Wurfel-Waffles
Just a super geeky guy who composes music in spare times.


Danger, rant?

Posted by Wurfel-Waffles - April 4th, 2012


I want to shorten this rant into a small warning. A few days ago, InfoSec put up this news on HTTP header SQL injection.

A year ago, silencefreedom and I went to HackInTheBox (you can see his pic on his profile, taken there) to do a small show-off on the most common web app attack known to man: SQL Injection.

We used HTTP header and cookie poisoning to inject code. Firefox 4.3. Backtrack 3 on an Asus Eee. Custom Python scripts and proxies.

We just came as visiting rookies but left the regulars and leets with some crazy wow faces. Busted NASA.gov and gained access to their control system in 6 steps. All in less than 15 minutes.

If you really want us to re-enact the attack and get our whitepapers, please PM or mail me at bernd.wurfel@gmail.com
__________

What are my points? Well: bad guys can hijack your system anytime, anywhere, by automatic malicious scripts that do drive-bys or hitch a nice ride along with any site that has an injectable vulnerability.

Anti-virus is useless in this case. And up-to-date defensive methods against this kind of attack are very weak and poorly researched.
__________

Just a concern. Life is tough.

We are timid musicians, and ninjas-in-grey.
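A concrete illustration of the header-injection point made above, added here as an example and not code from the post or from the author's whitepapers: a visitor log that writes the User-Agent header into SQLite by string formatting, beside the parameterised version that stores the same header harmlessly. The table, schema and sample headers are constructed for the demo.

```python
import sqlite3

# Constructed sample requests: one benign visitor and one whose User-Agent
# carries a stray quote plus extra SQL. This is a constructed test value,
# not a header captured from any real site.
SAMPLE_REQUESTS = [
    {"ip": "203.0.113.10", "user_agent": "Mozilla/5.0 (X11; Linux x86_64)"},
    {"ip": "203.0.113.11",
     "user_agent": "Mozilla/5.0'), ('0.0.0.0', 'row-the-app-never-saw"},
]


def _fresh_db():
    """Return an in-memory visitor log with one table (constructed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE visits (ip TEXT, user_agent TEXT)")
    return conn


def log_visit_vulnerable(conn, req):
    """Builds the INSERT by string formatting: the header text becomes SQL.

    A quote in the User-Agent closes the literal early, so the rest of the
    header is parsed as part of the statement (here: a second VALUES tuple).
    """
    sql = "INSERT INTO visits VALUES ('%s', '%s')" % (req["ip"], req["user_agent"])
    conn.execute(sql)


def log_visit_safe(conn, req):
    """Binds the header as a parameter: the driver never parses it as SQL."""
    conn.execute("INSERT INTO visits VALUES (?, ?)",
                 (req["ip"], req["user_agent"]))


def rows_written(logger, requests=SAMPLE_REQUESTS):
    """Run every sample request through `logger`; return the rows stored."""
    conn = _fresh_db()
    for req in requests:
        logger(conn, req)
    return conn.execute(
        "SELECT ip, user_agent FROM visits ORDER BY ip").fetchall()


if __name__ == "__main__":
    # vulnerable logger stores 3 rows (one it was never asked to write);
    # safe logger stores exactly the 2 requests, quotes and all.
    print("vulnerable:", rows_written(log_visit_vulnerable))
    print("safe:      ", rows_written(log_visit_safe))
```

The only "payload" needed to change what the vulnerable logger does is a single quote character, which is why header values must be bound, not concatenated, regardless of what any anti-virus on the client sees.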


Comments

You're right - that sort of attack used to be standard fare years ago. At the time, there were some resource-heavy apps to deal with SQL injections... didn't Zone Alarm have such a defense?
Yet another good reason not to do anything crucial w/ an online computer.

Internet Security (as they call it) packages go along with the usual Anti-Virus products. Zone Alarm is one of the most advanced IS packages.

Drive-by downloads and browser hijacks are free to roam; it doesn't matter if IS is on or off, because most only have to deal with session cookies, or widely infect all types of cookie. Most sites require session certificates for access (spam and XSS counters enabled by reCaptcha or a common image-based Captcha). However!! Captcha is there to counter non-embedded bots, not auto scripts that have already infected or been embedded in incoming cookies. Therefore Captcha eventually becomes bait for the victim. Use the enemy to kill the enemy.

Summarized simple steps to gain a simple drive-by (all could be done by auto scripts):
> find the vuln (SQL(s), PHP, JSP, HTML...)
> inject/embed scripts; set destination links to malware (mostly backdoors, rootkits and trojans. Sometimes scareware too!)
> enable live-update and/or semi-mutation.
> infect whoever's session enters the site
> Kill defenses. Or infect defenses too, a better way to fool the victim.
> ???
> wreak havoc! (Profits!)

I sometimes feel like the two of us are too serious about these. Indeed it is too serious to us researchers, but it doesn't even bug a hair of whoever reads our stuff.

We used to use playful/offensive puns and phrases in most of my whitepapers; sometimes I just want to play with the readers. Just to make these hardest-to-swallow topics easier to chew.

I just want to make this world safer and more marvelous.