We’re excited to announce that Bonsai Information Security has partnered with Rapid7! This partnership will allow our company to expand it’s market in north america by leveraging Rapid7’s impressive growth in the last years.

This partnership was possible because of our constant search for excellence, our customer need driven approach to consulting and our service quality. More deals like this, and Bonsai will be soon named Oak!

andres.riancho bonsai, security bonsai, bonsai information security, grow, partners, rapid7, US, USA

Recently, we’ve found an Open Redirection vulnerability in Twitter. To understand a little more about this, we can cite OWASP’s definition:

“An open redirect is an application that takes a parameter and redirects a user to the parameter value without any validation. This vulnerability is used in phishing attacks to get users to visit malicious sites without realizing it.”

The following Proof of Concept was sent to the Twitter security team:

https://twitter.com/login?redirect_after_login=http://www.bonsai-sec.com

After a successful login, the affected user is redirected to http://www.bonsai-sec.com without any warning allowing possible phishing attacks.

This vulnerability was patched by Twitter security team last week (after we reported it and got almost no answer from them).

Detailed information can be found at: http://www.bonsai-sec.com/en/research/vulnerabilities/twitter-open-redirect-0108.php

nahuel bonsai, security open redirect, open redirection, OWASP, twitter, url redirection, vulnerability

El día 30 de Junio de 2010 se llevó a cabo el OWASP Day en la sede de Paseo Colón de la Facultad de Ingeniería de la Universidad de Buenos Aires. Se realizaron charlas relacionadas con la Seguridad en Aplicaciones Web y otros aspectos relacionados a la Seguridad de la Información.

Bonsai Information Security participó siendo Sponsor y presentando a Nahuel Grisolía, Project Leader de Bonsai, como ponente en una de las charlas.

Más información sobre el OWASP Day aquí.

A continuación, las Slides que se utilizaron en el evento:

nahuel bonsai, conferences, security conferences, conferencias, eventos, events, OWASP, security

El training de Web Application Security de Bonsai se focaliza en el descubrimiento y explotación, manual y automático, de vulnerabilidades en aplicaciones Web. Durante este curso de dos dias, se presentarán una serie de temas teóricos seguidos de prácticas hands-on realizadas por los asistentes. En cada práctica encontrarás vulnerabilidades para explotar, cada una con un diferente nivel de complejidad, las que desafiarán tu comprensión del tema.

Fechas, Ubicación, Cupos y Beneficios

• Consta de dos días completos de 9 a 18 horas. Los días asignados para el próximo training son el Martes  27 y Miércoles 28 de Julio de 2010.
• Se realizará en las aulas multimediales de IT Training Center, Sarmiento 1113, Ciudad Autónoma de Buenos Aires, Capital Federal.
• Al mediodia, los asistentes poseen el beneficio de almorzar en Il’Gato sin cargo.
• Consultar aquellos que deseen un Estacionamiento con precio preferencial.
• Capacidad: 16 asistentes

Más Información

andres.riancho bonsai

During one of our latest engagements we found a weak CAPTCHA implementation being used in the target Web application. The assessment was being performed on-site, and after identifying this vulnerability we started to talk with the CSO about how easy it would be to break it.

The general consensus of course was “very easy”. The problem was that we were unable to find any good CAPTCHA breaking software that average joe could download and run on his computer; so I spent some minutes creating a simple Python script that returns the CAPTCHA solution for this particular implementation.

Before we dig into the script, lets analyze why this CAPTCHA is weak (might not be obvious for some readers):

1. The letters are not rotated
2. All letters have the same height
3. All letters have the exact same color
4. The letters are not deformed in any way
5. The background noise color is the same for the whole image

Now, lets see the code that breaks this CAPTCHA:

from PIL import Image

img = Image.open('input.gif')
img = img.convert("RGBA")

pixdata = img.load()

# Clean the background noise, if color != black, then set to white.
for y in xrange(img.size[1]):
    for x in xrange(img.size[0]):
        if pixdata[x, y] != (0, 0, 0, 255):
            pixdata[x, y] = (255, 255, 255, 255)

img.save("input-black.gif", "GIF")

#   Make the image bigger (needed for OCR)
im_orig = Image.open('input-black.gif')
big = im_orig.resize((116, 56), Image.NEAREST)

ext = ".tif"
big.save("input-NEAREST" + ext)

#   Perform OCR using pytesser library
from pytesser import *
image = Image.open('input-NEAREST.tif')
print image_to_string(image)

This simple script works with ~ 90% of the CAPTCHA images created using this specific implementation. Enjoy!

andres.riancho bonsai, security breaking, captcha, hacking, python, Web Application Security