Archive for October, 2010

Capture the Captcha – The Game

October 26th, 2010

A Captcha is a type of challenge-response test used in computing to ensure that the response is not generated by a computer. It is a contrived acronym for “Completely Automated Public Turing test to tell Computers and Humans Apart.”

The process usually involves one computer asking a user to complete a simple test (Captcha) which the computer is able to generate and grade. Because other computers are unable to solve the Captcha, any user entering a correct solution is presumed to be human.

There are a lot of Captcha implementations out there, written in JSP, PHP, ASP and .NET, that are very poorly implemented and introduce serious bugs in the Web applications they are supposed to protect.

We developed 10 different Captcha implementations, each with its own weakness, for participants to break using automation and hacking techniques with the objective of bypassing the human verification process.


Teams (or a single participant) are scored on their success in breaking the security behind every Captcha presented in the game.

This CTC contest is designed to serve as an educational exercise to give participants experience in securing Web Applications from automated attacks, as well as conducting and reacting to the sort of Captchas found in the wild.

nahuel bonsai, conferences, security

Bonsai @ BugCON 2010

October 18th, 2010


BugCON is a security conference that will be held on October 27, 28 and 29 of this year, at the premises of the Instituto Politecnico Nacional, DF, Mexico. Bonsai is participating as a Gold sponsor in this conference.

We’re pleased to announce that we will be delivering our Capture the Captcha game, a workshop and a keynote presentation called “Vulnerados por Infantes 2.0 (Owned by 2.0 Kids)”.

You can find registration information for the conference here and the conference schedule here.

nahuel bonsai, conferences, security

OWASP Day @ Universidad de la Marina Mercante

October 5th, 2010

Since May, the Universidad de la Marina Mercante (UdeMM) has been a member of OWASP, helping to promote the methodologies, tools and software projects that OWASP develops and maintains with great effort.

As a result of this relationship, UdeMM offered its space and resources to host a new OWASP Day, to be held on October 14 at 18:30.

Bonsai will be present at this event through Nahuel Grisolía, who will be speaking in one of the talks being offered.

For more information and registration, go here.

nahuel bonsai, conferences, security

Google Open Redirection Vulnerability

October 5th, 2010

A month ago, we found an Open Redirection vulnerability in Google. The vendor has already fixed it, and we were thinking about how we could add value to its disclosure. After some thinking, we decided that showing how we found the vulnerability was more interesting than the vulnerability itself, so… here we go:

After identifying Twitter’s Open Redirection Vulnerability, we thought it would be cool to find one at Google. Given that “” is huge, we used Google’s search engine and some dorks to narrow down our tests. Interestingly enough, that worked perfectly and we were able to identify vulnerabilities in the first 10 minutes of testing! The following screenshot illustrates this step:

Google Dork used to find the vulnerability
In this link we found that by browsing:

The affected user was redirected to without any warning, allowing possible phishing attacks. The following screenshots show the complete HTTP traffic:

Burp HTTP Traffic Capture I

And the answer from the server with a new location:

Burp HTTP Traffic Capture II

Doing some other deeper tests and by using Dirbuster, we discovered that other instances/directories were also affected:

New vectors to exploit this kind of vulnerability are being discussed in Web security forums. Depending on the browser, it might be possible to execute JavaScript code in the remote browser, which changes the real risk associated with this type of vulnerability.
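On the defensive side, the redirect described in this post is prevented by validating the target before it reaches the `Location` header. The following is an added example, not code from the original post or from the vendor; the allow-listed hosts and the function name `safe_redirect_target` are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Hypothetical allow-list for this example; a real application supplies its own.
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}
FALLBACK = "/"


def safe_redirect_target(target: str) -> str:
    """Return target if it may be placed in a Location header, else FALLBACK."""
    if not target or target != target.strip():
        return FALLBACK
    # Browsers drop tabs/newlines and treat "\" like "/", so reject these
    # characters outright instead of guessing how each browser normalises them.
    if any(ch in target for ch in "\\\r\n\t"):
        return FALLBACK
    try:
        parts = urlsplit(target)
    except ValueError:  # malformed authority, e.g. an unclosed IPv6 bracket
        return FALLBACK
    # Same-site relative path: no scheme, no host, exactly one leading slash
    # ("//host/path" is scheme-relative and leaves the site).
    if not parts.scheme and not parts.netloc:
        if target.startswith("/") and not target.startswith("//"):
            return target
        return FALLBACK
    # Absolute URL: http(s) to an allow-listed host only. This also rejects
    # javascript: and data: targets, the script-execution case noted above,
    # and userinfo forms such as "https://www.example.com@other.test/",
    # whose parsed hostname is other.test.
    if parts.scheme in ("http", "https") and parts.hostname in ALLOWED_HOSTS:
        return target
    return FALLBACK


if __name__ == "__main__":
    # Constructed sample inputs, not values from the original report.
    for sample in ["/settings?tab=1", "https://www.example.com/home",
                   "//other.test/", "https://www.example.com@other.test/",
                   "javascript:alert(1)", "/\\other.test"]:
        print(f"{sample!r:45} -> {safe_redirect_target(sample)!r}")
```

Comparing the parsed hostname against an exact allow-list, rather than checking that the string starts with or contains a trusted domain, is what makes the look-alike and userinfo forms fail.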

nahuel bonsai, security

Ekoparty 2010 “Hackers go corporate”: Breakfast with CIOs, CEOs and CTOs

October 4th, 2010
A new event was organized as part of the sixth edition of the Ekoparty Security Conference: “Hackers Go Corporate”, and as usual our team was there to establish new relationships and strengthen the ones we already have with our current customers.

At the event, CIOs, CEOs and CTOs from the most important Argentinean companies shared a cup of coffee with some of the best information security experts from around the world. The event’s objective was to close the gap between managers and the matters that hackers talk about at the Ekoparty Security Conference.

Andrés Riancho, Bonsai’s CEO, delivered a speech called “Less buffer overflows, more SQL injections” in which he urged the audience to change the way their Web applications are developed. “Nowadays, hackers choose to attack Web applications over daemons like Apache or IIS; and the reason is very simple: Web applications of today are still developed with the same security features as the 90’s,” Andrés said.

To make Web applications more secure, companies need to change their obsolete development methodologies and integrate security in the software development life cycle. But how do we start? What’s the first step? According to Andrés, the road to secure code starts with performing code reviews and Web application penetration tests, training developers and QA employees in OWASP Top10 and inviting security experts to the design meetings.

andres.riancho bonsai, security