Sunday 31 October 2010

DZone presents OWASP

OWASP and the OWASP Top 10 are now being presented in DZone's Javalobby. Great that we are reaching developers! Now I'm just waiting for the latest Top 10 to be presented on MSDN as well :P.

Saturday 30 October 2010

Test the security of your browser

The security of web applications is, as is well known, entirely dependent on the security of the browser: both the browser's support for security features and its freedom from security bugs.

There is an interesting test tool online: the Browserscope Security Test. There you can easily check how well your browser supports security features such as Strict Transport Security and whether it protects against known attacks such as JSON hijacking.

There is also a summary of how the various browsers fare:

  • Best right now is Chrome 6, which passes 15 of 16 tests.
  • Firefox 3.6 only gets 10 of 16, but with the latest version of NoScript Firefox reaches 14 of 16.
  • Safari 5 gets 13 of 16.
  • IE 8 gets 10 of 16, but the IE 9 beta reaches 12 of 16.
  • Opera gets 9 of 16.
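The JSON hijacking test above is about the browser side of the problem; the application-side defence works regardless of browser and is worth seeing next to it. The following is an added example (not code from the original post or from Browserscope). The attack includes a JSON array response from another origin via a script tag; a bare array literal is a valid script, and older engines let the including page hook Array construction or property setters and read the values out. The common fix is to prefix the response with something that cannot parse as JavaScript, so the script never runs, and have the same-origin client strip the prefix before parsing. The prefix ")]}',\n" used here is one convention and an assumption of the example; any prefix that is a syntax error works.

```javascript
// Added example (not from the original post or from Browserscope):
// application-side JSON hijacking defence with an unparseable prefix.
// The prefix value is an assumption; any JavaScript syntax error will do.

const ANTI_HIJACK_PREFIX = ")]}',\n";

// Constructed sample data: the kind of per-user array a hijacker is after.
const SAMPLE_DATA = [
  { id: 1, email: "alice@example.org" },
  { id: 2, email: "bob@example.org" },
];

// Would this text run if a browser fetched it as a <script>? We compile it
// with the Function constructor and treat a SyntaxError as "would not run".
function parsesAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Server side: serialise and prepend the prefix.
function protectJson(value) {
  return ANTI_HIJACK_PREFIX + JSON.stringify(value);
}

// Client side (same-origin XMLHttpRequest): refuse anything without the
// prefix, strip it, and parse with JSON.parse rather than eval.
function parseProtectedJson(text) {
  if (!text.startsWith(ANTI_HIJACK_PREFIX)) {
    throw new Error("response lacks the anti-hijack prefix; refusing to parse");
  }
  return JSON.parse(text.slice(ANTI_HIJACK_PREFIX.length));
}

// Side by side: the bare array is executable, the protected one is not,
// and the protected one still round-trips for the legitimate client.
function demo() {
  const bare = JSON.stringify(SAMPLE_DATA);
  const protectedText = protectJson(SAMPLE_DATA);
  return {
    bareIsScript: parsesAsScript(bare),
    protectedIsScript: parsesAsScript(protectedText),
    roundTrip: parseProtectedJson(protectedText),
  };
}
```

A top-level JSON object such as {"id":1} is not a valid script on its own (the braces parse as a block and the quoted key is a syntax error), which is why the classic attack goes after array responses. The prefix makes the shape of the response irrelevant, and requiring it on the client side also catches a server that forgot to add it.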


/John Wilander, chapter co-leader

Friday 29 October 2010

Fool the filter with Unicode equivalents

Gareth Heyes, one of the sharpest JavaScript hackers in the world, today published a lookup table of Unicode equivalents in JavaScript. It can be used to get past filters, to build non-alphanumeric (obfuscated) JavaScript and perhaps even for homograph attacks. The whole table as a JavaScript structure is below: just start fuzzing.


Also check out his conversion tool Hackvertor:
http://hackvertor.co.uk/hvurl/1o


// Key: an ASCII character. Value: hex Unicode code points that look like or fold to it.
// Values above FFFF lie outside the BMP, so convert them with String.fromCodePoint, not fromCharCode.
var lookup={
"A":["00C0","00C1","00C2","00C3","00C4","00C5","0100","0102","0104","01CD","01DE","01E0","01FA","0200","0202","0226","023A","0386","0410","04D0","04D2","04D4","1E00","1EA0","1EA2","1EA4","1EA6","1EA8","1EAA","1EAC","1EAE","1EB0","1EB2","1EB4","1EB6","1F08","1F09","1F0A","1F0B","1F0C","1F0D","1F0E","1F0F","2C2D","2C6F","A656","FF21","1D400","1D434","1D468","1D49C","1D4D0","1D504","1D538","1D56C","1D5A0","1D5D4","1D608","1D63C","1D670","1D6E2","1D71C","1D726","1D756","1D790"],
"C":["00C7","0106","0108","010A","010C","0187","023B","1E08","2102","A73E","FF23","1D402","1D436","1D46A","1D49E","1D4D2","1D56E","1D5A2","1D5D6","1D60A","1D63E","1D672"],
"E":["00C8","00C9","00CA","00CB","0112","0114","0116","0118","011A","018E","0204","0206","0228","0246","0388","042D","0464","04EC","1E14","1E16","1E18","1E1A","1E1C","1EB8","1EBA","1EBC","1EBE","1EC0","1EC2","1EC4","1EC6","1F18","1F19","1F1A","1F1B","1F1C","1F1D","2130","FF25","1D404","1D438","1D46C","1D4D4","1D508","1D53C","1D570","1D5A4","1D5D8","1D60C","1D640","1D674","1D6E8","1D720","1D72E","1D75A","1D768","1D794","1D7A2"],
"I":["00CC","00CD","00CE","00CF","0128","012A","012C","012E","0130","0132","0197","01CF","0208","020A","0406","040D","0418","04E2","04E4","1E2C","1E2E","1EC8","1ECA","2110","2C0B","FF29","1D408","1D43C","1D470","1D4D8","1D540","1D574","1D5A8","1D5DC","1D610","1D644","1D678","1D724","1D75E","1D798"],
"D":["00D0","010E","0110","0189","018A","018B","1E0A","1E0C","1E0E","1E10","1E12","A779","FF24","1D403","1D437","1D46B","1D49F","1D4D3","1D507","1D53B","1D56F","1D5A3","1D5D7","1D60B","1D63F","1D673","1D6E5"],
"N":["00D1","0143","0145","0147","014A","019D","01F8","0220","1E44","1E46","1E48","1E4A","2115","A790","A7A4","FF2E","1D40D","1D441","1D475","1D4A9","1D4DD","1D511","1D579","1D5AD","1D5E1","1D615","1D649","1D67D","1D728","1D72B","1D762","1D765","1D79C","1D79F"],
"O":["00D2","00D3","00D4","00D5","00D6","00D8","014C","014E","0150","019F","01A0","01D1","01EA","01EC","01FE","020C","020E","022A","022C","022E","0230","041E","04E6","04E8","04EA","1E4C","1E4E","1E50","1E52","1ECC","1ECE","1ED0","1ED2","1ED4","1ED6","1ED8","1EDA","1EDC","1EDE","1EE0","1EE2","2C9E","A668","A66A","A66C","A74A","A74C","FF2F","1D40E","1D442","1D476","1D4AA","1D4DE","1D512","1D546","1D57A","1D5AE","1D5E2","1D616","1D64A","1D67E","1D6C0","1D723","1D72A","1D72D","1D75D","1D764","1D766","1D797","1D79E","1D7A0"],
"U":["00D9","00DA","00DB","00DC","0168","016A","016C","016E","0170","0172","01AF","01D3","01D5","01D7","01D9","01DB","0214","0216","0244","0423","04AE","04B0","04EE","04F0","04F2","1E72","1E74","1E76","1E78","1E7A","1EE4","1EE6","1EE8","1EEA","1EEC","1EEE","1EF0","FF35","1D414","1D448","1D47C","1D4B0","1D4E4","1D518","1D54C","1D580","1D5B4","1D5E8","1D61C","1D650","1D684"],
"Y":["00DD","0176","0178","01B3","0232","024E","1E8E","1EF2","1EF4","1EF6","1EF8","1EFE","FF39","1D418","1D44C","1D480","1D4B4","1D4E8","1D51C","1D550","1D584","1D5B8","1D5EC","1D620","1D654","1D688","1D6F6","1D730","1D76A","1D7A4"],
"G":["011C","011E","0120","0122","0193","01E4","01E6","01F4","1E20","A77D","A77E","A7A0","FF27","1D406","1D43A","1D46E","1D4A2","1D4D6","1D50A","1D53E","1D572","1D5A6","1D5DA","1D60E","1D642","1D676","1D6E4"],
"H":["0124","0126","021E","0389","1E22","1E24","1E26","1E28","1E2A","1F28","1F29","210B","210D","2C67","A78D","FF28","1D407","1D43B","1D46F","1D4D7","1D573","1D5A7","1D5DB","1D60F","1D643","1D677","1D722","1D75C","1D796"],
"J":["0134","0248","FF2A","1D409","1D43D","1D471","1D4A5","1D4D9","1D50D","1D541","1D575","1D5A9","1D5DD","1D611","1D645","1D679"],
"K":["0136","0198","01E8","1E30","1E32","1E34","2C69","A740","A742","A744","A7A2","FF2B","1D40A","1D43E","1D472","1D4A6","1D4DA","1D50E","1D542","1D576","1D5AA","1D5DE","1D612","1D646","1D67A","1D725","1D75F","1D799"],
"L":["0139","013B","013D","013F","0141","023D","1E36","1E38","1E3A","1E3C","1EFA","2112","2C60","2C62","2CD0","A746","A748","A780","FF2C","1D40B","1D43F","1D473","1D4DB","1D50F","1D543","1D577","1D5AB","1D5DF","1D613","1D647","1D67B","1D760"],
"R":["0154","0156","0158","0210","0212","024C","1E58","1E5A","1E5C","1E5E","211B","2C64","A75A","A782","A7A6","FF32","1D411","1D445","1D479","1D4E1","1D57D","1D5B1","1D5E5","1D619","1D64D","1D681"],
"S":["015A","015C","015E","0160","0218","1E60","1E62","1E64","1E66","1E68","2C7E","A784","A7A8","FF33","1D412","1D446","1D47A","1D4AE","1D4E2","1D516","1D54A","1D57E","1D5B2","1D5E6","1D61A","1D64E","1D682"],
"T":["0162","0164","0166","01AC","01AE","021A","023E","1E6A","1E6C","1E6E","1E70","A786","FF34","1D413","1D447","1D47B","1D4AF","1D4E3","1D517","1D54B","1D57F","1D5B3","1D5E7","1D61B","1D64F","1D683","1D6F5","1D72F","1D769","1D7A3"],
"W":["0174","1E80","1E82","1E84","1E86","1E88","2C72","FF37","1D416","1D44A","1D47E","1D4B2","1D4E6","1D51A","1D54E","1D582","1D5B6","1D5EA","1D61E","1D652","1D686"],
"Z":["0179","017B","017D","01B5","0224","1E90","1E92","1E94","2C6B","2C7F","A762","FF3A","1D419","1D44D","1D481","1D4B5","1D4E9","1D585","1D5B9","1D5ED","1D621","1D655","1D689","1D6E7","1D721","1D75B","1D795"],
"B":["0181","0182","0243","1E02","1E04","1E06","212C","FF22","1D401","1D435","1D469","1D4D1","1D505","1D539","1D56D","1D5A1","1D5D5","1D609","1D63D","1D671","1D6E3","1D71D","1D757","1D791"],
"F":["0191","1E1E","2131","2132","A77B","FF26","1D405","1D439","1D46D","1D4D5","1D509","1D53D","1D571","1D5A5","1D5D9","1D60D","1D641","1D675","1D7CA"],
"M":["019C","1E3E","1E40","1E42","2133","2C6E","FF2D","1D40C","1D440","1D474","1D4DC","1D510","1D544","1D578","1D5AC","1D5E0","1D614","1D648","1D67C","1D727","1D761","1D79B"],
"P":["01A4","1E54","1E56","2119","2C63","A750","A752","A754","FF30","1D40F","1D443","1D477","1D4AB","1D4DF","1D513","1D57B","1D5AF","1D5E3","1D617","1D64B","1D67F","1D72C","1D767","1D7A1"],
"V":["01B2","0245","1E7C","1E7E","1EFC","A75E","FF36","1D415","1D449","1D47D","1D4B1","1D4E5","1D519","1D54D","1D581","1D5B5","1D5E9","1D61D","1D651","1D685"],
"X":["1E8A","1E8C","FF38","1D417","1D44B","1D47F","1D4B3","1D4E7","1D51B","1D54F","1D583","1D5B7","1D5EB","1D61F","1D653","1D687","1D6F8","1D732","1D76C","1D7A6"],
"Q":["211A","A756","A758","FF31","1D410","1D444","1D478","1D4AC","1D4E0","1D514","1D57C","1D5B0","1D5E4","1D618","1D64C","1D680"],
0:["0030","0660","06F0","07C0","0966","09E6","0A66","0AE6","0B66","0BE6","0C66","0CE6","0D66","0E50","0ED0","0F20","1040","1090","17E0","1810","1946","19D0","1A80","1A90","1B50","1BB0","1C40","1C50","A620","A8D0","A900","A9D0","AA50","ABF0","FF10","104A0","11066","1D7CE","1D7D8","1D7E2","1D7EC","1D7F6"],
1:["0031","0661","06F1","07C1","0967","09E7","0A67","0AE7","0B67","0BE7","0C67","0CE7","0D67","0E51","0ED1","0F21","1041","1091","17E1","1811","1947","19D1","1A81","1A91","1B51","1BB1","1C41","1C51","A621","A8D1","A901","A9D1","AA51","ABF1","FF11","104A1","11067","1D7CF","1D7D9","1D7E3","1D7ED","1D7F7"],
2:["0032","0662","06F2","07C2","0968","09E8","0A68","0AE8","0B68","0BE8","0C68","0CE8","0D68","0E52","0ED2","0F22","1042","1092","17E2","1812","1948","19D2","1A82","1A92","1B52","1BB2","1C42","1C52","A622","A8D2","A902","A9D2","AA52","ABF2","FF12","104A2","11068","1D7D0","1D7DA","1D7E4","1D7EE","1D7F8"],
3:["0033","0663","06F3","07C3","0969","09E9","0A69","0AE9","0B69","0BE9","0C69","0CE9","0D69","0E53","0ED3","0F23","1043","1093","17E3","1813","1949","19D3","1A83","1A93","1B53","1BB3","1C43","1C53","A623","A8D3","A903","A9D3","AA53","ABF3","FF13","104A3","11069","1D7D1","1D7DB","1D7E5","1D7EF","1D7F9"],
4:["0034","0664","06F4","07C4","096A","09EA","0A6A","0AEA","0B6A","0BEA","0C6A","0CEA","0D6A","0E54","0ED4","0F24","1044","1094","17E4","1814","194A","19D4","1A84","1A94","1B54","1BB4","1C44","1C54","A624","A8D4","A904","A9D4","AA54","ABF4","FF14","104A4","1106A","1D7D2","1D7DC","1D7E6","1D7F0","1D7FA"],
5:["0035","0665","06F5","07C5","096B","09EB","0A6B","0AEB","0B6B","0BEB","0C6B","0CEB","0D6B","0E55","0ED5","0F25","1045","1095","17E5","1815","194B","19D5","1A85","1A95","1B55","1BB5","1C45","1C55","A625","A8D5","A905","A9D5","AA55","ABF5","FF15","104A5","1106B","1D7D3","1D7DD","1D7E7","1D7F1","1D7FB"],
6:["0036","0666","06F6","07C6","096C","09EC","0A6C","0AEC","0B6C","0BEC","0C6C","0CEC","0D6C","0E56","0ED6","0F26","1046","1096","17E6","1816","194C","19D6","1A86","1A96","1B56","1BB6","1C46","1C56","A626","A8D6","A906","A9D6","AA56","ABF6","FF16","104A6","1106C","1D7D4","1D7DE","1D7E8","1D7F2","1D7FC"],
7:["0037","0667","06F7","07C7","096D","09ED","0A6D","0AED","0B6D","0BED","0C6D","0CED","0D6D","0E57","0ED7","0F27","1047","1097","17E7","1817","194D","19D7","1A87","1A97","1B57","1BB7","1C47","1C57","A627","A8D7","A907","A9D7","AA57","ABF7","FF17","104A7","1106D","1D7D5","1D7DF","1D7E9","1D7F3","1D7FD"],
8:["0038","0668","06F8","07C8","096E","09EE","0A6E","0AEE","0B6E","0BEE","0C6E","0CEE","0D6E","0E58","0ED8","0F28","1048","1098","17E8","1818","194E","19D8","1A88","1A98","1B58","1BB8","1C48","1C58","A628","A8D8","A908","A9D8","AA58","ABF8","FF18","104A8","1106E","1D7D6","1D7E0","1D7EA","1D7F4","1D7FE"],
9:["0039","0669","06F9","07C9","096F","09EF","0A6F","0AEF","0B6F","0BEF","0C6F","0CEF","0D6F","0E59","0ED9","0F29","1049","1099","17E9","1819","194F","19D9","1A89","1A99","1B59","1BB9","1C49","1C59","A629","A8D9","A909","A9D9","AA59","ABF9","FF19","104A9","1106F","1D7D7","1D7E1","1D7EB","1D7F5","1D7FF"],


"-":["002D","058A","05BE","1400","1806","2010","2011","2012","2013","2014","2015","FE58","FE63","FF0D"],
"|":["FE31","FE32"],
"'":["2019","201A"],
'"':["201D","00BB","301E","301F","201E","FF02"],
">":["203A","2992","2994","3009","300B"],
"]":["2046","27E7","298C","298E","2990","301B","FF3D"],
")":["208E","207E","2769","276B","2986","FE5A","FF09","FF60"],
"}":["2775"],
"(":["207D","208D","2768","276A","2985","FD3E","FE59","FF08","FF5F"],
"[":["2045","27E6","298B","298D","298F","301A","FF3B"],
"<":["2329","276C","276E","2770","27E8","27EA","2991","29FC","3008"],
"{":["2774","2983","FE5B","FF5B"],
"!":["00A1","055C","07F9","203C","2048"],
"#":["FE5F","FF03"],
"%":["066A","FE6A","FF05"],
"&":["FE60","FF06"],
"*":["204E","2051","FE61","FF0A"],
",":["055D","060C","07F8","1363","1802","1808","3001","A60D","FE10","FE11","FE50","FE51","FF0C","FF64"],
".":["0589","06D4","0701","0702","1362","166E","1803","1809","3002","A60E","FE12","FE52","FF0E","FF61"],
"/":["FF0F"],
":":["0703","0704","0706","0707","0708","0709","1364","1365","1366","1804","204F","205D","FE13","FE55","FF1A"],
"\\":["FE68","FF3C"]
}
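What "start fuzzing" looks like in practice, together with the checks a defender should run, as an added example that is not Gareth Heyes's code or Hackvertor's. A small excerpt of the table above is embedded so the block runs stand-alone (the Cyrillic А at U+0410 is included deliberately, to show the limit of normalisation). The filter, the token "ALERT(" and the three defences are assumptions of the example, not something from the original post.

```javascript
// Added example (not from the original post): fuzz a denylist filter with
// Unicode equivalents and compare three levels of defence. The table is a
// short excerpt of the full one; entries are hex code points, several
// outside the BMP, so they must become characters via String.fromCodePoint.

const LOOKUP = {
  "A": ["00C0", "FF21", "1D400", "0410"], // À, fullwidth A, math bold A, Cyrillic А
  "L": ["0139", "FF2C", "1D40B"],          // Ĺ, fullwidth L, math bold L
  "E": ["00C8", "FF25", "1D404"],
  "R": ["0154", "FF32", "1D411"],
  "T": ["0162", "FF34", "1D413"],
  "(": ["FF08"],                           // fullwidth left parenthesis
};

function fromHex(codePoint) {
  return String.fromCodePoint(parseInt(codePoint, 16));
}

// Build variants of `word`: variant i replaces each character with the
// i-th entry of its list (wrapping around for shorter lists). Characters
// with no entry are kept as they are.
function variants(word) {
  const chars = [...word];
  const width = Math.max(...chars.map(c => (LOOKUP[c] || []).length), 1);
  const out = [];
  for (let i = 0; i < width; i++) {
    out.push(chars.map(c => {
      const alts = LOOKUP[c] || [];
      return alts.length ? fromHex(alts[i % alts.length]) : c;
    }).join(""));
  }
  return out;
}

// The kind of filter the table defeats: a regular expression on the ASCII
// spelling of a dangerous token. Returns true when the input is allowed.
function naiveFilter(input) {
  return !/ALERT\s*\(/i.test(input);
}

// Better: fold compatibility characters (fullwidth, mathematical) with
// NFKD and strip combining marks, then apply the same rule.
function foldUnicode(input) {
  return input.normalize("NFKD").replace(/\p{M}/gu, "");
}
function normalisingFilter(input) {
  return naiveFilter(foldUnicode(input));
}

// Best, where the field should only ever contain ASCII: reject anything
// else outright. Homoglyphs from other scripts (the Cyrillic А above)
// survive normalisation, so folding alone is not enough.
function asciiOnlyFilter(input) {
  return /^[\x20-\x7E]*$/.test(input) && naiveFilter(input);
}

// How many generated spellings of "ALERT(" does a given filter let through?
function bypassCount(filter) {
  return variants("ALERT(").filter(v => filter(v)).length;
}
```

With this excerpt the naive filter passes all four generated spellings, the normalising filter still passes the one that starts with Cyrillic А, and the ASCII-only filter passes none. The lesson carries over to the full table: normalise only when the field legitimately needs non-ASCII text, and otherwise reject rather than try to enumerate equivalents.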

Tuesday 26 October 2010

Firesheep, how it works

Today I was interviewed by the TV4 news about the cookie sniffer Firesheep, a Firefox plug-in that sniffs session cookies for popular services on the network you are connected to. The interview also ran as a segment in the 19:00 news.

Install and test Firesheep
It took some fiddling to get Firesheep working, so I thought I would post it here for those who want to try it. Note that I do not vouch for the program. It could turn out to be a nasty backdoor.
  1. Make sure you have Firefox 3.6.*, and at least 3.6.10, e.g. 3.6.11. Not the 4 beta unless you want to experiment.
  2. Download Firesheep from GitHub.
  3. Open the xpi file with Firefox and install it.
  4. Restart Firefox if it asks you to.
  5. You should now have a Firesheep view as a column on the left-hand side. If not: View -> Sidebar -> Firesheep.
  6. Under Preferences -> Privacy: turn off any private browsing mode, allow cookies and allow third-party cookies.
  7. Turn on Firesheep with the "Start Capturing" button.
  8. Open another browser, e.g. Chrome.
  9. Log in to Facebook, Twitter or Flickr in Chrome.
  10. Check the Firesheep view in Firefox. Your various accounts should have shown up there.
  11. Double-click one of your accounts in Firesheep and, presto, you have performed a session hijacking.
If you had been sitting on an open wireless network, all the other active sessions would have shown up in your Firesheep column as well. Note that it is illegal to use other people's sessions without permission. Listening on the network and looking at the list is, however, perfectly OK.

Preconfigured services that Firesheep sniffs
The following services/domains are preconfigured in Firesheep:
  • Amazon.com
  • Basecamp
  • bit.ly
  • Cisco
  • CNET
  • Dropbox
  • Enom
  • Evernote
  • Facebook
  • Flickr
  • Foursquare
  • GitHub
  • Google (though no longer GMail)
  • Gowalla
  • Hacker News
  • Harvest
  • Windows Live
  • New York Times
  • Pivotal Tracker
  • ToorCon: San Diego
  • Slicehost SliceManager
  • tumblr.com
  • Twitter
  • Wordpress
  • Yahoo
  • Yelp

The underlying vulnerability
So what is the vulnerability? Services such as Facebook only encrypt the traffic at login (so your password is protected). After that Facebook falls back to unencrypted traffic. Your session cookie is what Facebook uses to identify you after login, and it is sent in cleartext with every request to Facebook. That is the traffic Firesheep listens to and picks the session information out of.

With your session cookie in my browser, I am just as logged in as you are.
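The two halves of this, in code, as an added example that is not Firesheep's own code. harvestSessions() does what a passive sniffer on an open WLAN does with a plaintext HTTP request: match the Host header against a table of known sites and pull out the cookies that carry the session, which is the idea behind Firesheep's per-site handlers. auditSetCookie() is the check a site owner should run on its own Set-Cookie headers: a session cookie without the Secure attribute is sent over plain HTTP and is exactly what the sniffer collects. The host names, cookie names and captured requests are constructed for illustration and are not the real names used by any of the services listed above.

```javascript
// Added example (not Firesheep's code): sniffer-side cookie harvesting and
// the defender's Set-Cookie audit. Host names and cookie names are assumed.

// Per-site "handlers": which cookie names are sufficient to replay a session.
const HANDLERS = {
  "www.social.example": ["sess_id"],
  "www.photos.example": ["photo_uid", "photo_session"], // both needed to replay
};

// Constructed capture: three plaintext requests as they would appear on the wire.
const CAPTURED_REQUESTS = [
  "GET /home.php HTTP/1.1\r\nHost: www.social.example\r\n" +
    "Cookie: locale=sv; sess_id=8f3a2c9d; theme=dark\r\n\r\n",
  "GET /photos HTTP/1.1\r\nHost: www.photos.example\r\n" +
    "Cookie: photo_uid=42; photo_session=d41d8cd9\r\n\r\n",
  "GET / HTTP/1.1\r\nHost: www.unknown.example\r\nCookie: x=1\r\n\r\n",
];

// Split an HTTP request head into its request line and a lowercase-keyed header map.
function parseRequest(raw) {
  const head = raw.split("\r\n\r\n")[0];
  const lines = head.split("\r\n");
  const headers = {};
  for (const line of lines.slice(1)) {
    const colon = line.indexOf(":");
    if (colon > 0) {
      headers[line.slice(0, colon).trim().toLowerCase()] = line.slice(colon + 1).trim();
    }
  }
  return { requestLine: lines[0], headers };
}

// "a=1; b=2" -> { a: "1", b: "2" }
function parseCookieHeader(value) {
  const jar = {};
  for (const part of value.split(";")) {
    const eq = part.indexOf("=");
    if (eq > 0) jar[part.slice(0, eq).trim()] = part.slice(eq + 1).trim();
  }
  return jar;
}

// For each request to a configured host, return the cookie set that is
// sufficient to replay the session; skip hosts without a handler and
// requests that carry only some of the required cookies.
function harvestSessions(rawRequests) {
  const found = [];
  for (const raw of rawRequests) {
    const { headers } = parseRequest(raw);
    const wanted = HANDLERS[headers["host"]];
    if (!wanted || !headers["cookie"]) continue;
    const jar = parseCookieHeader(headers["cookie"]);
    if (!wanted.every(name => name in jar)) continue;
    const session = Object.fromEntries(wanted.map(name => [name, jar[name]]));
    found.push({ host: headers["host"], session });
  }
  return found;
}

// Audit one Set-Cookie header value. Secure keeps the cookie off plain HTTP
// (a site that falls back to HTTP after login would then lose the session,
// which is why the real fix is HTTPS for every request); HttpOnly keeps it
// away from script, which does not help against sniffing but costs nothing.
function auditSetCookie(setCookie) {
  const [pair, ...attrs] = setCookie.split(";").map(s => s.trim());
  const flags = attrs.map(a => a.toLowerCase());
  return {
    name: pair.split("=")[0],
    secure: flags.includes("secure"),
    httpOnly: flags.includes("httponly"),
  };
}
```

Run against the constructed capture, harvestSessions() returns two replayable sessions and ignores the host it has no handler for. The audit is the thing to add to a deployment checklist: every cookie that identifies a logged-in user must carry Secure, and the site must stay on HTTPS after login so that the browser never has a reason to send it in the clear.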


PS.
Since so much incorrect information has been going around, I want to stress two things:
  1. Firesheep is a Firefox plugin, i.e. an add-on. So this is not about a security hole in Firefox. That would be as silly as claiming that Windows has a problem because someone wrote a network scanner that runs on Windows.
  2. The victim can browse with any browser: Safari, Internet Explorer, Opera, Firefox, Chrome and so on. Session hijacking via cookies is not limited to any particular browser.
DS.


/John Wilander, chapter co-leader

Monday 18 October 2010

500 members, new organisation

OWASP Sweden now has 500 members. What a force!

On that occasion, and given that we have actually turned three years old, we will be reorganising a little.

Three leaders
To begin with, the leadership will be split three ways:
  • John Wilander, co-leader
  • Mattias Bergling, co-leader
  • Robert Malmgren, co-leader
Mattias and Robert have helped run the chapter since the start, and Mattias was in charge of the budget for the AppSec conference this summer. They will start blogging here together with me, so we will try to sign our posts.

Members can apply to the board
We also want to renew the board, the "OWASP Sweden Board". An invitation will therefore shortly be sent to all members, where you can get in touch if you are interested in joining. We want to be a welcoming and open community, and I really hope there are one or two new people we can bring onto the board.

Yours ...
/John Wilander, chapter co-leader

Sunday 3 October 2010

IE or FF if the bank gets to choose

Security on the web is strongly dependent on the security of our browsers. The banks really ought to push their customers to upgrade and update.

Encouragingly, only one of the major banks, namely Handelsbanken, still officially supports Internet Explorer 6. Apart from Microsoft's browser, Firefox seems to be the one that counts, on Mac too.

For Linux users it looks really thin. Kudos to Skandiabanken there. On the other hand, Skandiabanken says nothing about Windows 7, so one wonders how often the pages are updated.

                Handelsbanken       Nordea             SEB                Skandiabanken        Swedbank
Windows         IE 6-8, FF 3.5.2+   IE 7-8, FF 3.5     IE 8, FF 3.6       IE 7-8, FF 3.5-3.6   IE 7+, FF 3+, Chrome 4+
Mac OS          FF 3.5.2+           FF 3.5, Safari 4   FF 3.6, Safari 4   FF 3.5-3.6           FF 3+, Safari 3+, Chrome 4+
Linux (Ubuntu)  Not with e-ID       No info            No info            FF 3.5-3.6           No info

Links:
Nordea's requirements