Hidden Exploitable Behaviors in Programming Languages
In February 28th 2015 Egor Homakov wrote an article[1] exposing the dangers in the open() function from Ruby. The function is commonly used when requesting URLs programmatically with the open-uri library. However, instead of requesting URLs you may end up executing operating system commands. Consider the following Ruby script named open-uri.rb: require ‘open-uri’ print open(ARGV[0]).read The following command requests a web page: # ruby open-uri.rb “https://ioactive.com” And the following output is shown: <!DOCTYPE HTML> <!–[if lt IE 9]><html class=”ie”><![endif]–> <!–[if !IE]><!–><html><!–<![endif]–><head> <meta charset=”UTF-8″> <title>IOActive is…
Embedding Defense in Server-side Applications
Applications always contain security flaws, which is why we rely on multiple layers of defense. Applications are still struggling with their defenses, even though we go through exhaustive measures of testing and defense layers. Perhaps we should rethink our approach to application defense, with the goal of introducing defensive methods that cause attackers to cease, or induce them to take incorrect actions based on false premises. There are a variety of products that provide valuable resources when basic, off-the-shelf protection is required or the application source code is…
Let’s Terminate XML Schema Vulnerabilities
XML eXternal Entity (XXE) attacks are a common threat to applications using XML schemas, either actively or unknowingly. That is because we continue to use XML schemas that can be abused in multiple ways. Programming languages and libraries use XML schemas to define the expected contents of XML documents, SAML authentications or SOAP messages. XML schemas were intended to constrain document definitions, yet they have introduced multiple attack avenues. XML parsers should be prepared to manage two types of problematic XML documents: malformed files and invalid files. Malformed files do…
Drupal – Insecure Update Process
Just a few days after installing Drupal v7.39, I noticed there was a security update available: Drupal v7.41. This new version fixes an open redirect in the Drupal core. In spite of my Drupal update process checking for updates, according to my local instance, everything was up to date: Issue #1: Whenever the Drupal update process fails, Drupal states that everything is up to date instead of giving a warning. The issue was due to some sort of network problem….
Money may grow on trees
Sometimes when buying something that costs $0.99 USD (99 cents) or $1.01 USD (one dollar and one cent), you may pay an even dollar. Either you or the cashier may not care about the remaining penny, and so one of you takes a small loss or profit. Rounding at the cash register is a common practice, just as it is in programming languages when dealing with very small or very large numbers. I will describe here how an attacker can make a profit when dealing with the rounding mechanisms…
Die Laughing from a Billion Laughs
Recursion is the process of repeating items in a self-similar way, and that’s what the XML Entity Expansion (XEE)[1] is about: a small string is referenced a huge number of times. Technology standards sometimes include features that affect the security of applications. Amit Klein found in 2002 that XML entities could be used to make parsers consume an unlimited amount of resources and then crash, which is called a billion laughs attack. When the XML parser tries to resolve, the external entities that are included cause the application to start…