Domain: spidynamics.com
Stories and comments across the archive that link to spidynamics.com.
Comments · 15
-
WHOA... nice timing
YOU sir, have amazing timing! I just wrote a 2-part article on this topic! Interesting... mine was published http://portal.spidynamics.com/blogs/rafal/archive/2008/05/06/Static-Code-Analysis-Failures.aspx The Solution: http://portal.spidynamics.com/blogs/rafal/archive/2008/05/15/Hybrid-Analysis-_2D00_-The-Answer-to-Static-Code-Analysis-Shortcomings.aspx Comments welcome!! Interesting that this topic is getting so much attention all of the sudden
-
Sad But True
A good start of this attack would be start with a simple JS port scanner and run the default password check on all webservers
,routers etc connected in the LAN,WAN and then control the Network
A simple JavaScript port scanner is here :
http://www.spidynamics.com/assets/documents/JSport scan.pdf
and default password list of most of the connected devices is here :
http://www.phenoelit.de/dpl/dpl.html
Njoy -
Speaking of Shitty Programmers
-
Re:No substance
With respect to the RSS issue, I assume that the author of the article was trying to explain in a very poorly-worded way discoveries like these:
http://www.spidynamics.com/assets/documents/Hackin gFeeds.pdf (warning: pdf)
http://www.gnucitizen.org/blog/cross-context-scrip ting-with-sage/
etc, etc.
However, I agree that most of the points were simply various different ways unchecked user input can be exploited, and the banking example was absolutely horrible.
My overall impression was that the author either had no idea what he/she was talking about or was aiming for a much less computer-literate audience than slashdot. -
The Invisible Hand of 'Responsible Disclosure'
I read the article last week with great interest, having previous worked for iDefense.
I've posted my thoughts on the top ten failures of 'responsible disclosure' to my blog.
Michael Sutton
Security Evangelist
SPI Dynamics -
The Invisible Hand of 'Responsible Disclosure'
I'd read this article when it first came out and responded with a blog posting, discussing the top 10 failures of responsible disclosure.
-
Don't Get Comfortable Yet
After three months of being pounded with some of the largest Microsoft patch cycles, it looks as though they're providing us with a breather. Don't get too comfortable though, researchers seem to have plenty of Microsoft content in their queue. Look no further than the 7 pending advisories in the ZDI queue - http://www.zerodayinitiative.com/upcoming_advisor
i es.html for proof of that. I've made the following blog post discussing my thoughts on this months Microsoft patches - http://portal.spidynamics.com/blogs/msutton/. -
Re:Javascript means no dice
"Secondly, I can't take your rant seriously. At all. " That's because you don't understand cross-site scripting vulnerabilities. At all. Even if you made a perfect browser without vulnerabilities that implemented JavaScript to the exact EcmaScript specifications, you would still be vulnerable because the XSS vulnerabilities exist in the web applications, not the browser. The design of JavaScript enables this, because the separation between code and data is flimsy (you can insert JavaScript almost everywhere in HTML, with "on
..." events -- you don't even need a script tag); you couldn't do it unintentionally with a web browser that only understood Java, and a Java web application. JavaScript makes it very easy, just like C makes it easy to mishandle pointers and fixed length buffers. If C gets criticized for that, it's fair to criticize JavaScript for making XSS vulnerabilities easy. Microsoft's version of JavaScript is worse due to the insecure functionality (see http://www.quirksmode.org/js/intro.html) added *by design*. People keep getting surprised by the nasty stuff that standards-conforming, but malicious JavaScript can do, from simple stuff like undying windows (JavaScript spawns a new window every time it detects the closing event) from taking over your desktop, including exploiting intranet applications (recent example: http://www.phoneboy.com/node/6 ; original article at http://www.spidynamics.com/spilabs/education/artic les/JS-portscan.html). It's not surprising to me -- hostile code is much more powerful than hostile data (see below).
You also don't understand how much more difficult it is to process hostile code than hostile data. You point out vulnerabilities in handling data as proof that there are other dangers. Given these, and how much more difficult it is to safely handle code than data, you should agree that it is reasonable to highly distrust a browser's handling of JavaScript.
The more ignorant people are, the quicker they are to mock people pointing out security issues. -
Podcast files could contain virusses
World to end unless you buy stuff from the authors
Just predicting next week's USA Today exclusive. -
Why limit this technique to intranet attacks?I ran the SPI Dynamics proof of concept page and it identified various hosts on our intranet. Of course, the interesting stuff (router, firewall, Snapserver) is protected with non-default passwords, but for convenience's sake, I often stay logged in or Firefox defaults my passwords in, so yikes!.
Questions:
- Doesn't this really hinge on what you can do with an image url, and if so, why couldn't you use it to screw up my Gmail account (if I'm already logged in), or my credit card account -- anything where there is an easily discoverable fingerprint and protocol for interesting hacking? Why limit yourself to intranet shenanigans?
- Once you knew what you were attacking (my Netopia router, my Diner's Club online site), what are the limits of what the technology could do?
-
JavaScript scanner Proof of concept URL
SPI Dynamics (featured heavily in the article) released a proof of concept for scanner internal networks using JavaScript last week. Proof of concept: http://www.spidynamics.com/spilabs/js-port-scan/ Whitepaper: http://www.spidynamics.com/assets/documents/JSpor
t scan.pdf While there are a few false positives on my home network, it finds all the Apache and IIS boxes at work! -
JavaScript scanner Proof of concept URL
SPI Dynamics (featured heavily in the article) released a proof of concept for scanner internal networks using JavaScript last week. Proof of concept: http://www.spidynamics.com/spilabs/js-port-scan/ Whitepaper: http://www.spidynamics.com/assets/documents/JSpor
t scan.pdf While there are a few false positives on my home network, it finds all the Apache and IIS boxes at work! -
IE only? Utter rubbish.I think you moved too quickly through it, there's nothing to indicate it's IE only (unless you're karma whoring *grin)
In fact the article explains some of the methods and they will happily work on Mozilla as well;
The JavaScript scanner determines whether there is a computer at an IP address by sending a "ping" using JavaScript "image" objects.
I'm pretty sure I can use javascript in mozilla to create image objects. Why I can do it in Opera too. And if you actually went to the proof of concept page and tried it you would have confirmation it is NOT an IE only problem.
-
Great, no bugs, ... SQL Injection? Crap
It's great that bugs are fixed, but how about investing more in user education, so that people at least realize that they could have every patch imaginable installed but still be owned by SQL injection, a problem with whoever wrote their webpage or app that interfaces with the SQL server and not the SQL server it self.
MySQL is a lot better about it then MSSQL due to the lack of comments, but disastrous things can still be done with this.
For those that are curious, more info on SQL injection can be found here and here. -
Re:Not good enough.
I looked at WebInspect, and it does a decent job at vuln scanning. It also inspects the web pages, forms and parameters. Found an SQL injection bug in one site, which could of lead to session hijacking. The downside - it costs about $5000, but does some cool stuff.