Sunday, December 31, 2017
Reading List - 2017
Books
- The CERT Oracle Secure Coding Standard for Java by Fred Long, Dhruv Mohindra, Robert C. Seacord, Dean F. Sutherland, and David Svoboda
- A Bug Hunter’s Diary by Tobias Klein
- Android Security Cookbook by Keith Makan and Scott Alexander-Bown
- Android Malware and Analysis by Ken Dunham, Shane Hartman, Jose Andre Morales, Manu Quintans, and Tim Strazzere
- Android Security: Attacks and Defenses by Abhishek Dubey and Anmol Misra
- The Age of the Vikings by Anders Winroth
- The Manual by The KLF
- Count Zero by William Gibson
- Mona Lisa Overdrive by William Gibson
- Meditations by Marcus Aurelius
- The Morning of the Magicians by Louis Pauwels and Jacques Bergier
Sunday, July 23, 2017
True Tales of XSS: Function Hoisting
A simplified version of the code:
<script>
func().val('<?php echo htmlspecialchars($input, ENT_COMPAT, 'UTF-8'); ?>');
</script>
Overview: user-supplied $input is echoed into a JavaScript string literal after having HTML special characters encoded. Note the ENT_COMPAT flag: it encodes double quotes but leaves single quotes alone, so we can close the literal, but < and > are encoded, so we can't inject additional script tags. On top of that, the func() JavaScript function is undefined, so the call throws a ReferenceError and halts execution before anything we append to the statement can run. An XSS vector isn't immediately apparent.
But it's there.
To gain execution, we'll need to make sure func() is defined by the time it's called. We'll use a JavaScript feature called function hoisting. Function declarations are processed when the enclosing script is parsed, before any of its statements run, so a function can be called above the line that declares it: the declaration is effectively "hoisted" to the top of its scope. Two caveats: only declarations of the form function name() {...} are hoisted together with their bodies (a function expression or arrow function assigned to a variable isn't), and the declaration has to land in the same <script> block as the call, which is exactly where our injection goes.
We'll use the following payload:
'); function func() {payload}; //
In this payload, we'll finish the val() call, supplying an empty string. Next, we'll provide a declaration of func() for the interpreter to hoist. We can insert our payload into func()'s body and let the original call execute it. Lastly, we'll comment out the trailing "');" that's been left over from the original code. The resulting line, as the browser sees it:
func().val(''); function func() {payload}; //');
Now func() is declared before the first statement runs, the original call executes it, and our injected payload runs with it. You can read a bit more about hoisting here and here.
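The round trip above, as an added example that is not code from the original post, simulated in Node.js: htmlspecialchars() is reimplemented for the two flag values, render() builds the script body the PHP template would emit, and execute() runs that body with function declarations hoisted the way a <script> block hoists them, with sink() standing in for whatever the payload does. It goes a little beyond the post's case by also running the same payload under ENT_QUOTES and a payload that uses a function expression instead of a declaration. All of those names and the sample inputs are this example's own.

```javascript
// Added example: simulates the vulnerable template from the post in Node.js
// (no browser needed). htmlspecialchars, render, execute and sink are this
// example's own names; sink() stands in for whatever the payload would do.

// PHP htmlspecialchars() as called in the post. ENT_COMPAT encodes & < > and
// the double quote; ENT_QUOTES additionally encodes the single quote as &#039;.
function htmlspecialchars(s, quotes = "ENT_COMPAT") {
  let out = s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
             .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
  if (quotes === "ENT_QUOTES") out = out.replace(/'/g, "&#039;");
  return out;
}

// Server side: the body of the <script> block from the post, with $input
// dropped into a single-quoted JavaScript string literal. func() is never
// defined anywhere else on the page.
function render(input, quotes = "ENT_COMPAT") {
  return "func().val('" + htmlspecialchars(input, quotes) + "');";
}

// Client side: run the script body the way the browser would. Function
// declarations inside the body are hoisted to the top of the body's scope,
// just as they are for a <script> block. Returns what the payload did and
// which exception (if any) ended execution.
function execute(scriptBody) {
  const calls = [];
  const sink = (v) => calls.push(v);
  let error = null;
  try {
    new Function("sink", scriptBody)(sink);
  } catch (e) {
    error = e.constructor.name;
  }
  return { calls, error };
}

// The payload from the post, with sink('payload ran') standing in for
// {payload}. Single quotes only: ENT_COMPAT would encode double quotes.
const PAYLOAD = "'); function func() {sink('payload ran')}; //";

// Case 1: benign input (constructed). func is not declared, so the call
// throws a ReferenceError before anything else happens.
function benignCase() {
  return execute(render("hello"));
}

// Case 2: the hoisting payload under ENT_COMPAT. The ' survives encoding, the
// declaration of func is hoisted, and the original call runs our body. func
// then returns undefined, so .val('') throws a TypeError, but only after the
// payload has already run.
function hoistingCase() {
  return execute(render(PAYLOAD));
}

// Case 3: the same payload under ENT_QUOTES. The ' becomes &#039; and never
// closes the string literal, so func stays undeclared and nothing of ours runs.
// (Entity encoding is still the wrong tool for a JS string; see the note.)
function entQuotesCase() {
  return execute(render(PAYLOAD, "ENT_QUOTES"));
}

// Case 4: hoisting applies to declarations only. A function expression
// assigned with var is hoisted as undefined, so calling it first is a TypeError
// and the body never runs.
function expressionCase() {
  const body = "func().val(''); var func = function () {sink('never')};";
  return execute(body);
}
```

Run it with node and compare the four case functions. Swapping ENT_COMPAT for ENT_QUOTES stops this particular payload but is still the wrong fix for a JavaScript context: entities aren't decoded inside a script element, so the value would reach the page as a literal &#039;. The sound approach is to serialize the value for JavaScript, for example PHP's json_encode() with JSON_HEX_TAG, JSON_HEX_APOS, JSON_HEX_QUOT and JSON_HEX_AMP, or to place it in a data- attribute and read it from the DOM.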
Stay beautiful, XSS Rangers.
Friday, April 21, 2017
Reading List - 2016
Books
- Metasploit: The Penetration Tester's Guide by David Kennedy, Jim O'Gorman, Devon Kearns, and Mati Aharoni
- Web Application Hacker's Handbook by Dafydd Stuttard and Marcus Pinto
- Neuromancer by William Gibson
- Prost!: The Story of German Beer by Horst D. Dornbusch
- The Complete Guide to Making Mead by Steve Piatz
- Passport to Magonia: From Folklore to Flying Saucers by Jacques Vallee
- Quantum Psychology: How Brain Software Programs You by Robert Anton Wilson
- Waking Up to the Dark: Ancient Wisdom for a Sleepless Age by Clark Strand
- The Magical Revival by Kenneth Grant
- Little Essays Toward Truth by Aleister Crowley
Web Application Hacker's Handbook deserves a special mention, as I'd used it as a reference but never gave it the attention it deserves. Although it's a bit older, it's still a solid introduction to web application testing, and does a good job of balancing breadth and depth. Especially recommended for developers looking to learn more about webapp security and methodologies.
Saturday, March 25, 2017
True Tales of XSS: jQuery's text() Function
A simplified version of the code:
<div id="foo">
<?php echo htmlspecialchars($input, ENT_QUOTES, 'UTF-8'); ?>
</div>
<script>
var bar = $('#foo').text();
$('#foo').html('<b>' + bar + '</b>');
</script>
Overview: user-supplied $input is echoed into the page after having HTML special characters encoded. Next, it's read by jQuery's text(), some decorative tags are added, and it's written back with html(). Although there's usually little reason to do this in jQuery, it doesn't appear to be vulnerable to XSS.
And yet, it is.
1. We feed a standard XSS test to $input:
<script>alert(1);</script>
2. The $input is encoded with htmlspecialchars(), effectively preventing our XSS from functioning:
&lt;script&gt;alert(1);&lt;/script&gt;
3. Our encoded $input is read by jQuery's text() method, which should return only the text contents of HTML elements, without tags. So, at this point, we could assume our $input would still be:
&lt;script&gt;alert(1);&lt;/script&gt;
Or, if it also removes encoded tags, possibly:
alert(1);
However, text() returns the text node's content as the browser parsed it, and the HTML parser has already decoded the entities by then. So text() happily hands back valid HTML, restoring our $input to its original state:
<script>alert(1);</script>
4. Decorative formatting tags are added to the $input:
<b><script>alert(1);</script></b>
5. The $input is written back to the page with html(), which, unlike a bare innerHTML assignment, evaluates <script> elements in the string it's given, so our test payload launches. A payload that doesn't rely on a script element, such as an <img> with an onerror handler, would fire with either insertion method.
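The five steps above, as an added example that is not code from the original post, modeled in Node.js without a browser or jQuery: htmlspecialchars() reproduces the PHP encoding, textContentOf() models what the HTML parser leaves in the text node (and therefore what text() returns), and vulnerableRewrite()/hardenedRewrite() build the string that html() receives before and after the fix. The function names, the regex in containsActiveMarkup() and the second test input (an onerror handler, which the post doesn't use) are this example's own.

```javascript
// Added example: models the round trip from the post in Node.js (no browser,
// no jQuery). Function names are this example's own; the entity table covers
// only what htmlspecialchars() emits, which is all this page needs.

// Server side: PHP htmlspecialchars($input, ENT_QUOTES, 'UTF-8').
function htmlspecialchars(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;")
          .replace(/"/g, "&quot;").replace(/'/g, "&#039;");
}

// Browser side, step one: when the page is parsed, the text node inside
// <div id="foo"> holds the decoded characters. That is why $('#foo').text()
// returns the original markup: text() does no decoding of its own, it reads
// textContent, which the HTML parser already decoded.
function textContentOf(encodedHtml) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"', apos: "'" };
  return encodedHtml.replace(/&(#x[0-9a-f]+|#\d+|[a-z]+);/gi, (m, ref) => {
    if (ref[0] === "#") {
      const hex = ref[1].toLowerCase() === "x";
      return String.fromCodePoint(hex ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10));
    }
    return named[ref.toLowerCase()] ?? m;   // unknown entity: left as-is
  });
}

// Browser side, step two, as written in the post:
//   var bar = $('#foo').text();
//   $('#foo').html('<b>' + bar + '</b>');
// Returns the markup string that html() hands to the parser.
function vulnerableRewrite(input) {
  const bar = textContentOf(htmlspecialchars(input));
  return "<b>" + bar + "</b>";
}

// Hardened variant: whatever came out of text() is data, so encode it again
// before it goes back through html(). (In a browser, creating the <b> element
// and filling it with text() instead of html() achieves the same thing.)
function hardenedRewrite(input) {
  const bar = textContentOf(htmlspecialchars(input));
  return "<b>" + htmlspecialchars(bar) + "</b>";
}

// Does the markup that reaches html() carry something that would run script?
// Two shapes matter here: jQuery's html() evaluates <script> elements found in
// the string (plain innerHTML would not), and an event-handler attribute such
// as onerror= fires with either insertion method.
function containsActiveMarkup(markup) {
  return /<script\b/i.test(markup) || /<[a-z]+[^>]*\son[a-z]+\s*=/i.test(markup);
}

// Constructed test inputs: the post's payload plus a handler-based one.
const PAYLOADS = ["<script>alert(1);</script>", "<img src=x onerror=alert(1)>"];

// For each payload: does the vulnerable rewrite let it through, and does the
// hardened one stop it?
function results() {
  return PAYLOADS.map((p) => ({
    input: p,
    vulnerable: containsActiveMarkup(vulnerableRewrite(p)),
    hardened: containsActiveMarkup(hardenedRewrite(p)),
  }));
}
```

The general lesson the model makes visible: the first encoding protected exactly one sink, the initial HTML render, and was spent once the parser consumed it. Every later sink that interprets markup (html(), append(), innerHTML, jQuery(string)) needs its own encoding at the point of use, or a non-interpreting sink such as text() or textContent instead.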
So, keep an eye out for the next time you see text() handling user input, XSS Rangers.
Sunday, January 29, 2017
Flora and Neopixel Ring Quickstart Guide
To celebrate Micro Center carrying Adafruit products, I picked up a Flora V3 and a NeoPixel Ring. Here's a quick guide for making the Flora light that Ring up.
Note: you'll need a micro-B USB cable and some wires. Most of this guide should also work for the NeoPixel strips but your wiring will differ a bit.
Get the Arduino IDE
If you don't already have it, get the Arduino IDE. Download the most recent version of the IDE from the Arduino website and follow the installation instructions (links: Linux, Windows, Mac).
Add Flora Support
Follow the steps to add the Adafruit Board Support package, which will let us use the Flora. Then follow Adafruit's OS-specific instructions (links: Linux, Windows, Mac).
I used IDE version 1.8.1 on Ubuntu 16.04 LTS. As mentioned in the Linux instructions linked above, I also had to add udev rules to make everything jive.
Add NeoPixel Support
Next, you'll need to add the Adafruit NeoPixel library. This will let us use the Flora's on-board NeoPixel as well as the Ring. The easiest way is via the IDE's Library Manager.
You can do this by navigating to "Sketch," then "Include Library," then "Manage Libraries." Search for "neopixel" and install the "Adafruit NeoPixel" library.
Verify Your Setup Works
Verify your Flora + NeoPixel setup by blinking the Flora's onboard NeoPixel.
Save the linked demo code in your current sketch. Under the "Tools" menu, ensure "Board" is set to "Adafruit Flora" and the correct "Port" is selected (mine was /dev/ttyACM0).
Under the "Sketch" menu, select "Verify/Compile," which should complete without errors. Then select "Upload" to push the code to your Flora.
Once it finishes, your Flora should put on a small light show.
Wire Up Your Ring
Now we're ready to wire the Ring to the Flora. I'm lazy, so I used alligator clips. If you're going to go this route, you'll probably want to solder small leads onto the Ring, as it can be a bit difficult to get a solid connection with the clips.
You'll want to connect the Flora's "3.3V" to the Ring's "PWR," the Flora's "GND" to the Ring's "GND," and the Flora's "#9" to the Ring's "IN."
Light Up The Ring
Now we can modify the demo code to use the Ring. We'll need to tell it that we have more LEDs and we're now using the #9 pin. Change the PIN constant from 8 to 9. Change the first parameter of "Adafruit_NeoPixel" from 1 to 12 (or however many LEDs your Ring contains). That's it.
#include <Adafruit_NeoPixel.h>
#define PIN 9  // the Flora pad wired to the Ring's "IN"
Adafruit_NeoPixel strip = Adafruit_NeoPixel(12, PIN, NEO_GRB + NEO_KHZ800);  // 12 = number of LEDs on the Ring
As before, "Verify/Compile" then "Upload." The light show should be a bit better now.
That Was Too Easy
Check out the NeoPixel library reference.
Here's some neat projects that use these things. Check out their code to get more ideas: