We’re excited to announce that Bonsai Information Security has partnered with Rapid7! This partnership will allow our company to expand it’s market in north america by leveraging Rapid7’s impressive growth in the last years.

This partnership was possible because of our constant search for excellence, our customer need driven approach to consulting and our service quality. More deals like this, and Bonsai will be soon named Oak!

andres.riancho bonsai, security bonsai, bonsai information security, grow, partners, rapid7, US, USA

El training de Web Application Security de Bonsai se focaliza en el descubrimiento y explotación, manual y automático, de vulnerabilidades en aplicaciones Web. Durante este curso de dos dias, se presentarán una serie de temas teóricos seguidos de prácticas hands-on realizadas por los asistentes. En cada práctica encontrarás vulnerabilidades para explotar, cada una con un diferente nivel de complejidad, las que desafiarán tu comprensión del tema.

Fechas, Ubicación, Cupos y Beneficios

• Consta de dos días completos de 9 a 18 horas. Los días asignados para el próximo training son el Martes  27 y Miércoles 28 de Julio de 2010.
• Se realizará en las aulas multimediales de IT Training Center, Sarmiento 1113, Ciudad Autónoma de Buenos Aires, Capital Federal.
• Al mediodia, los asistentes poseen el beneficio de almorzar en Il’Gato sin cargo.
• Consultar aquellos que deseen un Estacionamiento con precio preferencial.
• Capacidad: 16 asistentes

Más Información

andres.riancho bonsai

During one of our latest engagements we found a weak CAPTCHA implementation being used in the target Web application. The assessment was being performed on-site, and after identifying this vulnerability we started to talk with the CSO about how easy it would be to break it.

The general consensus of course was “very easy”. The problem was that we were unable to find any good CAPTCHA breaking software that average joe could download and run on his computer; so I spent some minutes creating a simple Python script that returns the CAPTCHA solution for this particular implementation.

Before we dig into the script, lets analyze why this CAPTCHA is weak (might not be obvious for some readers):

1. The letters are not rotated
2. All letters have the same height
3. All letters have the exact same color
4. The letters are not deformed in any way
5. The background noise color is the same for the whole image

Now, lets see the code that breaks this CAPTCHA:

from PIL import Image

img = Image.open('input.gif')
img = img.convert("RGBA")

pixdata = img.load()

# Clean the background noise, if color != black, then set to white.
for y in xrange(img.size[1]):
    for x in xrange(img.size[0]):
        if pixdata[x, y] != (0, 0, 0, 255):
            pixdata[x, y] = (255, 255, 255, 255)

img.save("input-black.gif", "GIF")

#   Make the image bigger (needed for OCR)
im_orig = Image.open('input-black.gif')
big = im_orig.resize((116, 56), Image.NEAREST)

ext = ".tif"
big.save("input-NEAREST" + ext)

#   Perform OCR using pytesser library
from pytesser import *
image = Image.open('input-NEAREST.tif')
print image_to_string(image)

This simple script works with ~ 90% of the CAPTCHA images created using this specific implementation. Enjoy!

andres.riancho bonsai, security breaking, captcha, hacking, python, Web Application Security

Bonsai and NopSec have partnered to deliver the second w3af ninja training course in New York City.

The w3af ninja training course is focused on manual and automated discovery and exploitation of web application vulnerabilities using w3af. During this course you’ll also learn how to write your own exploits and customized plugins in order to achieve your goals during a web application penetration test.

This course is an intense hands-on class in which you won’t stop learning for a minute. In each practice we’ll focus on a particular type of web application vulnerability which will be analyzed and understood manually and then it’s detection and exploitation is automated using w3af.

All around the training interesting plugin code snippets will be subject to analysis and modification, which will give you great understanding of the framework and will also give you the means to automate your future web application penetration tests.

Important information

• Date: December 17th / 18th 2009
• Training partners: NopSec, Inc. SOC – 155 Water St., Brooklyn, NY 11201 USA
• More information, and registration is available here.

This is a great opportunity to master the w3af framework, don’t miss it!

andres.riancho bonsai, security, w3af bonsai, nopsec, NYC, training, w3af

Most of us are tired from the usual Cross Site Scripting vulnerabilities that get reported every day in full-disclosure, so when one of our researchers found a XSS in an Open Source project, we hesitated to publish it. After some thinking, we started to realize that maybe it would be interesting to the general public to see a customized XSS payload that would exploit the Web application, which suddenly made our newly discovered XSS vulnerability much more fun.

The vulnerability that we’re going to be exploiting is a persistent cross site scripting in Achievo . For those that do not know, Achievo is a flexible web-based resource management tool for business environments. Achievo’s resource management capabilities will enable organizations to support their business processes in a simple, but effective manner. This vulnerability was found a while ago by our research team, and has been fixed in version 1.4.0.

The vulnerability is a really basic persistent XSS, where we can write virtually anything in the title of a scheduled meeting. As the meetings from a user can be seen by other users, and most interestingly administrators, the XSS can be exploited to elevate privileges in the application.

With the objective of writing the XSS payload, I developed a JavaScript export feature, that allows w3af users to export any HTTP request to JavaScript, that will reproduce the same request when a user loads the script in a browser.

Using the newly created feature, we were able to easily create a JavaScript payload, that when accessed by an Achievo administrator will perform the following tasks:

• Create a new application profile
• Apply administrator privileges to the profile
• Assign the newly created profile to a common user

You can find the customized XSS payload by clicking here. In order to exploit this vulnerability, a user would need to change the first four variables in the script, upload the script to a publicly accessible web server, and then point the Cross Site Scripting to that resource. After some time, and if an Achievo administrator browses through the schedule, the configured user will elevate their privileges to administrator.

In this case it was impossible (because of the application not having that particular feature) to actually upload new files to the web server, but in many other Web applications, it would have been completely possible to create a XSS payload that would use the administrator privileges to upload a specially crafted file to the web server, which would then provide operating system access to the intruder.

With the creation of tools like w3af’s JavaScript export feature, and the huge amount of XSS vulnerabilities found every day, we think that the time for customized XSS payloads written in minutes instead of hours, has arrived!

andres.riancho security, w3af javascript, security, w3af, xss, xss payloads