• 13Apr
    Author: ben Categories: Infrastructure, Security Comments: 1


    As discussed in detail by the Apache infrastructure team, a cross-site scripting vulnerability in Atlassian’s JIRA led to a full root account compromise on the ASF’s issue and request tracking server. If you don’t care to read the full story from the infrastructure team, the following sequence of events led to the compromise:

    1. Attackers opened a new JIRA issue containing a malicious tinyurl.com link that led to a JIRA page with an XSS vulnerability.
    2. Simultaneously, the attackers launched a brute-force attack on the JIRA login form.
    3. Several administrators clicked the tinyurl link, which compromised their session cookies (giving the attackers JIRA admin access).
    4. The attackers uploaded a malicious JAR file that collected JIRA passwords at login. One of the compromised passwords had also been used for a local account with full sudo privileges.

    There’s more to the story, but those points capture the bulk of the attack.

    This compromise interests me because it’s an explicit, targeted, successful attack against a security-conscious and capable next-generation web technology team. Several techniques were used in this attack:

    • Social engineering. The attackers opened an issue as if they were a trusted source posting a legitimate link. The Apache administrators trusted them.
    • Web application security flaw. XSS is #2 on the OWASP top 10 list.
    • Lack of vigilance. As the infrastructure team points out, the same password was used in a number of cases, and the JIRA user was overly privileged.

    I hear a lot of grumbling when I highlight XSS vulnerabilities in a penetration testing report. “Is this really a serious problem?”, “we’re not a target” and “it doesn’t matter if they steal the cookie” are common complaints. Let’s face it – if the Apache team can be pwned, we should all be wary.

  • 09Mar
    Author: zack Categories: Infrastructure, Security Comments: 0

    Confused Deputy
    One of the most interesting (in other words, “dangerous”) vulnerabilities that almost every existing web application falls victim to is cross-site request forgery (CSRF, pronounced “sea-surf”). CSRF is an attack in which unauthorized commands are transmitted from a user whom the website trusts. It is an example of the confused deputy problem. This differs from the widely known cross-site scripting (XSS): CSRF exploits the trust that a site has in the user’s browser, whereas XSS exploits the trust a user has in a particular web site.

    Read more »
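    To make the confused-deputy point concrete, here is an added Python example (not code from the original post): a request handler that trusts the session cookie alone, beside one that also requires a per-session token and checks the Origin header. The session store, the request dictionaries and the bank.example / evil.example names are constructed for the example.

```python
import hmac
import secrets

# Constructed in-memory session store: session id -> {"user": ..., "csrf": ...}.
SESSIONS = {
    "sid-abc123": {"user": "alice", "csrf": secrets.token_hex(16)},
}

def _session_for(request):
    """Return the session named by the browser's cookie, or None."""
    return SESSIONS.get(request.get("cookies", {}).get("sid"))

def handle_transfer_naive(request):
    """Confused deputy: the cookie alone grants authority, so any form post
    the browser submits on behalf of another site is accepted as Alice."""
    session = _session_for(request)
    if session is None:
        return 401, "not logged in"
    return 200, f"transferred {request['form']['amount']} for {session['user']}"

def handle_transfer_checked(request, site_origin="https://bank.example"):
    """Hardened: the cookie proves who the browser is; the request must also
    prove it was deliberately sent from the site's own page."""
    session = _session_for(request)
    if session is None:
        return 401, "not logged in"
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != site_origin:
        return 403, "cross-origin request refused"
    submitted = request.get("form", {}).get("csrf_token", "")
    # Constant-time comparison so token checking does not leak timing.
    if not hmac.compare_digest(submitted, session["csrf"]):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {request['form']['amount']} for {session['user']}"

def forged_request():
    """Constructed: what a page on evil.example can make Alice's browser send.
    The browser attaches her cookie automatically, but the other site cannot
    read her token, so the form carries none."""
    return {
        "cookies": {"sid": "sid-abc123"},
        "headers": {"Origin": "https://evil.example"},
        "form": {"amount": "1000", "to": "attacker"},
    }

def legitimate_request():
    """Constructed: the same action submitted from the bank's own form."""
    return {
        "cookies": {"sid": "sid-abc123"},
        "headers": {"Origin": "https://bank.example"},
        "form": {"amount": "1000", "to": "bob",
                 "csrf_token": SESSIONS["sid-abc123"]["csrf"]},
    }
```

    The naive handler accepts the forged request because the cookie is valid; the checked handler refuses it on the Origin mismatch and, even without an Origin header, on the missing token.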

  • 16Nov
    Author: admin Categories: Security Comments: 0

    Recently, I’ve been doing a lot of application security assessments for clients of Applied Trust, the majority of them black box or grey box tests, all dealing with some form of web application. The most common problems I find involve developers failing to sanitize, or inadequately sanitizing, user-supplied input.

    Any time you write a user-supplied value back to the page, you need to be leery of cross-site scripting (XSS) attacks. Any time you insert user-supplied input into a database, you need to guard against SQL injection attacks.

    The steps below will teach you how to guard against these attacks…

    Read more »