Magazine, Andrew Hay of the 451 Group, Jack Daniel of Tenable Network Security and Veracode’s own, Chris Wysopal. While all our experts have their unique perspectives, some common themes arose including the basic idea of taking application security more seriously and committing to a programmatic approach vs. ad hoc manual testing. We want to thank all our respondents for participating and we welcome your thoughts too – use our comment area and tell us, “What do you think is the biggest appsec mistake companies are making today?”

Is your company actually making these mistakes too? If you are interested in sharing opinions about that, or you want to share your thoughts, don't hesitate to contact me.


Sunday, April 15, 2012

x86 detailed information

Hi folks, today I share a nice x86 resource called sandpile. It wraps up all the most important things to know about x86 processors, a very nice place to find all the information you need. Before it, I used to search many different resources, losing time and energy in context switching and in figuring out the different search functionalities of the various resources.

The website offers 4 main groups of categories: regs, where you find all the register-related information; codes, everything you would like to know about code; data and misc, where you will find everything else you need about the x86 architecture. Let's take a look at the interrupt table:

Each piece of information is stored in a clear and intuitive table. I totally suggest keeping a bookmark to it. Good job!!


Wednesday, April 11, 2012

A Design Methodology for Computer Security Testing

Yes, finally the first edition of my new book is available online. The book collects 3 years of research in the penetration testing field. It does not describe underground or fancy techniques to attack systems; it is mostly focused on the state of the art in penetration testing methodologies. In other words, if you need to test a system, how do you do it? What is the first step? What tools can be used? Or again, what is the path to follow in order to find flaws? The book shows many real-world examples of how the described methodology has been used, for example: penetration testing on electronic voting machines, how malware used the described methodology to bypass common security mechanisms, and attacks on reputation systems.

Contributions :

  1. Penetration Testing Methodologies Overview. 
  2. Penetration Testing Evaluation Properties.
  3. Proposed Penetration Testing Methodology.
  4. Enhanced Penetration Testing Methodology for E-Voting Systems. 
  5. Practical scenarios: Applying Penetration Testing Methodologies.
  6. Proposed Coordination-Based Approach to Electronic Voting Systems.
  7. Examples of Methodology in Real Cases.
Index (click on it to make it big):

If you want some information or if you have some suggestions about it, please drop me an email; I'll be happy to answer your questions.

Monday, April 2, 2012


My folks used to work with Java code; for many different reasons we often prefer Java over other languages, and knowing Java vulnerabilities, for sure, helps developers in doing their job. Blackhole is like most other malware: it spreads through iframes and executes a downloaded payload. The ESET Threat Blog, in this post, explains its execution in a colloquial but pretty complete way, a good read. But what is interesting about this malware (at least for me) is the brand new vulnerability it uses: CVE-2012-0507. CVE-2012-0507 describes an interesting vulnerability in the Java AtomicReferenceArray class implementation, which wasn't properly checking whether the array was of the appropriate Object[] type. A malicious Java applet could use this flaw to bypass Java sandbox restrictions in order to execute malicious code outside of the sandbox.
The Blackhole infection starts with a classic iframe like the following one:

The infection goes on following these steps (image taken from here):

David Harley did a great job decompiling the Java code and describing its workflow. Basically the Java executable is built around 3 main functions:
  1. Init(). The malicious Java applet builds the AtomicReferenceArray object (the vulnerable one) for the execution of malicious Java code outside the sandbox.
  2. Work(). This method builds the code of a class which executes outside the sandbox.
  3. DownloadAndExec(). This function downloads a malicious executable file to %TEMP%dsh89gyu.exe and executes it, which happens to be Win32/TrojanDownloader.Carberp.AH. In order to bypass detection by security software, the attackers changed the encryption algorithm and string obfuscation for the payload class executed outside the sandbox.
Java malware is becoming more and more widespread over the net day by day, on one hand because Java bugs are pretty common nowadays and on the other hand because Java is "platform independent", meaning that the attacker needs to write only one exploit overall and not one for each attacked platform. I am very fascinated by Java exploitation, and I totally think that CVE-2012-0507 is a remarkable example to show while explaining Java vulnerabilities, and Blackhole a great example of Java malware.
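The screenshot of the injected iframe is not reproduced here, so as an added example (mine, not from ESET or from the Blackhole code) here is a small scanner for the kind of iframe an infected page carries to pull in the exploit kit without the visitor noticing: tiny dimensions, display:none or visibility:hidden, or a frame pushed off-screen with negative offsets. The HTML it runs on is constructed and the hostnames are placeholders.

```python
import re
from html.parser import HTMLParser


class IframeCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag in a page."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})

    handle_startendtag = handle_starttag   # also catch the <iframe ... /> form


_LEADING_INT = re.compile(r"-?\d+")


def _leading_int(value: str):
    """'1', '0px', '640' -> int; anything without a leading number -> None."""
    m = _LEADING_INT.match(value.strip()) if value else None
    return int(m.group()) if m else None


def hidden_reasons(attrs: dict) -> list:
    """Why this iframe would be invisible to the visitor: tiny, hidden, or off-screen."""
    reasons = []
    for dim in ("width", "height"):                 # width="1" height="1" style injection
        n = _leading_int(attrs.get(dim, ""))
        if n is not None and n <= 1:
            reasons.append(f"{dim}={n}")
    style = attrs.get("style", "").lower().replace(" ", "")
    for marker in ("display:none", "visibility:hidden"):
        if marker in style:
            reasons.append(marker)
    for prop, val in re.findall(r"(left|top):(-\d+)px", style):
        reasons.append(f"{prop}:{val}px")           # positioned outside the viewport
    for prop, val in re.findall(r"(width|height):(\d+)px", style):
        if int(val) <= 1:
            reasons.append(f"{prop}:{val}px")
    return reasons


def find_suspicious_iframes(html: str) -> list:
    """Return (src, reasons) for every iframe hidden from the visitor."""
    parser = IframeCollector()
    parser.feed(html)
    parser.close()
    found = []
    for attrs in parser.iframes:
        reasons = hidden_reasons(attrs)
        if reasons:
            found.append((attrs.get("src", ""), reasons))
    return found


# Constructed page: one legitimate frame and two of the injected, invisible kind.
SAMPLE_HTML = """<html><body>
<p>Welcome to the site.</p>
<iframe src="http://video.example.invalid/player" width="640" height="360"></iframe>
<iframe src="http://bad.example.invalid/in.php" width="1" height="1" style="visibility: hidden"></iframe>
<iframe src="http://bad.example.invalid/x.php" style="position:absolute; left:-9999px; top:-9999px; width:0px; height:0px"></iframe>
</body></html>"""


if __name__ == "__main__":
    import sys
    html = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_HTML
    for src, reasons in find_suspicious_iframes(html):
        print(f"{src}: {', '.join(reasons)}")
```

Point it at a saved copy of a suspect landing page and it lists every frame with the reasons it was flagged; it is a triage aid for the delivery stage only, the exploit itself lives in the applet the frame loads.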