Mar 06 2023

Browser Security report reveals major online security threats

Category: Information Security, Web Security | DISC @ 12:27 pm

LayerX has published its annual browser security report in which the company highlights the most prominent browser security risks of 2022. The report includes predictions and recommendations for 2023 as well.

The report focuses on Enterprise environments, but several of its key takeaways apply to small business and home environments as well. The browser security threats of 2022 make up the largest part of the document, but it also includes predictions, recommendations and a month-by-month overview of major security events in 2022.

The nine major threats that LayerX identified in 2022 were the following ones:

  • Phishing attacks via high reputation domains.
  • Malware distribution via file sharing systems.
  • Data leakage through personal browser profiles.
  • Outdated browsers.
  • Vulnerable passwords.
  • Unmanaged devices.
  • High-risk extensions.
  • Shadow SaaS.
  • MFA bypass with AiTM attacks.

Some of these are quite clear, others may require explanation. For phishing attacks, the researchers discovered that threat actors are hosting phishing URLs on legitimate SaaS platforms at an alarming rate. The rate of phishing attacks that use these legitimate platforms has increased by 1100% when compared to 2021, according to a Palo Alto Networks study.

LayerX conducted tests on how well browsers and network security tools protected against 1-day phishing sites. According to the test, the best performing browser had a catch rate of just 36%. Network security software blocked 48% of threats.

Similarly, malware is distributed via sanctioned services such as Google Drive and Microsoft OneDrive, to overcome blocks that may be in place for lesser known services and sites.

An analysis of data leakage in browsers concluded that 29% of users connected work browsers to personal profiles, and that 5.8% of identities were exposed in data breaches.

Outdated browsers are another threat to security, according to LayerX’s report. An analysis of 500 Chrome browsers revealed that a substantial number were either critically outdated or vulnerable to 1-day attacks.

Weak passwords and the reuse of passwords continue to be major issues. According to LayerX’s report, 29% of users use weak or medium strength passwords, and 11% of users reuse passwords regularly. The company also noticed that 29% of browser profiles were personal profiles with sync enabled.

Web browser extensions are another attack vector, as they “can grant excessive permissions once installed”. A recent Incogni study found that almost half of the analysed browser extensions posed either a high security or a high privacy risk.

The report includes an overview of browser security highlights of the year 2022. It is an interesting account that lists major security events in 2022. Some of these involved attacks, like the January 2022 video player attack that stole credit card information from over a hundred sites. Others highlight security advances, like the passwordless logins announcement by major tech companies in May, or the end of Internet Explorer in June.

The report ends with four predictions and recommendations. Predictions include that browsers will become “the main attack surface”, that attacks will “be increasingly SaaS-based and less file-based”, and that malicious web pages “will become more sophisticated”.

Closing Words

The report offers insights on the browser threat landscape of 2022, and how threats will evolve in 2023 and beyond. While most of it is aimed at Enterprise and large business environments, it may still be of interest to home users and small businesses alike.

The recommendations focus on SaaS and Enterprise-grade protections, but all users may use the listed threats to improve security. For example, outdated browsers may be updated more frequently, and weak or reused passwords may be replaced with unique strong passwords.

The report is available for download here, but a short form needs to be filled out before the download link is made available.

Source:

https://www.ghacks.net/2023/03/05/browser-security-report-reveals-major-online-security-threats/

Previous posts on Web Security

InfoSec Threats | InfoSec books | InfoSec tools | InfoSec services

Web App Security

Tags: browser security


Feb 16 2023

How to Find Web Server Vulnerabilities With Nikto Scanner

Category: Security Tools, Web Security | DISC @ 10:55 am

Find Web Server Vulnerabilities with Nikto Scanner.

Nikto is an open source web server vulnerability scanner written in Perl. It scans a web server for known vulnerabilities and misconfigurations.

Nikto checks for over 6700 potentially dangerous files and programs and detects misconfigurations, outdated software and similar issues. Some of its features:

  • You can save report in HTML, XML, CSV
  • It supports SSL and Full HTTP Proxy
  • Scan multiple ports on the server
  • Subdomain guessing
  • Apache user enumeration
  • Checks for outdated components
  • Detect parking sites
  • Server and software misconfigurations
  • Default files and programs
  • Insecure files and programs
  • Outdated servers and programs

Let’s get started with installing and using the tool.

Nikto can be installed on Kali Linux or on any other OS that supports Perl (Windows, macOS, Red Hat, Debian, Ubuntu, BackTrack, CentOS, etc.).


In this article, I will explain how to use Nikto on Kali Linux .

First, install Nikto either from its GitHub repository or with the apt package manager from a terminal.

The help output (nikto -Help) lists the options and parameters that let us use the tool efficiently.

Start with the basic syntax, nikto -h followed by the host name or IP address, to scan a website.

Nikto can also scan over SSL/TLS on port 443, the port HTTPS sites use (HTTP uses port 80 by default). So we are not limited to plain-HTTP sites; we can assess sites that use HTTPS, which is now the norm and which search engines favor in their rankings.

If we know the target is an HTTPS site, we can tell Nikto so by adding -ssl to the command; this skips the protocol probing and saves some scan time.

Nikto thus gives a quick baseline of a web server’s known weaknesses. Bear in mind that it is noisy (every check is a real request, so a scan is easily spotted in server logs) and that its findings are signature-based and should be verified by hand, since false positives are common.
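As an added example (not part of the original post and not code from the Nikto project), the following Python wrapper assembles the Nikto command line with the options discussed above and parses the CSV report that Nikto writes with -o and -Format csv. The column order (host, ip, port, id, method, uri, message) is assumed from the 2.1.x CSV reporter, and the sample report embedded below is constructed, not real scan output.

```python
"""Wrapper around the Nikto CLI plus a parser for its CSV report.

Added example; assumes nikto is on PATH and that the CSV reporter emits the
2.1.x column layout host, ip, port, id, method, uri, message (an assumption).
"""
import csv
import io
import shutil
import subprocess
from collections import Counter

CSV_COLUMNS = ["host", "ip", "port", "id", "method", "uri", "message"]
# Message fragments that usually mean "look at this first" (this example's choice).
TRIAGE_KEYWORDS = ("outdated", "directory indexing", "backup", "admin", "default", "debug")


def build_nikto_command(target, port=443, use_ssl=True, report_path="nikto.csv", tuning=None):
    """Assemble the nikto argv for one target.

    -h sets the host, -p the port, -ssl forces TLS without probing, -o and
    -Format write the report, -Tuning restricts the test categories."""
    cmd = ["nikto", "-h", target, "-p", str(port), "-o", report_path, "-Format", "csv"]
    if use_ssl:
        cmd.append("-ssl")
    if tuning:
        cmd += ["-Tuning", tuning]
    return cmd


def parse_nikto_csv(text):
    """Turn the CSV report into a list of dicts; skips blank or short lines."""
    findings = []
    for rec in csv.reader(io.StringIO(text)):
        if len(rec) < len(CSV_COLUMNS):
            continue
        row = dict(zip(CSV_COLUMNS, rec))
        row["port"] = int(row["port"])
        findings.append(row)
    return findings


def summarize(findings):
    """Count findings per URI and pull out the ones worth triaging first."""
    per_uri = Counter(f["uri"] for f in findings)
    priority = [f for f in findings
                if any(k in f["message"].lower() for k in TRIAGE_KEYWORDS)]
    return per_uri, priority


def run_nikto(target, report_path="nikto.csv", **kwargs):
    """Run nikto for real and return the parsed findings."""
    if shutil.which("nikto") is None:
        raise RuntimeError("nikto not found on PATH (on Kali: apt install nikto)")
    cmd = build_nikto_command(target, report_path=report_path, **kwargs)
    subprocess.run(cmd, check=False)   # nikto's exit status is not a pass/fail signal
    with open(report_path, newline="") as fh:
        return parse_nikto_csv(fh.read())


# Constructed sample of what the CSV report looks like (not real scan output).
SAMPLE_CSV = '''"www.example.com","192.0.2.10","443","999970","GET","/","The X-Content-Type-Options header is not set."
"www.example.com","192.0.2.10","443","3092","GET","/backup/","This might be interesting: backup directory found."
"www.example.com","192.0.2.10","443","0","GET","/","Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.54)."
'''

if __name__ == "__main__":
    rows = parse_nikto_csv(SAMPLE_CSV)
    per_uri, priority = summarize(rows)
    print(dict(per_uri))
    for f in priority:
        print(f["uri"], "->", f["message"])
```

Swap the constructed SAMPLE_CSV for the file that run_nikto writes to get the same triage view on a real target; the -Tuning value can be narrowed (for example to "123") when a full scan is too loud for the engagement.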


Tags: Nikto Scanner


Jan 21 2023

Is this website Safe : How to Check Website Safety to Avoid Cyber Threats Online

Category: Dark Web, Web Security | DISC @ 9:41 am

Is this website safe? Checking website safety is an important concern: there are countless malicious websites on the Internet and it is hard to tell a trustworthy one from a dangerous one, so we need to browse carefully and use several approaches to make sure a site is not dangerous before trusting it.

In general, type the website URL yourself rather than copy-pasting or clicking a link. Also check whether the site is served over HTTP or HTTPS.


Investigating: is this website safe

If a URL arrives from an unknown source, cross-check it before clicking on it. Copy the URL into one of the analyzers available online and confirm where it actually leads.

If it is a shortened URL, expand it with an unshortening service first and then analyze the real destination URL.

Methods to analyze Websites

The first and most recommended method is to run the site through an online page scanner, which fingerprints the web application to show whether it is up to date or infected with malware.

A number of such scanners are available.

A website reputation check with WOT (Web of Trust) helps gauge how trustworthy a site is.


Ensure SSL is there before making a purchase

Before entering payment card details, make sure the site is served over HTTPS; online SSL/TLS analyzers can audit the configuration. Keep in mind that HTTPS only means the connection is encrypted and the certificate matches the host name: phishing sites routinely have valid certificates, so the padlock alone does not make a site trustworthy.

Certificates range from domain validation (DV), which only proves control of the domain name, to organization validation (OV) and extended validation (EV), which additionally verify the organization behind the site.

Various online checkers can also verify that the certificate has been installed correctly.

Google Safe Browsing: is this website safe

According to Google, Safe Browsing is a service that Google’s security team built to identify unsafe websites across the web and notify users and webmasters of potential harm.

In this Transparency Report, Google discloses details about the threats we detect and the warnings we show to users.

We share this information to increase awareness about unsafe websites, and we hope to encourage progress toward a safer and more secure web.

Safe Browsing also notifies webmasters when their websites are compromised by malicious actors and helps them diagnose and resolve the problem so that their visitors stay safer.

Safe Browsing protections work across Google products and power safer browsing experiences across the Internet.

Check whether a website hosts any unsafe content: Google Safe Browsing

To Report Malicious websites

Please report dangerous URLs to the services listed below. They are arranged in categories, which should make it relatively easy to decide which services to report a site to.

Services which blacklist Dangerous sites

Check the Blacklist IP Address 

Several tools can check whether a website’s IP address is listed in the global blacklist databases.

Multirbl is a free multiple DNSBL (DNS blacklist, also called RBL) lookup and FCrDNS (forward-confirmed reverse DNS, also called iprev) check tool. A DNSBL is queried by looking up the reversed IP address under the list’s zone; FCrDNS checks that the host name returned by the address’s PTR record resolves back to that same address.
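As an added example (not from the original post and not Multirbl’s code), the Python script below implements both checks the paragraph above describes: it builds the reversed-address DNSBL query name for IPv4 and IPv6, interprets the 127.0.0.x answer codes a blacklist returns, and performs the forward-confirmed reverse DNS check. The resolver functions are injectable, so the offline run uses constructed DNS records; the zone name dnsbl.example and the addresses are made up.

```python
"""DNSBL lookup and forward-confirmed reverse DNS (FCrDNS) checks.

Added example. Resolver functions are injectable so the logic can run
offline with constructed records; the real ones use the standard library.
"""
import ipaddress
import socket


def dnsbl_query_name(ip, zone):
    """Build the DNSBL query name: the address octets (IPv4) or hex nibbles
    (IPv6) in reverse order, dotted, followed by the list's zone."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = str(addr).split(".")
    else:
        labels = list(addr.exploded.replace(":", ""))
    return ".".join(reversed(labels)) + "." + zone


def system_resolve(name):
    """Forward lookup (A/AAAA) with the system resolver; [] on NXDOMAIN."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None)})
    except socket.gaierror:
        return []


def system_reverse(ip):
    """PTR lookup; None when the address has no reverse name."""
    try:
        return socket.gethostbyaddr(ip)[0]
    except (socket.herror, socket.gaierror):
        return None


def dnsbl_listed(ip, zone, resolve=system_resolve):
    """A listed address answers with A records in 127.0.0.0/8; the returned
    codes (e.g. 127.0.0.2) encode the listing reason, which differs per list."""
    answers = resolve(dnsbl_query_name(ip, zone))
    return [a for a in answers if a.startswith("127.")]


def fcrdns_ok(ip, resolve=system_resolve, reverse=system_reverse):
    """Forward-confirmed reverse DNS: PTR(ip) -> host, and A/AAAA(host) must
    contain ip again. Missing records fail the check."""
    host = reverse(ip)
    if not host:
        return False, None
    forward = {ipaddress.ip_address(a) for a in resolve(host)}
    return ipaddress.ip_address(ip) in forward, host


def check_website_ip(ip, zones, resolve=system_resolve, reverse=system_reverse):
    """Combine both checks into one report for a site's address."""
    listed = {}
    for zone in zones:
        codes = dnsbl_listed(ip, zone, resolve)
        if codes:
            listed[zone] = codes
    ok, host = fcrdns_ok(ip, resolve, reverse)
    return {"ip": ip, "listed_in": listed, "fcrdns_ok": ok, "hostname": host}


# Constructed DNS data so the checks can run offline (not real listings).
FAKE_FORWARD = {
    "10.2.0.192.dnsbl.example": ["127.0.0.2"],   # 192.0.2.10 is listed, code 2
    "mail.example.org": ["192.0.2.10"],          # forward matches the PTR
}
FAKE_REVERSE = {
    "192.0.2.10": "mail.example.org",
    "198.51.100.7": "other.example.com",         # PTR exists but never resolves back
}


def fake_resolve(name):
    return FAKE_FORWARD.get(name, [])


def fake_reverse(ip):
    return FAKE_REVERSE.get(ip)


if __name__ == "__main__":
    for ip in ("192.0.2.10", "198.51.100.7"):
        print(check_website_ip(ip, ["dnsbl.example"], fake_resolve, fake_reverse))
```

Against real lists, call check_website_ip with the default resolvers and the zones you trust; note that public DNSBLs rate-limit or block queries from large resolvers, so an empty answer is not proof that an address is clean.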

Check the Website Safety & Reputation

This service analyzes a website through multiple blacklist engines and online reputation tools to help detect fraudulent and malicious websites, including sites involved in malware incidents, fraud and phishing.

Important tools to check website reputation and confirm whether a site is safe:

Conclusion

Cyber criminals use a range of sophisticated techniques to trick users into running malware and other cyber threats, causing serious damage. So be wary of malicious websites: do not open a site blindly, check its safety first.

Web Application Security: Exploitation and Countermeasures for Modern Web Applications


Tags: Website Safety


Jan 17 2023

Car companies massively exposed to web vulnerabilities

Category: Security vulnerabilities, Web Security | DISC @ 11:51 am

From a detailed report – compiled by security researcher Sam Curry – the findings are an alarming indication that in its haste to roll out digital and online features, the automotive industry is doing a sloppy job of securing its online ecosystem. https://lnkd.in/gdAXGjaN

The web applications and APIs of major car manufacturers, telematics (vehicle tracking and logging technology) vendors, and fleet operators were riddled with security holes, security researchers warn.

In a detailed report, security researcher Sam Curry laid out vulnerabilities that run the gamut from information theft to account takeover, remote code execution (RCE), and even hijacking physical commands such as starting and stopping the engines of cars.

From web portals to car locks

Around six months ago, Curry and a few friends stumbled on a vulnerability in the mobile app of a scooter fleet at the University of Maryland, which caused the horns and headlights on all the scooters on the campus to turn on and stay on for 15 minutes. Curry subsequently became interested in doing further investigation along with researchers Neiko Rivera, Brett Buerhaus, Maik Robert, Ian Carroll, Justin Rhinehart, and Shubham Shah.

“We thought it’d be awesome to dump a ton of time into hacking different car companies to see how many ‘horns we could honk’, but it quickly turned into hacking telematics infrastructure and things outside of the telematics APIs,” Curry told The Daily Swig.

The researchers’ findings, detailed on Curry’s blog, highlight an alarming number of critical vulnerabilities across different systems. For example, a poorly configured API endpoint for generating one-time passwords for the web portals of BMW and Rolls-Royce potentially enabled attackers to take over the accounts of any employee and contractor, thereby gaining access to sensitive customer and vehicle information.

A misconfiguration in the Mercedes-Benz single sign-on (SSO) system enabled the researchers to gain access to several internal company assets, including private GitHub repositories and internal communication tools. Attackers could pose as employees, allowing them to access sensitive information, send commands to customer vehicles, perform RCE attacks, and use social engineering to escalate their privileges across the Mercedes-Benz infrastructure.

Elsewhere, a vulnerability in Kia’s dealer web portal could have allowed attackers to create a fake session, register an account, associate it with any arbitrary VIN, and gain access to the lock, unlock and remote start/stop functions, as well as vehicle locations and camera feeds.

A poorly implemented SSO functionality in Ferrari’s web applications allowed the researchers to gain unrestricted access to the JavaScript code of several internal applications. The source code contained internal API keys and usage patterns, allowing potential attackers to create and modify users or (worse yet) give themselves super-user permissions. The vulnerabilities effectively allowed attackers to take ownership of Ferrari cars.

Other vulnerabilities granted full remote control over the locks, engine, horn, headlights, and trunk of Hyundai and Genesis vehicles made after 2012. The researchers were also able to obtain full remote access to Honda, Nissan, Infiniti, and Acura vehicles.

Dangerous bug in telematics portal

Curry and his colleagues found a SQL injection vulnerability in the admin portal of Spireon, the parent company of several car telematics and fleet management vendors that collectively service 15 million vehicles. Curry described this as their “most alarming finding” because the vulnerability allowed them to gain administrator access to the company’s platform.

“Using our access, we could access all user accounts, devices (vehicles), and fleets,” he said. “Some of the fleets on the website included ambulances, police cruisers, and large trucks. Using the Spireon access, we could send fully arbitrary commands and update device configurations.”

The researchers found they were able to lock starters, unlock vehicles, track vehicles, and send rogue dispatch addresses to vehicles like police cars and ambulances. The researchers further suspect the security shortcomings made it possible to install backdoors and run arbitrary commands on Spireon devices.

Half-baked

“There were some car companies where you’d own one, then copy the exact same methodology to another car company and get in with the same vulnerability,” Curry said.

The researchers found that some flaws existed across the platforms of several companies, including many exposed actuators (vehicle component controls), debug endpoints, and administrative functionality for managing vehicles, purchase contracts and telematics devices.

“From what it seems, car companies really rushed to install these devices,” Curry said. “Currently, these installations mostly have limited functionality so you can only do things like track, unlock, and start the vehicle, but with companies like Tesla and Rivian building more connected vehicles which can actually be controlled remotely, I’m worried that market pressure will force these companies to build half-baked solutions which are open to attack.”


Tags: Car Security


Jan 13 2023

Credential Stealing Flaw in Google Chrome Impacted 2.5 Billion Users

Category: Web Security | DISC @ 10:01 am

The vulnerability (CVE-2022-3656), allowed remote attackers to steal sensitive user data like cloud service provider credentials and crypto wallet details.

The cyber security researchers at Imperva Red Team have shared details of a recently discovered and patched vulnerability that impacted over 2.5 billion Google Chrome users and all Chromium-based browsers, including Opera and Edge.

Vulnerability Details

Further analysis showed that the issue stemmed from how Chrome handled symbolic links while processing files and directories.

According to Imperva researcher Ron Masas, the browser did not check whether a symlink pointed to a location that was not meant to be accessible, which made it possible to steal sensitive files. Google rated it a medium-severity vulnerability, described as insufficient data validation in File System. A fix shipped in Chromium 107 and 108, released in October and November 2022 respectively.

What is SymStealer?

In their report, Imperva researchers named the flaw SymStealer. It occurs when the File System is used to bypass the browser’s restrictions and read files the page should not be able to access. Imperva’s analysis showed that when a user drags and drops a folder directly onto a file input element, the browser recursively resolves all symlinks inside it without displaying a warning.

A symlink, or symbolic link, is a file that points to another file or directory and lets the OS treat the target as if it were stored at the symlink’s location. It is normally used for shortcuts, file organisation and redirecting file paths.

Imperva’s research showed that this feature can be abused when a browser follows symlinks while processing files and directories. This weakness class is known as symbolic link following (CWE-61).

Attack Scenario

Through this weakness, an attacker lures the victim to a malicious website, for example one posing as a crypto wallet service, which has the victim download a ZIP archive and later asks them to upload their “recovery keys”. The archive contains a symlink that points at a valuable file or folder on the victim’s device, such as the wallet’s key material.

When the victim extracts the archive and drags the extracted folder onto the site’s file input, the browser follows the symbolic link and uploads the original file holding the key phrase. Imperva’s proof of concept used CSS to enlarge the file input element so that the drop lands on it wherever on the page the folder is released, and the data is exfiltrated silently.
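The lure only works because the unzip tool on the victim’s machine faithfully recreates the symlink. As an added example (not Imperva’s proof of concept and not Chromium code), the Python script below builds such an archive and audits ZIP members for symlinks and path traversal before extraction, so a mail gateway or download handler can refuse or neutralise it. The archive contents and the target path are constructed; the symlink encoding (Unix mode in the high 16 bits of external_attr, link target stored as the member data) is the Info-ZIP convention.

```python
"""Audit a ZIP archive for symlink and traversal members before extraction.

Added example; archive contents are constructed. Assumes the Info-ZIP
convention for symlink members (mode in external_attr >> 16, target as data).
"""
import io
import os
import posixpath
import stat
import zipfile


def build_archive(members):
    """members: (name, data, link_target) triples; link_target is None for a
    regular file. A symlink member stores its Unix mode in the high 16 bits
    of external_attr and its target as the member data (Info-ZIP convention)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data, target in members:
            if target is None:
                zf.writestr(name, data)
                continue
            info = zipfile.ZipInfo(name)
            info.create_system = 3                      # 3 = Unix; mode bits are honoured
            info.external_attr = (stat.S_IFLNK | 0o777) << 16
            zf.writestr(info, target)
    return buf.getvalue()


def is_symlink(info):
    return info.create_system == 3 and stat.S_ISLNK(info.external_attr >> 16)


def escapes_root(name):
    """Absolute names or names that climb out of the extraction directory."""
    norm = posixpath.normpath(name)
    return name.startswith("/") or norm == ".." or norm.startswith("../")


def audit_archive(data):
    """List every member that could make an extracted folder reach outside
    itself: (kind, member name, target or normalised path)."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if is_symlink(info):
                target = zf.read(info).decode("utf-8", "replace")
                findings.append(("symlink", info.filename, target))
            if escapes_root(info.filename):
                findings.append(("path-traversal", info.filename, posixpath.normpath(info.filename)))
    return findings


def extract_safely(data, dest):
    """Write only regular files that stay under dest; symlinks and traversal
    entries are dropped rather than recreated. Returns the written paths."""
    written = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir() or is_symlink(info) or escapes_root(info.filename):
                continue
            out = os.path.join(dest, posixpath.normpath(info.filename))
            os.makedirs(os.path.dirname(out), exist_ok=True)
            with open(out, "wb") as fh:
                fh.write(zf.read(info))
            written.append(out)
    return written


# Constructed lure: looks like a wallet backup, but "keys" is a symlink to the
# victim's real wallet directory, so dragging the folder onto the page's file
# input would upload that directory. The path is made up.
LURE_ZIP = build_archive([
    ("wallet-backup/README.txt", b"Drag this folder onto the recovery page", None),
    ("wallet-backup/keys", b"", "/home/victim/.config/wallet"),
])

if __name__ == "__main__":
    for finding in audit_archive(LURE_ZIP):
        print(*finding)
```

Running the block prints the single symlink finding for the lure; extract_safely shows the other half of the defence, an extractor that never materialises the link in the first place, which is the behaviour to expect from any unarchiver used on untrusted downloads.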

It is important to always keep your software up to date in order to protect against the latest vulnerabilities and ensure that your personal and financial information remains secure.

Imperva

Information Assurance Directorate: Deploying and Securing Google Chrome in a Windows Enterprise

Tags: Credential Stealing Flaw, Google Chrome


Dec 23 2022

WEB APPLICATION PENTESTING CHECKLIST

Category: App Security, Pen Test, Web Security | DISC @ 11:37 am

Web Pentesting Checklist Cyber Security News

PenTesting Titles

Penetration Testing: Protecting Networks and Systems

Pentesting Training

Penetration Testing – Exploitation

Penetration Testing – Post Exploitation


Tags: WEB APPLICATION PENTESTING CHECKLIST


Dec 19 2022

Is this website Safe : How to Check Website Safety to Avoid Cyber Threats Online

Category: App Security, Cyber Threats, Web Security | DISC @ 10:58 am



Web Application Security: Exploitation and Countermeasures for Modern Web Applications

Security Analysis with search engines:


Tags: #Pentesters, Security Analysis, Web Application Security, Website Safety


Nov 10 2022

Malicious Chrome Plugin Let Remote Attacker Steal keystroke and Inject Malicious Code

Category: Malware, Web Security | DISC @ 11:38 am

Researchers at Zimperium zLabs recently identified a new Chrome browser botnet called ‘Cloud9’ that uses malicious extensions to:-

  • Steal online account credentials
  • Log keystrokes
  • Inject ads
  • Inject malicious JS code
  • Enroll the victim’s browser in DDoS attacks

Targeting web browsers is increasingly attractive for malware developers because browsers hold the most valuable information about a user.

Keystrokes and session cookies reveal a great deal about a person’s everyday activity, and access to them can lead to a security breach or a privacy violation.

Cloud9 botnet is a RAT that affects all Chromium-based web browsers, which are popular among consumers like Chrome and Microsoft Edge. Moreover, threat actors could exploit this RAT to remotely execute arbitrary commands.

Technical Analysis

The official Chrome web store doesn’t host this malicious Chrome extension, so it cannot be downloaded from there. 

The extension is distributed through communities operated by threat actors, where users of the tool hide the malware in other content and deliver it to victims themselves.

The extension consists of only three JavaScript files; most of its functionality lives in a file called “campaign.js”.

According to the report, campaign.js uses the window.navigator API during initialization to identify the operating system. Once the target has been identified, a JavaScript file is injected into the victim’s browser to mine cryptocurrency with the victim’s computing resources.

Next, for further proceedings, it injects another script known as cthulhu.js which comprises a full-chain exploit for the following flaws:-

  • CVE-2019-11708 (Firefox)
  • CVE-2019-9810 (Firefox)
  • CVE-2014-6332 (Internet Explorer)
  • CVE-2016-0189 (Internet Explorer)
  • CVE-2016-7200 (Edge)

As soon as the vulnerabilities are exploited, Windows malware is automatically installed on the host machine and executed. This gives attackers even more opportunities to compromise systems and carry out even more severe malware attacks.

One of the more sophisticated components of this malware is “Clipper”, a module that continuously scans the system clipboard for copied data such as:-

  • Passwords
  • Credit cards details

In addition to injecting ads into webpages silently, Cloud9 is also capable of generating revenue for its operators by generating ad impressions.
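Cloud9 is never installed from the Chrome Web Store, and the LayerX report above lists extensions with excessive permissions as one of the year’s major threats. As an added example (not Zimperium’s analysis and not Chrome’s own tooling), the Python script below reads the per-extension records Chrome keeps in a profile’s Preferences file and flags extensions that were sideloaded or that hold permissions broad enough to read every page. The field names extensions.settings.<id>.from_webstore, state and manifest are as observed in Chrome profiles, but the exact layout should be treated as an assumption; the risk list is this example’s choice and the sample profile is constructed with fake extension ids.

```python
"""Inventory Chrome extensions from a profile's Preferences file and flag
sideloaded or over-privileged ones.

Added example. Assumes Preferences keeps per-extension records under
extensions.settings.<id> with from_webstore, state and manifest keys
(observed layout, treated as an assumption). Sample profile is constructed.
"""
import json
from pathlib import Path

# Permissions that give an extension read/modify access to everything the
# user does in the browser; the list is this example's choice, not Chrome's.
HIGH_RISK_PERMISSIONS = {
    "webRequest", "webRequestBlocking", "tabs", "cookies", "clipboardRead",
    "nativeMessaging", "debugger", "proxy", "scripting", "history",
}


def broad_host(p):
    """<all_urls> or a host pattern like *://*/* covers every site."""
    return p == "<all_urls>" or p.endswith("://*/*")


def load_extension_records(preferences_json):
    prefs = json.loads(preferences_json)
    return prefs.get("extensions", {}).get("settings", {})


def assess_extension(ext_id, record):
    manifest = record.get("manifest", {})
    perms = set(manifest.get("permissions", [])) | set(manifest.get("host_permissions", []))
    reasons = []
    if not record.get("from_webstore", False):
        reasons.append("not installed from the Chrome Web Store")
    risky = sorted(p for p in perms if p in HIGH_RISK_PERMISSIONS or broad_host(p))
    if risky:
        reasons.append("high-risk permissions: " + ", ".join(risky))
    enabled = record.get("state", 1) == 1           # state 1 == enabled (assumed)
    if reasons and enabled:
        risk = "high"
    elif reasons:
        risk = "medium"
    else:
        risk = "low"
    return {"id": ext_id, "name": manifest.get("name", "?"),
            "version": manifest.get("version", "?"), "enabled": enabled,
            "reasons": reasons, "risk": risk}


def audit_profile(preferences_json):
    """Assess every extension in a profile, riskiest first."""
    order = {"high": 0, "medium": 1, "low": 2}
    records = load_extension_records(preferences_json)
    results = [assess_extension(i, r) for i, r in records.items()]
    return sorted(results, key=lambda r: (order[r["risk"]], r["name"]))


def audit_profile_dir(profile_dir):
    """Read a real profile, e.g. ~/.config/google-chrome/Default on Linux
    (on Windows the records usually live in 'Secure Preferences' instead)."""
    for fname in ("Secure Preferences", "Preferences"):
        path = Path(profile_dir) / fname
        if path.exists():
            return audit_profile(path.read_text(encoding="utf-8"))
    raise FileNotFoundError(f"no Preferences file under {profile_dir}")


# Constructed profile fragment (fake extension ids, not real ones).
SAMPLE_PREFERENCES = json.dumps({"extensions": {"settings": {
    "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa": {"from_webstore": True, "state": 1,
        "manifest": {"name": "Note Taker", "version": "1.2", "permissions": ["storage"]}},
    "bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb": {"from_webstore": False, "state": 1,
        "manifest": {"name": "Free VPN Booster", "version": "0.9",
                     "permissions": ["tabs", "webRequest", "webRequestBlocking"],
                     "host_permissions": ["<all_urls>"]}},
    "cccccccccccccccccccccccccccccccc": {"from_webstore": True, "state": 0,
        "manifest": {"name": "Clipboard Helper", "version": "3.0",
                     "permissions": ["clipboardRead"]}},
}}})

if __name__ == "__main__":
    for r in audit_profile(SAMPLE_PREFERENCES):
        print(r["risk"], r["name"], r["version"], "; ".join(r["reasons"]))
```

Run audit_profile_dir against each profile directory on a fleet (or feed the collected Preferences files into audit_profile) to get a per-user list of extensions that warrant review; the same signal can feed an allow-list policy so that anything not from the Web Store is blocked rather than merely reported.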

Cloud9 Botnet Functionalities


Tags: Malicious Chrome Plugin


Nov 08 2022

Researchers Found Website Scanner “Urlscan.io” Leaking Sensitive Private Data

Category: Web Security | DISC @ 11:50 am

Researchers from Positive Security found that the website scanner urlscan.io was unintentionally exposing sensitive URLs and data because scans were being submitted with public visibility.

The issue came to light during a metadata analysis, which showed that a third party had accidentally leaked GitHub Pages URLs through the service.

“This information could be used by spammers to collect email addresses and other personal information,” Bräunlein, co-founder of Positive Security, said. “It could be used by cyber criminals to take over accounts and run believable phishing campaigns.”

The URLscan.io service is described as a sandbox for the web and has been referred to as a web scanner. Several security solutions integrate with its API in order to make their solutions more secure and feature-rich.

The idea behind it is to allow users to identify possible malicious websites with ease and confidence using a simple, straightforward tool. A wide range of open-source projects and enterprise customers are supported by the engine.

Sensitive data can be mined

Users who enabled GitHub Pages as a hosting method for a private repository were found to have leaked the name of that repository. There does not seem to have been any public official acknowledgement of this as of yet.

An anonymous user could easily search for and retrieve a large amount and variety of sensitive data, because several security tools integrate the API, scan incoming emails and submit every link they contain to urlscan.io.

Several types of information are provided with each scan result that is returned by the service, including:-

  • Password reset links
  • Unsubscribe links
  • Account creation URLs
  • API keys
  • Information about Telegram bots
  • DocuSign signing requests
  • Amazon gift delivery links
  • Shared Google Drive links
  • Dropbox file transfers
  • Invite links to SharePoint
  • Invite links to Discord
  • Government Zoom invites
  • PayPal invoices
  • Paypal money claim requests
  • Links to Cisco Webex meeting recordings
  • Package tracking links

It has been noted that some API integrations submit scans with the generic python-requests/2.X.Y user agent and without stating a visibility. When such an integration ignores the account’s visibility settings, its scans end up submitted as public by mistake, which is how data the submitter assumed was private became searchable.
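As an added example (not Positive Security’s tooling and not an official urlscan.io client), the small Python client below does what the integrations above did not: it states the visibility on every submission rather than trusting the account default, sends an identifiable User-Agent instead of the python-requests default, and refuses outright to submit links that look like they carry a one-time secret, since the scanner will visit the link and consume it even when the scan itself is private. The POST endpoint, the API-Key header and the url/visibility body fields are urlscan.io’s documented API; the sensitive-pattern lists and the sample URLs are this example’s assumptions.

```python
"""Submit URLs to urlscan.io with explicit visibility and refuse URLs that
carry secrets in the first place.

Added example. Endpoint, API-Key header and url/visibility fields follow the
urlscan.io API docs; the sensitive patterns below are this example's choice.
"""
import json
import urllib.parse
import urllib.request

SCAN_ENDPOINT = "https://urlscan.io/api/v1/scan/"
VISIBILITIES = ("public", "unlisted", "private")

# Query parameters and path fragments that usually carry a one-time capability.
SENSITIVE_PARAMS = {"token", "key", "apikey", "api_key", "access_token", "code",
                    "sig", "signature", "otp", "session", "sid", "auth", "ticket"}
SENSITIVE_PATH_HINTS = ("/reset", "/unsubscribe", "/invite", "/verify", "/confirm",
                        "/signing", "/share", "/claim")


def sensitive_indicators(url):
    """Return the reasons a URL looks like it embeds a secret (empty if none)."""
    parts = urllib.parse.urlsplit(url)
    hits = []
    for name, _ in urllib.parse.parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            hits.append(f"query parameter {name}")
    path = parts.path.lower()
    hits += [f"path contains {h}" for h in SENSITIVE_PATH_HINTS if h in path]
    if parts.username or parts.password:
        hits.append("credentials in URL")
    # Long opaque segments are usually share ids or signed tokens.
    if any(len(seg) >= 32 and seg.isalnum() for seg in parts.path.split("/")):
        hits.append("opaque token in path")
    return hits


def plan_submission(url):
    """Decide whether a link harvested from mail may be sent to a third-party
    scanner at all: the scanner will visit it, so a reset or unsubscribe link
    is consumed even if the scan itself is private."""
    hits = sensitive_indicators(url)
    if hits:
        return {"action": "skip", "reasons": hits}
    return {"action": "submit", "reasons": []}


def build_scan_request(url, api_key, visibility="private", tags=()):
    """Build the POST with visibility stated explicitly on every call instead
    of relying on the account default, and with a descriptive User-Agent."""
    if visibility not in VISIBILITIES:
        raise ValueError(f"visibility must be one of {VISIBILITIES}")
    plan = plan_submission(url)
    if plan["action"] == "skip":
        raise ValueError("refusing to submit: " + "; ".join(plan["reasons"]))
    body = {"url": url, "visibility": visibility}
    if tags:
        body["tags"] = list(tags)
    return urllib.request.Request(
        SCAN_ENDPOINT, data=json.dumps(body).encode("utf-8"), method="POST",
        headers={"API-Key": api_key, "Content-Type": "application/json",
                 "User-Agent": "mail-link-checker/1.0 (example)"})


def request_body(req):
    """Decode the JSON body of a built request (handy for checks and logging)."""
    return json.loads(req.data.decode("utf-8"))


def submit(url, api_key, visibility="private"):
    """Send the scan request and return urlscan's JSON response (needs network)."""
    req = build_scan_request(url, api_key, visibility)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for u in ("https://app.example.com/account/reset?token=3f9a",
              "https://www.example.org/blog/post-1"):
        print(u, "->", plan_submission(u))
```

The pattern lists are deliberately conservative; tune them to the mail flows you actually scan, and prefer skipping a link over submitting it when in doubt, because a private scan still hands the URL to a third party and still triggers whatever the link does.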

Integrations

The report lists 26 commercial security solutions that have integrated urlscan.io’s API; they include:-

Tags: Website Scanner


Oct 04 2022

Chrome 106 Released – Google Fixed 20 Security Bugs – Update Now!

Category: Web Security | DISC @ 1:54 pm

Google has released a new stable version of the Chrome web browser. Chrome 106 brings a number of new features and improvements and also includes a number of security updates.

The new version of Chrome 106 has been already released by Google to the stable channel for all the major platforms:-

  • Windows (Chrome 106.0.5249.61/62)
  • Mac (Chrome 106.0.5249.61)
  • Linux (Chrome 106.0.5249.61)

In the course of hours, days, or even weeks, the update will be rolled out to all devices throughout the world in phases. 

Security fixes

This update contains 20 security fixes. As usual, the official release notes list only the security issues that were reported to the developers externally.

Chrome rates issues critical, high, medium or low; none in this release is rated critical. Five of the publicly disclosed flaws are rated high, and the remaining ones are rated medium or low.

Here below we have mentioned those five high severity security vulnerabilities:-

  • CVE-2022-3304: Use after free in CSS.
  • CVE-2022-3201: Insufficient validation of untrusted input in Developer Tools.
  • CVE-2022-3305: Use after free in Survey.
  • CVE-2022-3306: Use after free in Survey.
  • CVE-2022-3307: Use after free in Media.

There seem to be no exploits in the wild that take advantage of any of the issues. The release notes for this version do not mention anything about that.

Update Now

To speed up the installation of the Chrome 106 update, Chrome users can load the following URL in the address bar of the browser:-

  • chrome://settings/help

Opening this page in Chrome displays the currently installed version and triggers an immediate check for any update that has been released.

Chrome 106 Released – Google Fixed 20 Security Bugs – Update Now!

Tags: chrome bugs


Sep 28 2022

How Can WAF Prevent OWASP Top 10?

Category: next generation firewall,Web SecurityDISC @ 9:11 am

The OWASP Top 10 lists the most common categories of risk seen in web applications. It is not a list of attack vectors that a WAF (Web Application Firewall) can simply block, whatever some security vendors suggest. Protecting against the OWASP Top 10 is a shared responsibility of the security vendor and the application developers.

An effective security solution and WAF can do a lot to mitigate OWASP vulnerabilities, but in some cases it cannot give complete coverage, and the developers or the organization must take preventive action in the application itself.

In this article, we help you understand how a comprehensive, intelligent, and fully managed WAF can augment OWASP Top 10 protection. 

A Quick Introduction to WAF 

A WAF is the first line of defense between the web application and incoming web traffic, filtering out malicious requests and bad traffic at the network edge. The best WAFs are part of larger security solutions that combine deep, intelligent scanning, bot management, API protection, etc., with OWASP protection. They also leverage self-learning AI, behavioral and pattern analysis, security analytics, global threat feeds, and cloud computing in combination with human expertise.

WAFs and OWASP Top 10 Protection

Broken Access Control 

To effectively prevent this OWASP risk, organizations must fix their access control model itself; a WAF cannot do that for them. WAFs can help organizations by:

  • Proactively identifying attack vectors leveraged by attackers to exploit vulnerabilities such as design flaws, bugs, default passwords, vulnerable components, etc.
  • Testing for insecure direct object references, local file inclusion, and directory traversal
  • Providing visibility into the security posture, including access control violations
  • Enforcing custom rate limiting and geo-limiting policies.

Cryptographic Failures

Encrypting everything, at rest and in transit, is necessary for OWASP Top 10 protection against cryptographic failures. WAFs augment protection by testing for weak SSL/TLS ciphers, insufficient transport layer protection, lack of crypto agility, and sensitive information or credentials transmitted over unencrypted channels. Organizations can then fix any issues that are identified.

Injections

User input validation, sanitization, and parameterized queries in the application are critical to prevent this risk; the WAF is a second layer. For OWASP protection against injections, WAFs combine a positive model (an allowlist of what a parameter may look like) with a negative model (a denylist of attack signatures) to identify all types of injection – command, SQL, code, etc.

WAFs leverage behavior, pattern, and heuristic analytics and client reputation monitoring to proactively detect anomalous behavior and prevent malicious requests from reaching and being executed by servers. They use virtual patching to instantly secure injection flaws and prevent attackers’ exploitation. 
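The two layers described above, as an added example written for this page rather than taken from the article or from any WAF product: the application side compares a string-built SQL statement with a parameterized one, and the WAF side inspects request parameters with an allowlist for fields whose shape is known and a denylist of injection signatures for everything else. The field names, rules and sample requests are constructed for the demonstration.

```javascript
// Added example (not from the article): application-side parameterization plus
// a WAF-style allowlist/denylist inspection of request parameters.
// Field names, rules and sample requests below are constructed for the demo.

// --- Application side -------------------------------------------------------

// Vulnerable: the attacker's text becomes part of the SQL grammar.
function buildLoginQueryUnsafe(username, password) {
  return `SELECT id FROM users WHERE name = '${username}' AND pw = '${password}'`;
}

// Fixed: the statement is fixed text and the values travel separately as bind
// parameters, so "admin' --" can only ever be compared as a string.
function buildLoginQuerySafe(username, password) {
  return {
    sql: "SELECT id FROM users WHERE name = ? AND pw = ?",
    params: [username, password],
  };
}

// --- WAF side ---------------------------------------------------------------

// Positive model: parameters with a known shape must match it exactly.
const ALLOWLIST = {
  username: /^[a-z0-9_]{3,32}$/i,
  page: /^\d{1,4}$/,
};

// Negative model: signatures for SQL, command and code injection. Matching is
// done on the URL-decoded value, case-insensitively, so %27 or mixed case do
// not help the attacker.
const DENYLIST = [
  { name: "sql-tautology", re: /(['"])\s*or\s+\1?1\1?\s*=\s*\1?1/i },
  { name: "sql-union", re: /\bunion\b[\s\S]{0,40}\bselect\b/i },
  { name: "sql-comment", re: /(--|#|\/\*)\s*$/ },
  { name: "cmd-separator", re: /[;&|`$]\s*(cat|ls|id|whoami|curl|wget|nc)\b/i },
  { name: "code-eval", re: /\b(eval|exec|system|passthru)\s*\(/i },
];

function decode(value) {
  try { return decodeURIComponent(value); } catch { return value; }
}

// Inspect one request's parameters. Returns { action, reasons } where action is
// "allow" or "block" and reasons lists every rule that fired.
function wafInspect(params) {
  const reasons = [];
  for (const [key, raw] of Object.entries(params)) {
    const value = decode(String(raw));
    if (ALLOWLIST[key]) {
      if (!ALLOWLIST[key].test(value)) reasons.push(`${key}: fails allowlist`);
      continue; // an allowlisted field is judged by its shape alone
    }
    for (const rule of DENYLIST) {
      if (rule.re.test(value)) reasons.push(`${key}: ${rule.name}`);
    }
  }
  return { action: reasons.length ? "block" : "allow", reasons };
}
```

The allowlist is the stronger of the two models: `admin' --` is rejected as a username without any signature having to recognise it, while free-text fields such as a comment can only be screened by the denylist, which is why the parameterized query in the application remains the control that actually closes the hole.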


Insecure Design 

By integrating the WAF and the security solution into the early stages of software development, organizations can continuously monitor and test for security weaknesses. For instance, organizations can identify insecure code, components with known vulnerabilities, flawed business logic, etc., in the early SDLC stages by deploying a WAF and fixing what it finds. This helps build secure-by-design websites and apps.

Security Misconfigurations 

For OWASP Top 10 protection against security misconfigurations, WAFs use a combination of fingerprinting analysis and testing. They fingerprint web servers, web frameworks, and the application itself and test error codes, HTTP methods, stack traces, and RIA cross-domain policies to look for security misconfigurations. 

WAFs use automated workflows to intelligently detect misconfigurations, including default passwords, configurations, unused features, verbose error messages, etc. They virtually patch these misconfigurations to prevent exploitation by threat actors. They offer real-time visibility into the security posture and insightful reports, enabling organizations to keep hardening their security posture. 

Vulnerable and Outdated Components 

The intelligent scanning capabilities of WAFs enable organizations to continuously detect vulnerable and outdated components. Here, again instantaneous virtual patching helps secure these OWASP vulnerabilities until fixed by developers. 

Identification and Authentication Failures

Organizations must implement effective session management policies, strong password policies, and multi-factor authentication for OWASP Top 10 protection against identification and authentication failures. A WAF cannot supply these controls, but an intelligent WAF can detect attacks against them.

They leverage their bot detection capabilities – workflow validation, fingerprinting, and behavioral analysis – to prevent brute force attacks, credential stuffing, and other bot attacks resulting from the exploitation of broken authentication and session management. 

Software and Data Integrity Failures

WAFs can detect these OWASP security risks using their continuous scanning and penetration-testing capabilities, and they use a combination of negative and positive security models to block exploitation.

Security Logging and Monitoring Failures

The best WAFs offer ongoing logging and monitoring features and complete visibility into the security posture. They offer cohesive dashboards that can be used to generate customizable and visual reports, gain critical insights and recommendations to improve security, etc. 

Server-Side Request Forgery (SSRF)

For protection against SSRF, the organization's own positive rules and user input validation are critical: the server should only fetch destinations it has explicitly allowed. A WAF, on its end, can be configured to block unwanted outbound traffic by default, encrypt responses, and prevent HTTP redirections.
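What the positive rule for SSRF looks like in code, as an added example for this page and not something from the article or from a WAF vendor: a user-supplied URL is parsed, reduced to the canonical hostname, checked against literal address ranges that must never be fetched, and then against an allowlist of hosts the server is permitted to talk to. The allowed hosts and the ranges are constructed for the demonstration.

```javascript
// Added example (not from the article): allowlist-based validation of a
// user-supplied URL before the server fetches it. ALLOWED_HOSTS is a
// constructed example; the blocked ranges are the usual internal ones.

const ALLOWED_HOSTS = new Set(["api.example.com", "cdn.example.com"]);

// Literal IPv4 ranges that must never be fetched on a user's say-so: loopback,
// RFC 1918, link-local (cloud metadata lives at 169.254.169.254), CGNAT, "this".
const BLOCKED_V4 = [
  ["127.0.0.0", 8], ["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16],
  ["169.254.0.0", 16], ["100.64.0.0", 10], ["0.0.0.0", 8],
];

// Dotted-quad to unsigned 32-bit integer, or null if not a dotted quad.
function ipv4ToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inBlockedRange(ip) {
  const n = ipv4ToInt(ip);
  if (n === null) return false;
  return BLOCKED_V4.some(([base, bits]) => {
    const mask = (~0 << (32 - bits)) >>> 0;
    return ((n & mask) >>> 0) === ((ipv4ToInt(base) & mask) >>> 0);
  });
}

// Returns { ok: true, url } or { ok: false, reason }.
function checkOutboundUrl(input) {
  let url;
  try { url = new URL(input); } catch { return { ok: false, reason: "unparseable" }; }
  if (url.protocol !== "https:") return { ok: false, reason: "scheme " + url.protocol };
  if (url.username || url.password) return { ok: false, reason: "credentials in URL" };
  // WHATWG parsing normalises 2130706433, 0x7f000001 and 127.1 to 127.0.0.1,
  // so the range check below sees the canonical form.
  const host = url.hostname;
  if (host.startsWith("[")) return { ok: false, reason: "IPv6 literal" };
  if (inBlockedRange(host)) return { ok: false, reason: "blocked address " + host };
  if (host === "localhost" || host.endsWith(".localhost")) return { ok: false, reason: "localhost" };
  if (!ALLOWED_HOSTS.has(host)) return { ok: false, reason: "host not allowlisted" };
  return { ok: true, url: url.href };
}
```

The fetch that follows must be made with redirects disabled (redirect: "manual" in fetch) and any Location header passed back through the same function; otherwise an allowlisted host can bounce the request to an internal one, which is the "preventing HTTP redirections" point above. Allowlisting hostnames rather than resolving them to addresses also sidesteps DNS tricks, since a name not on the list is refused before any lookup happens.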

OWASP Top 10 security risks

Web Application Firewall WAF A Complete Guide

Tags: Next-Gen WAF protection, OWASP Top 10, WAF


Sep 16 2022

Browser-in-the-browser attacks

Category: Web SecurityDISC @ 8:30 am

Researchers at threat intelligence company Group-IB just wrote an intriguing real-life story about an annoyingly simple but surprisingly effective phishing trick known as BitB, short for browser-in-the-browser.

You’ve probably heard of several types of X-in-the-Y attack before, notably MitM and MitB, short for manipulator-in-the-middle and manipulator-in-the-browser.

In a MitM attack, the attackers who want to trick you position themselves somewhere “in the middle” of the network, between your computer and the server you’re trying to reach.

(They might not literally be in the middle, either geographically or hop-wise, but MitM attackers are somewhere along the route, not right at either end.)

The idea is that instead of having to break into your computer, or into the server at the other end, they lure you into connecting to them instead (or deliberately manipulate your network path, which you can’t easily control once your packets exit from your own router), and then they pretend to be the other end – a malevolent proxy, if you like.

They pass your packets on to the official destination, snooping on them and perhaps fiddling with them on the way, then receive the official replies, which they can snoop on and tweak for a second time, and pass them back to you as though you’d connected end-to-end just as you expected.

If you’re not using end-to-end encryption such as HTTPS in order to protect both the confidentiality (no snooping!) and integrity (no tampering!) of the traffic, you are unlikely to notice, or even to be able to detect, that someone else has been steaming open your digital letters in transit, and then sealing them again up afterwards.

more details: Serious Security: Browser-in-the-browser attacks – watch out for windows that aren’t!

Web Security for Developers: Real Threats, Practical Defense

Browser Security A Complete Guide

Tags: browser security, web security


Aug 31 2022

Chrome patches 24 security holes, enables “Sanitizer” safety system

Category: Web SecurityDISC @ 8:20 am

Google’s latest Chrome browser, version 105, is out, though the full version number is annoyingly different depending on whether you are on Windows, Mac or Linux.

On Unix-like systems (Mac and Linux), you want 105.0.5195.52, but on Windows, you’re looking for 105.0.5195.54.

According to Google, this new version includes 24 security fixes, though none of them are reported as “in-the-wild”, which means that there weren’t any zero-days patched this time.

Nevertheless, there’s one vulnerability dubbed Critical, and a further eight rated High.

Of the flaws that were fixed, just over half of them are down to memory mismanagement, with nine listed as use-after-free bugs, and four as heap buffer overflows.

Memory bug types explained

A use-after-free is exactly what it says: you hand back memory to free it up for another part of the program, but carry on using it anyway, thus potentially interfering with the correct operation of your app.

Imagine, for instance, that the part of the program that thinks it now has sole access to the offending block of memory receives some untrusted input, and carefully verifies that the new data is safe to use… but then, in the instant before it starts using that validated input, your buggy “use-after-free” code interferes, and injects stale, unsafe data into the very same part of memory.

Suddenly, bug-free code elsewhere in the program behaves as if it were buggy itself, thanks to the flaw in your code that just invalidated what was in memory.

Attackers who can figure out a way to manipulate the timing of your code’s unexpected intervention may be able not only to crash the program at will, but also to wrest control from it, thus causing what’s known as remote code execution.

And a heap buffer overflow refers to a bug where you write more data to memory than will fit in the space that was originally allocated to you. (Heap is the jargon term for the collection of memory blocks that are currently being managed by the system.)

If some other part of the program has a memory block that just happens to be near to or next to yours in the heap, then the superfluous data that you just wrote out won’t overflow harmlessly into unused space.

Instead, it will corrupt data that’s in active use somewhere else, with similar consequences to what we just described for a use-after-free bug.

The “Sanitizer” system

Happily, as well as fixing misfeatures that weren’t supposed to be there at all, Google has announced the arrival of a new feature that adds protection against a class of browser flaws known as cross-site scripting (XSS).

XSS bugs are caused by the browser inserting untrusted data, say from a web form submitted by a remote user, directly into the current web page, without checking for (and removing) risky content first.

Imagine, for instance, that you have a web page that offers to show me what a text string of my choice looks like in your funky new font.

If I type in the sample text Cwm fjord bank glyphs vext quiz (a contrived but vaguely meaningful mashup of English and Welsh that contains all 26 letters of the alphabet in just 26 letters, in case you were wondering), then it’s safe for you to put that exact text into the web page you create.

In JavaScript, for example, you could rewrite the body of the web page like this, inserting the text that I supplied without any modification:

document.body.innerHTML = "<p style='font-family:funky;'>Cwm fjord bank glyphs vext quiz</p>"

But if I cheated, and asked you to “display” the text string Cwm fjord<script>alert(42)</script> instead, then it would be reckless for you to do this


document.body.innerHTML = "<p style='font-family:funky;'>Cwm fjord<script>alert(42)</script></p>"


because you would be allowing me to inject untrusted JavaScript code of my choosing directly into your web page, where my code could read your cookies and access data that would otherwise be off-limits.

So, to make what’s known as sanitising thine inputs easier, Chrome has now officially enabled support for a new browser function called setHTML().

This can be used to push new HTML content through a feature called the Sanitizer first, so that if you use this code instead


document.body.setHTML("<p style='font-family:funky;'>Cwm fjord<script>alert(42)</script></p>")


then Chrome will scan the proposed new HTML string for security problems first, and automatically remove any text that could pose a risk.

You can see this in action in the Developer Tools by running the above setHTML() code at the Console prompt, and then reading back document.body.innerHTML to see the HTML that was actually injected into the document.


Even though we explicitly put a <script> tag in the input that we passed to the setHTML() function, the script code was automatically purged from the output that was created.

If you genuinely need to add potentially dangerous text into an HTML element, you can add a second argument to the setHTML() function that specifies various types of risky content to block or allow.

By default, if this second argument is omitted as above, then the Sanitizer operates at its maximum security level and automatically purges all dangerous content that it knows about.
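The two defences behind the text above, as an added example written for this page (not code from the Sophos article or from Chrome) that runs in Node or a browser console. escapeHtml() is the right fix for the font-sample page: the visitor's string is data, so every HTML-significant character becomes an entity and nothing the visitor types can open a tag. sanitizeHtml() models what a Sanitizer does when some markup must survive: an allowlist of tags and attributes, with script and style blocks removed along with their contents and javascript: URLs dropped. It is a teaching model of the technique; the tag list is an assumption, and a production application should rely on a maintained sanitizer library or the platform API rather than on hand-rolled regular expressions.

```javascript
// Added example (not from the article or Chrome): text escaping, and a minimal
// allowlist sanitizer that models what setHTML()'s Sanitizer does.
// ALLOWED_TAGS / ALLOWED_ATTRS are an assumed policy for the demonstration.

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (c) => ({
    "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;",
  })[c]);
}

// Builds the markup the article's demo page set via innerHTML, but with the
// visitor's text treated as text, so <script> arrives as &lt;script&gt;.
function renderSample(userText) {
  return `<p style='font-family:funky;'>${escapeHtml(userText)}</p>`;
}

const ALLOWED_TAGS = new Set(["p", "b", "i", "em", "strong", "br", "a"]);
const ALLOWED_ATTRS = { a: new Set(["href"]) };
const SAFE_URL = /^(https?:|mailto:|\/|#)/i;

// Elements whose content is itself code or style go, content included.
const RAW_TEXT_BLOCK = /<(script|style|iframe|object|embed)\b[^>]*>[\s\S]*?<\/\1\s*>/gi;
// Any remaining tag: group 1 = "/" for a closing tag, 2 = name, 3 = attributes.
const TAG = /<(\/?)([a-zA-Z][\w-]*)([^>]*)>/g;
const ATTR = /([^\s=]+)(?:\s*=\s*("[^"]*"|'[^']*'|[^\s"'>]+))?/g;

function cleanAttributes(tag, attrText) {
  const allowed = ALLOWED_ATTRS[tag];
  if (!allowed) return "";
  let out = "";
  for (const m of attrText.matchAll(ATTR)) {
    const name = m[1].toLowerCase();
    if (!allowed.has(name) || name.startsWith("on")) continue; // on* never survives
    const value = (m[2] || "").replace(/^["']|["']$/g, "");
    if (name === "href") {
      // Strip control and whitespace characters before testing the scheme:
      // "java\tscript:" is still javascript: to a browser.
      const probe = value.replace(/[\u0000-\u0020]/g, "");
      if (!SAFE_URL.test(probe)) continue;
    }
    out += ` ${name}="${escapeHtml(value)}"`;
  }
  return out;
}

function sanitizeHtml(html) {
  let s = String(html);
  let prev;
  // Repeat until nothing changes so "<scr<script>ipt>" cannot reassemble a tag.
  do { prev = s; s = s.replace(RAW_TEXT_BLOCK, ""); } while (s !== prev);
  return s.replace(TAG, (whole, slash, name, attrs) => {
    const tag = name.toLowerCase();
    if (!ALLOWED_TAGS.has(tag)) return "";
    return slash ? `</${tag}>` : `<${tag}${cleanAttributes(tag, attrs)}>`;
  });
}
```

Run against the article's own payload, sanitizeHtml() keeps the paragraph and drops the script element, which is what the Chrome console showed for setHTML(); the difference is that a real Sanitizer works on a parsed DOM tree rather than on the string, which is why it is not fooled by the malformed-markup tricks that defeat pattern-based cleaners.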

What to do?

  • If you’re a Chrome user. Check that you’re up to date by clicking Three dots > Help > About Google Chrome, or by browsing to the special URL chrome://settings/help.
  • If you’re a web programmer. Learn about the new Sanitizer and setHTML() functionality by reading advice from Google and the MDN Web Docs, and check current compatibility data before depending on it: the Sanitizer API has since been redesigned, so setHTML() support in shipping browsers has changed.

The Browser Hacker’s Handbook

Tags: Chrome patches


Aug 17 2022

Chrome browser gets 11 security fixes with 1 zero-day – update now!

Category: Web Security,Zero dayDISC @ 8:37 am

The latest update to Google’s Chrome browser is out, bumping the four-part version number to 104.0.5112.101 (Mac and Linux), or to 104.0.5112.102 (Windows).

According to Google, the new version includes 11 security fixes, one of which is annotated with the remark that “an exploit [for this vulnerability] exists in the wild”, making it a zero-day hole.

The name zero-day is a reminder that there were zero days on which even the most well-informed and proactive user or sysadmin could have been patched ahead of the Bad Guys.

Update details

Details about the updates are scant, given that Google, in common with many other vendors these days, restricts access to bug details “until a majority of users are updated with a fix”.

But Google’s release bulletin explicitly enumerates 10 of the 11 bugs, as follows:

  • CVE-2022-2852: Use after free in FedCM.
  • CVE-2022-2854: Use after free in SwiftShader.
  • CVE-2022-2855: Use after free in ANGLE.
  • CVE-2022-2857: Use after free in Blink.
  • CVE-2022-2858: Use after free in Sign-In Flow.
  • CVE-2022-2853: Heap buffer overflow in Downloads.
  • CVE-2022-2856: Insufficient validation of untrusted input in Intents. (Zero-day.)
  • CVE-2022-2859: Use after free in Chrome OS Shell.
  • CVE-2022-2860: Insufficient policy enforcement in Cookies.
  • CVE-2022-2861: Inappropriate implementation in Extensions API.

As you can see, seven of these bugs were caused by memory mismanagement.

A use-after-free vulnerability means that one part of Chrome handed back a memory block that it wasn’t planning to use any more, so that it could be reallocated for use elsewhere in the software… only to carry on using that memory anyway, thus potentially causing one part of Chrome to rely on data it thought it could trust, without realising that another part of the software might still be tampering with that data.

Often, bugs of this sort will cause the software to crash completely, by messing up calculations or memory access in an unrecoverable way.

Sometimes, however, use-after-free bugs can be triggered deliberately in order to misdirect the software so that it misbehaves (for example by skipping a security check, or trusting the wrong block of input data) and provokes unauthorised behaviour.

A heap buffer overflow means asking for a block of memory, but writing out more data than will fit safely into it.

This overflows the officially-allocated buffer and overwrites data in the next block of memory along, even though that memory might already be in use by some other part of the program.

Buffer overflows therefore typically produce similar side-effects to use-after-free bugs: mostly, the vulnerable program will crash; sometimes, however, the program can be tricked into running untrusted code without warning.

The zero-day hole

The zero-day bug CVE-2022-2856 is presented with no more detail than you see above: “Insufficient validation of untrusted input in Intents.”

A Chrome Intent is a mechanism for triggering apps directly from a web page, in which data on the web page is fed into an external app that’s launched to process that data.

Google hasn’t provided any details of which apps, or what sort of data, could be maliciously manipulated by this bug… but the danger seems rather obvious if the known exploit involves silently feeding a local app with the sort of risky data that would normally be blocked on security grounds.

What to do?

Chrome will probably update itself, but we always recommend checking anyway.

On Windows and Mac, use More > Help > About Google Chrome > Update Google Chrome.

There’s a separate release bulletin for Chrome for iOS, which goes to version 104.0.5112.99, but no bulletin yet [2022-08-17T12:00Z] that mentions Chrome for Android.

On iOS, check that your App Store apps are up-to-date. (Use the App Store app itself to do this.)

You can watch for any forthcoming update announcement about Android on Google’s Chrome Releases blog

The open-source Chromium variant of the proprietary Chrome browser is also currently at version 104.0.5112.101.

Microsoft Edge security notes, however, currently [2022-08-17T12:00Z] say:

August 16, 2022

Microsoft is aware of the recent exploit existing in the wild. We are actively working on releasing a security patch as reported by the Chromium team.

You can keep your eye out for an Edge update on Microsoft’s official Edge Security Updates page.

Web Security for Developers: Real Threats, Practical Defense

Tags: Chrome browser


Jul 22 2022

Candiru surveillance spyware DevilsTongue exploited Chrome Zero-Day to target journalists

Category: Web Security,Zero dayDISC @ 9:13 am

The spyware developed by Israeli surveillance firm Candiru exploited recently fixed CVE-2022-2294 Chrome zero-day in attacks on journalists.

Researchers from the antivirus firm Avast reported that the DevilsTongue spyware, developed by Israeli surveillance firm Candiru, was used in attacks against journalists in the Middle East and exploited the recently fixed CVE-2022-2294 Chrome zero-day.

The flaw, which Google fixed on July 4, 2022, is a heap buffer overflow in the Web Real-Time Communications (WebRTC) component; it was the fourth zero-day patched by Google in 2022.

Most of the attacks uncovered by Avast researchers took place in Lebanon and threat actors used multiple attack chains to target the journalists. Other infections were observed in Turkey, Yemen, and Palestine since March 2022.

In one case the threat actors conducted a watering hole attack by compromising a website used by employees of a news agency.

The researchers noticed that the website contained artifacts associated with the attempts of exploitation for an XSS flaw. The pages contained calls to the Javascript function “alert” along with keywords like “test”, a circumstance that suggests the attackers were testing the XSS vulnerability, before ultimately exploiting it to inject the loader for a malicious Javascript from an attacker-controlled domain (i.e. stylishblock[.]com).

Candiru spyware

This injected code was used to route the victims to the exploit server, through a chain of domains under the control of the attacker.

Once the victim lands on the exploit server, code developed by Candiru gathers more information about the target system, and only if the collected data satisfies the exploit server's checks is the exploit used to deliver the spyware.

“While the exploit was specifically designed for Chrome on Windows, the vulnerability’s potential was much wider. Since the root cause was located in WebRTC, the vulnerability affected not only other Chromium-based browsers (like Microsoft Edge) but also different browsers like Apple’s Safari.” reads the analysis published by Avast. “We do not know if Candiru developed exploits other than the one targeting Chrome on Windows, but it’s possible that they did.”

The zero-day was chained with a sandbox escape exploit, which the researchers were unable to recover because of the protections implemented by the malware.

After getting a foothold on the victim’s machine, the DevilsTongue spyware attempts to elevate its privileges by exploiting another zero-day. The malicious software targets a legitimate signed kernel driver in BYOVD (Bring Your Own Vulnerable Driver) fashion. In order to exploit the driver, it first has to be dropped to the filesystem (Candiru used the path C:\Windows\System32\drivers\HW.sys); the experts pointed out that this path can be used as an indicator of compromise.

“While there is no way for us to know for certain whether or not the WebRTC vulnerability was exploited by other groups as well, it is a possibility. Sometimes zero-days get independently discovered by multiple groups, sometimes someone sells the same vulnerability/exploit to multiple groups, etc. But we have no indication that there is another group exploiting this same zero-day.” concludes the report.

Tags: Candiru surveillance spyware, Chrome zero-day


Jul 21 2022

Apple patches “0-day” browser bug fixed 2 weeks ago in Chrome, Edge

Category: Web Security,Zero dayDISC @ 2:53 pm

Apple has disgorged its latest patches, fixing more than 50 CVE-numbered security vulnerabilities in its range of supported products.

The relevant security bulletins, update numbers, and where to find them online are as follows:

  • APPLE-SA-2022-07-20-1: iOS 15.6 and iPadOS 15.6, details at HT213346
  • APPLE-SA-2022-07-20-2: macOS Monterey 12.5, details at HT213345
  • APPLE-SA-2022-07-20-3: macOS Big Sur 11.6.8, details at HT213344
  • APPLE-SA-2022-07-20-4: Security Update 2022-005 Catalina, details at HT213343
  • APPLE-SA-2022-07-20-5: tvOS 15.6, details at HT213342
  • APPLE-SA-2022-07-20-6: watchOS 8.7, details at HT213340
  • APPLE-SA-2022-07-20-7: Safari 15.6, details at HT213341

As usual with Apple, the Safari browser patches are bundled into the updates for the latest macOS (Monterey), as well as into the updates for iOS and iPad OS.

But the updates for the older versions of macOS don’t include Safari, so the standalone Safari update (see HT213341 above) therefore applies to users of previous macOS versions (both Big Sur and Catalina are still officially supported), who will need to download and install two updates, not just one.

Zero Days - Season 1

DISC InfoSec

#InfoSecTools and #InfoSectraining

#InfoSecLatestTitles

#InfoSecServices

Ask DISC an InfoSec & compliance related question

Tags: 0-day, browser bug, zero-day


Jul 18 2022

Tor Browser 11.5 is optimized to automatically bypass censorship

Category: Dark Web,Web SecurityDISC @ 8:40 am

The Tor Project team has announced the release of Tor Browser 11.5, which introduces functionalities to automatically bypass censorship.

The Tor Project team has announced Tor Browser 11.5, a new version of the popular privacy-oriented browser that implements new features to fight censorship.

With previous versions of the browser, circumventing censorship of the Tor Network itself was a manual process that required users to dive into the Tor Network settings and choose a bridge to unblock Tor.

Experts pointed out that censorship of Tor isn’t uniform: a pluggable transport or bridge configuration that works in one country may not work elsewhere.

Tor Browser 11.5 implements a new feature called “Connection Assist”, which automatically applies the bridge configuration most likely to let users in a given location bypass censorship.

“In collaboration with the Anti-Censorship team at the Tor Project, we’ve sought to reduce this burden with the introduction of Connection Assist: a new feature that when required will offer to automatically apply the bridge configuration we think will work best in your location for you.” reads the announcement published by the Tor Project. “Connection Assist works by looking up and downloading an up-to-date list of country-specific options to try using your location (with your consent). It manages to do so without needing to connect to the Tor Network first by utilizing moat – the same domain-fronting tool that Tor Browser uses to request a bridge from torproject.org.”

Tor browser

Connection Assist downloads an up-to-date list of options suited to the user’s country. Because this uses the user’s location, the browser asks for consent first.

Maintainers at the Tor Project pointed out that this is only version 1.0 of the Connection Assist, for this reason, they invite users to submit their feedback to help them improve the user experience in future releases.

“Users from countries where the Tor Network may be blocked (such as Belarus, China, Russia and Turkmenistan) can test the most recent iteration of this feature by volunteering as an alpha tester, and reporting your findings on the Tor forum.” continues the announcement.

Another change in version 11.5 is that ‘HTTPS-Only Mode’ is now enabled by default on desktop, and the HTTPS Everywhere extension is no longer bundled with Tor Browser.

The above features are all for desktop; the announcement also gives an update for Android users, because Tor Browser for Android is well behind desktop in terms of feature parity.

Since the beginning of the year our priorities for Android have been three-fold:

  1. Start releasing regular updates for Android again
  2. Fix the crashes that many Android users have experienced
  3. Begin catching up with Fenix (Firefox for Android) releases

The latest version of the Tor Browser is available on the official download portal

Tor Browser Handbook: Quick Start Guide On How To Access The Deep Web, Hide Your IP Address and Ensure Internet Privacy (Includes a Tor Installation Guide for Linux & Windows + Over 50 Helpful Links)


Tags: Tor Browser


Jun 22 2022

Privacy-focused Brave Search grew by 5,000% in a year

Category: Web SecurityDISC @ 1:49 pm
Brave Search

https://www.bleepingcomputer.com/news/software/privacy-focused-brave-search-grew-by-5-000-percent-in-a-year/

Brave Search, the browser developer’s privacy-centric Internet search engine, is celebrating its first anniversary after surpassing 2.5 billion queries and seeing almost 5,000% growth in a year.

To celebrate this success, Brave Software announced that Brave Search is finally exiting its beta phase and will become the default search engine for all users of the Brave browser.

Additionally, a new search results curation feature called “Goggles” will be released in beta and made available to those who wish to test it.

Brave Search grows by almost 5,000%

Since launching in June 2021, Brave Search grew by almost 5,000%, starting with 8.1 million search queries in June 2021 and growing to 411.7 million by the end of May 2022.

Brave says it grew its current query volume four times quicker than DuckDuckGo, likely assisted by its large community of Brave Browser users.

Brave says that independence has remained at the epicenter of the company’s focus, with Brave Search users receiving 92% of their queries directly from Brave’s independent search index rather than through Bing and Google indexes. 

“Search engines that depend too much or exclusively on Big Tech are subject to censorship, biases, and editorial decisions,” explains Brave in the blog post.

“Brave Search is committed to openness in search. It does not manipulate its algorithm to bias, filter, or down-rank results (unless it’s compelled by law to do so).”

Besides focusing on privacy and independence, Brave also strived to offer new mechanisms that would enrich the experience of using Brave Search.

Discussions were introduced this April as a new feature on Brave Search to draw results from social media platforms like Reddit.

Why you should download Brave Browser NOW! by [Eddie Lance]

Tags: Brave browser, Brave search


Jun 21 2022

Internet scans find 1.6 million secrets leaked by websites

Category: Web SecurityDISC @ 1:47 pm

https://portswigger.net/daily-swig/internet-scans-find-1-6-million-secrets-leaked-by-websites

Security researchers have apparently discovered more than 1.6 million secrets leaked by websites, including more than 395,000 exposed by the one million most popular domains.

Modern web applications typically embed API keys, cryptographic secrets, and other credentials within JavaScript files in client-side source code.

Aided by a tool developed specifically for the task, researchers from RedHunt Labs sought information disclosure vulnerabilities via a “non-intrusive” probe of millions of website home pages and exceptions thrown by debug pages used in popular frameworks.


“The number of secrets exposed via the front end of hosts is alarmingly huge,” said Pinaki Mondal, security researcher at RedHunt Labs, in a blog post.

“Once a valid secret gets leaked, it paves the path for lateral movement amongst attackers, who may decide to abuse the business service account leading to financial losses or total compromise.”

Millions of secrets

The first of two mammoth scans focused on the one million most heavily trafficked websites. It yielded 395,713 secrets, three quarters of which (77%) were related to Google services reCAPTCHA, Google Cloud, or Google OAuth.

Google’s reCAPTCHA alone accounted for more than half (212,127) of these secrets, and the top five exposed secret types were rounded out by messaging app LINE and Amazon Web Services (AWS).

Phase two, which involved scanning around 500 million hosts, surfaced 1,280,920 secrets, most commonly pertaining to Stripe, followed by Google reCAPTCHA, Google Cloud API, AWS, and Facebook.


A majority of exposures across both phases – 77% – occurred in frontend JavaScript files.

Most JavaScript was served through content delivery networks (CDNs), with the Squarespace CDN leading the way with over 197,000 exposures.

Mondal blamed the “decades”-old problem of leaked secrets on the “complexities of the software development lifecycle”, adding: “As the code-base enlarges, developers often fail to redact the sensitive data before deploying it to production.”

‘Non-intrusive’ research

The RedHunt Labs research team told The Daily Swig that they are still “continuously reporting the secrets through automation to their source domains provided they have an email [address] mentioned on their home page”.

The researchers said they had encountered no legal problems related to the research so far.

“We received a few abuse reports against the boxes on which the scan was run and we have handled them,” they said.

The “extremely non-intrusive” process involved no “more than a few HTTP requests per domain” and no written actions – “only read requests to HTTP URLs and JavaScript files were sent”.

The captured secrets, meanwhile, are “stored on an encrypted volume with access to very limited folks” and “will be disposed of after a month”, added the researchers.

RedHunt Labs has open-sourced the tool developed for the research and created a demonstration video.

Called HTTPLoot, it can crawl and scrape URLs asynchronously, check for leaked secrets in JavaScript files, find and complete forms to trigger error/debug pages, extract secrets from debug pages, and automatically detect tech stacks.

RedHunt Labs has set out four best practices for preventing and mitigating leaked secrets: setting restrictions on access keys, centrally managing secrets in a restricted environment or config file, setting up alerts for leaked secrets, and continuously monitoring source code for information leakage issues.
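The last two recommendations, alerting on leaked secrets and continuously monitoring source code, amount to running a secret scanner over the JavaScript you are about to publish. The following Python is an added example written for this page; it is not HTTPLoot or any code from the RedHunt Labs research. The token shapes (AWS `AKIA…` access key IDs, Stripe `sk_`/`pk_` keys, Google `AIza…` API keys) follow the vendors' public documentation, the sample bundle is constructed, and the key values in it are documentation placeholders or made-up strings. It also shows the triage step a crawler alone does not: a Stripe publishable key or reCAPTCHA site key belongs in frontend code, a Google API key belongs there only with referrer restrictions, and an AWS or Stripe secret key never does.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    kind: str
    severity: str   # "secret": must never reach the browser; "restrict": public but needs
                    # referrer/IP restrictions; "public": designed to ship in frontend code
    line: int
    masked: str     # never log the full value; the report itself must not become a leak


# Token shapes follow the vendors' public documentation. The AWS secret access key has
# no distinctive prefix, so it is matched by the variable name assigned to it instead.
PATTERNS = {
    "aws_access_key_id":      (re.compile(r"\bAKIA[0-9A-Z]{16}\b"), "secret"),
    "aws_secret_access_key":  (re.compile(r"secretAccessKey\W{1,4}([A-Za-z0-9/+]{40})(?![A-Za-z0-9/+])"), "secret"),
    "stripe_secret_key":      (re.compile(r"\bsk_(?:live|test)_[0-9a-zA-Z]{24,}\b"), "secret"),
    "stripe_publishable_key": (re.compile(r"\bpk_(?:live|test)_[0-9a-zA-Z]{24,}\b"), "public"),
    "google_api_key":         (re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"), "restrict"),
}


def mask(value: str) -> str:
    """Keep just enough of the token to locate it in the codebase."""
    return f"{value[:4]}...{value[-4:]}" if len(value) > 12 else "***"


def scan_js(source: str) -> list[Finding]:
    """Scan one JavaScript file's text; findings come back ordered by line."""
    findings: list[Finding] = []
    for lineno, text in enumerate(source.splitlines(), start=1):
        for kind, (pattern, severity) in PATTERNS.items():
            for m in pattern.finditer(text):
                token = m.group(m.lastindex or 0)   # capture group when the pattern has one
                findings.append(Finding(kind, severity, lineno, mask(token)))
    return findings


def blocking_findings(findings: list[Finding]) -> list[Finding]:
    """The subset that should fail a build or page a responder."""
    return [f for f in findings if f.severity == "secret"]


def ci_gate(source: str) -> bool:
    """True when the bundle is safe to publish (no hard secrets found)."""
    return not blocking_findings(scan_js(source))


# Constructed sample bundle for the demonstration; the AWS values are Amazon's own
# documentation placeholders and the rest are made-up strings, not data from the research.
SAMPLE_JS = """\
// app.bundle.js (constructed)
const stripe = Stripe("pk_live_ab12CD34ef56GH78ij90KL12");
const mapsKey = "AIzaSyA0123456789abcdefghijklmnopqrstuv";
const s3 = new AWS.S3({accessKeyId: "AKIAIOSFODNN7EXAMPLE", secretAccessKey: "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"});
fetch("/api/charge", {headers: {Authorization: "Bearer sk_live_ab12CD34ef56GH78ij90KL12"}});
"""

if __name__ == "__main__":
    for f in scan_js(SAMPLE_JS):
        print(f"line {f.line:>3}  {f.severity:<8} {f.kind:<24} {f.masked}")
    print("safe to publish:", ci_gate(SAMPLE_JS))
```

Run as a pre-publish step over every built bundle, `ci_gate` fails the build on the three hard secrets in the sample while leaving the publishable key alone; the `restrict` finding on the Google key is the cue to apply the access-key restrictions the first recommendation calls for rather than to block.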



May 24 2022

Microsoft warns of new highly evasive web skimming campaigns

Category: Dark Web,Web SecurityDISC @ 8:03 am

Threat actors behind web skimming campaigns are using malicious JavaScript to mimic Google Analytics and Meta Pixel scripts to avoid detection.

Microsoft security researchers recently observed web skimming campaigns that used multiple obfuscation techniques to avoid detection.

The threat actors obfuscated the skimming script by encoding it in PHP, which was in turn embedded in an image file; with this trick, the code is executed when the website’s index page is loaded.

The experts also observed compromised web applications injected with malicious JavaScript masquerading as Google Analytics and Meta Pixel (formerly Facebook Pixel) scripts. Some skimming scripts also included anti-debugging mechanisms.

The term web skimming refers to the criminal practice of harvesting the payment information of a website’s visitors during checkout. Crooks typically exploit vulnerabilities in e-commerce platforms and CMSs to inject the skimming script into the e-store’s pages. In some cases, attackers exploit vulnerabilities in installed third-party plugins and themes to inject malicious scripts.

Figure: web skimming attack overview

“During our research, we came across two instances of malicious image files being uploaded to a Magento-hosted server. Both images contained a PHP script with a Base64-encoded JavaScript, and while they had identical JavaScript code, they slightly differed in their PHP implementation.” reads the analysis published by Microsoft. “The first image, disguised as a favicon (also known as a shortcut or URL icon), was available on VirusTotal, while the other one was a typical web image file discovered by our team.”

Microsoft also observed attackers masquerading as Google Analytics and Meta Pixel (formerly Facebook Pixel) scripts to avoid raising suspicion.

The attackers place a Base64-encoded string inside a spoofed Google Tag Manager code. This string decoded to /data.php?p=form.

Figure: Encoded skimming script in a spoofed Google Analytics code (Source Microsoft)

Experts noticed that the attackers behind the Meta Pixel spoofing used newly registered domains (NRDs) served over HTTPS.
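Two of the indicators above can be checked for on the defender's side: an "image" upload that contains a PHP open tag, and an analytics-looking inline script that carries a Base64 string decoding to something no tag manager snippet would contain. The following Python is an added example written for this page, not Microsoft's detection logic or anything from the campaigns; the sample HTML, the fake image bytes and the loader snippet are constructed for the demonstration, and the Base64 token is the page's own decoded path (/data.php?p=form) re-encoded so the decode step can be verified.

```python
import base64
import re

# --- Check 1: image uploads that carry a PHP open tag ------------------------

# Magic bytes of the formats a web shop normally accepts as images.
IMAGE_MAGIC = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpeg",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x00\x00\x01\x00": "ico",
}
PHP_OPEN_TAG = re.compile(rb"<\?(?:php\b|=)")


def classify_upload(data: bytes) -> str:
    """Label a file as not-an-image, clean-<fmt>, or suspicious-<fmt>: genuine
    image data has no reason to contain a PHP open tag, so its presence after a
    valid image header is the shape of the image-disguised skimmer described above."""
    fmt = next((name for magic, name in IMAGE_MAGIC.items() if data.startswith(magic)), None)
    if fmt is None:
        return "not-an-image"
    return f"suspicious-{fmt}" if PHP_OPEN_TAG.search(data) else f"clean-{fmt}"


# --- Check 2: analytics-looking scripts hiding a Base64 payload ---------------

# Strings that make an inline script look like Google Analytics / Tag Manager
# or Meta Pixel; only scripts carrying one of these are examined.
ANALYTICS_HINTS = ("googletagmanager.com", "google-analytics.com", "gtag(",
                   "connect.facebook.net", "fbq(")
SCRIPT_BODY = re.compile(r"<script\b[^>]*>(.*?)</script>", re.IGNORECASE | re.DOTALL)
B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")
# Decoded content a genuine tag snippet has no business containing.
SUSPICIOUS_DECODED = re.compile(r"\.php\?|form|eval\(|fromCharCode|document\.", re.IGNORECASE)


def decoded_strings(script: str) -> list[str]:
    """Every Base64-looking token in the script that decodes to printable ASCII.
    Identifiers such as getElementsByTagName also match the token shape, but they
    decode to non-ASCII bytes and are dropped by the decode step."""
    out = []
    for m in B64_TOKEN.finditer(script):
        token = m.group(0)
        if len(token) % 4:
            continue
        try:
            text = base64.b64decode(token, validate=True).decode("ascii")
        except ValueError:          # covers binascii.Error and UnicodeDecodeError
            continue
        if text.isprintable():
            out.append(text)
    return out


def find_spoofed_analytics(html: str) -> list[tuple[int, str]]:
    """(script index, decoded payload) for each analytics-like inline script
    whose embedded Base64 decodes to something suspicious."""
    hits = []
    for idx, body in enumerate(SCRIPT_BODY.findall(html)):
        if not any(hint in body for hint in ANALYTICS_HINTS):
            continue
        for text in decoded_strings(body):
            if SUSPICIOUS_DECODED.search(text):
                hits.append((idx, text))
    return hits


# Constructed samples: a legitimate-looking tag manager loader, the same loader with
# a Base64 string appended, and two fake image files.
GTM_LOADER = ("(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':new Date().getTime(),"
              "event:'gtm.js'});var f=d.getElementsByTagName(s)[0],j=d.createElement(s);"
              "j.async=true;j.src='https://www.googletagmanager.com/gtm.js?id='+i;"
              "f.parentNode.insertBefore(j,f);})(window,document,'script','dataLayer','GTM-XXXX');")
ENCODED_PATH = base64.b64encode(b"/data.php?p=form").decode()   # the page's decoded example path
SAMPLE_HTML = (
    "<script>" + GTM_LOADER + "</script>\n"
    "<script>" + GTM_LOADER + "var p=atob('" + ENCODED_PATH + "');</script>\n"
    '<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>\n'
)
CLEAN_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 32
TROJAN_ICO = b"\x00\x00\x01\x00" + b"\x00" * 32 + b"<?php /* constructed stand-in for an embedded script */ ?>"

if __name__ == "__main__":
    print(find_spoofed_analytics(SAMPLE_HTML))
    print(classify_upload(CLEAN_PNG), classify_upload(TROJAN_ICO))
```

The first check belongs in the upload handler (or a scan of the media directory on a Magento-style host), where rejecting or quarantining a file that is both a valid image and a PHP script costs nothing; the second belongs in a periodic crawl of your own checkout pages, comparing each analytics snippet against the one you actually deployed. Neither replaces the patching Microsoft recommends, but both give an alert the day a page is modified rather than when customers report fraud.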

“Given the increasingly evasive tactics employed in skimming campaigns, organizations should ensure that their e-commerce platforms, CMSs, and installed plugins are up to date with the latest security patches and that they only download and use third-party plugins and services from trusted sources,” Microsoft concludes.



Tags: Web Scraping, web skimming

