In fact my details got added  while back, however I haven’t had the time to update the blog.

The issue that got me on there was a cross site scripting issue (Self XSS in this case) in the invite functionality of Google Chat.

Google Chat is used throughout differing Google sites and all them looked like they were vulnerable; However upon checking the cookie returned it would seem that the issue lay not in the translation site or IGoogle as first thought but with GoogleUserContent which is not a site eligible for a reward.

I’d like to thank Adam Mein from the Google Security Team for all of his help and patience in the two and throw of helping to confirm and then assist in getting the issue fixed.

As everyone seems to like pictures I’ll link to a couple of them here

XSS 1

XSS 2

As for the arguments for and against paying for bugs. I’ve still not changed my stance, I’m all for it although my reasons have changed.

I have recently found a new bug in Chrome which would allowed an attacker to run injected code (Javascript / HTML / CSS etc read XSS) into any chrome browser upon visiting a site. One thing to note about this new issue is that this is not a site problem which is the case with virtually all normal XSS issues. In this case the issue is with  Chrome. I won’t go into the issue any more just now as it’s not yet fixed. however had I not already built up a relationship with Google I would most likely have gone to Tipping Point or other types of Bug Auction Sites.

So from my point and hopefully Google’s the program is a sucess due to the new relationships it creates between bug reporters and fixers.

Lastly here is a nice document from the Goggle security team talking about the success of the reward program.

Martin Hall

The Test Manager

Google Vulnerability Research Reward

Some of you may have heard that Google has recently launched a new programme to encourage responsible disclosure of security bugs in their products and websites.

This scheme is called the Google Vulnerability Reward Programme. You can read more about it on Google’s security blog

The basics are that anyone finding a “relevant” bug that could compromise the serurity or privacy of Google’s customers (that’s you & me) will receive a standard amount of $500.00 and if the bug found shows flair then Google may award upto $3,133.7 (spells eleet in hacker talk).

Now most people who try to find any bugs in Google will fail as their systems are some of the most widely used in the world and they can afford to hire the best of the best when it comes to Security Bods, System Testers (called Engineers in Test at Google) and also decent coders.

So we don’t therefore expect things to be easy, however I was surprised like many others to find quite a few issues.

Obviously I can’t post any details about the issues until Google give me the go ahead. However expect some posts in the near future.

The reward programme is a great way for System / Web Testers and Penetration Testers to try out a few things and learn something along the way.

One thing I will say is that Google are getting stricter on the issues reported that count

For example

I found a bug which allowed me to execute JavaScript (XSS) on virtually any of Google’s sites.  However Google deemed that it was not really a bug as it would not really be exploitable in the wild. Meaning that you couldn’t send a link or embed the malicious code on a site and have it actioned.

I still thought it was a major issue XSS on nearly every Google domain however they think otherwise. Either way I’ll keep the method secret in case they change their minds.

So you have to find issues that are going to be exploited in the real world, and also you have to find them first.

I also found a bug on another Google site and I submitted my report and got a reply from a security engineer that someone else had already reported the same issue before me.

If your thinking what’s to stop Google accepting your submissions and then just saying we already know about that one. Well the answer is nothing. It has to be a trust thing. They trust that the reporter will not exploit the bug for their own means and keep the issue secret and the reporters have to trust that Google works on honesty and wouldn’t lie just to save a few hundred or thousand dollars.

So if you have a few hours spare and want to have a bit of fun while learning then have a go.

Remember no automated tools and only test on your own account (nothing destructive).

Try and concentrate on a particular area which ever one you are best at. For me that would be XSS while as you can see from Neal Poole’s posts. He seems to focus more on CSRF.

Good luck.

Ruby Logo

Again this is another note to myself, however it may be useful to others.

Yesterday I was attempting to run a Ruby script to check for ASP .Net Padding Oracle problems on a site and I got the following issue.

undefined method `lines’ for #<String:0x240d448>

I had looked at the Ruby Source code and all looked ok however there was still the issue when running the script.

It turns out that in Ruby Versions prior to Ruby 1.8.7 String doesn’t have a lines method and hence the error received. I was running Ruby 1.8.5

So the fix was a simple upgrade to the latest version of Ruby and then to run the script again and voilla the error is no more an issue.

Hope the above tip helps, if your receiving the same error.

Visual Studio 2005

Yesterday I brought into work an application that I had developed at home. The application was written in VB.Net using Visual Studio 2008.

My work Development environment is Visual Studio 2005 and I needed to update the source code so I tried to load up the solution file and I received the error “The Selected file cannot be opened as a solution or project. Please select a solution file or project file “.

I know from past experience that .sln (solution) files are just text files with references to other code and the development environment.

So if you ever receive the above message and your moving code from Visual Studio 2008 to 2005 then load the sln file in a decent text editor (Notepad ++ will do)

change the top to lines from

Microsoft Visual Studio Solution File, Format Version 10.00
# Visual Studio 2008

to read

Microsoft Visual Studio Solution File, Format Version 9.00
# Visual Studio 2005

save the solution file and now open it in your 2005 development environment.

You may have to refactor some code if you have used new objects or syntax which are new to 2008.

However you should be able to to just code as normal.

The Black Hat Puppet Master

This post is password protected. To view it please enter your password below:

Password:

Symantec 20 XSS issues

I have written a new tool called SubFinder (provisional name subject to change).

It does exactly as the name suggests. It will find Subdomains on any given host. It will do this via a few methods, first it will look in a couple of obvious places and then it will bruteforce the rest.

It will be released in the next couple of days.

I wanted to test it so I ran it against Symantec.com

I got over 200 subdomains found. (not all could be browsed, but loads were)

From the domain list I thought i would check some of them over for XSS issues. The reason that you will find more issues is because firstly these sub domains are usually used to host mini sites, or sub sites. When/If there is a code review then these can be missed.

Also SubDomains are more often than not coded by outsourced suppliers so even if Symantec had great processes in place (which they don’t) , there is a chance that the outsourced suppliers do not.

(1) symantecenterprise XSS

(2) Symantec Connect Search Feature XSS (IE Only?)

(3) https://et.symantec.com XSS (Fixed 17th November 2010?)

(4) http://maillist.entsupport.symantec.com XSS

(5) Bit of a strnge one this, if you go to https://renewalcenter.symantec.com/
and into the email box type
“><</div><script>alert(‘The TestManager SymanTec Xss SubFinderTest’)</script>
you should get an error which states invalid email address entered.
Now change the URL to
https://renewalcenter.symantec.com
and Bingo XSS (is it being stored? making it a sotred XSS
I don’t think so but not 100% sure) (Fixed 17th November 2010?)

(6) http://www.symantec.com/ XSS (IE browsers only?) (Fixed 17th November 2010?)

(7) open redirect to XSS – http://www.messagelabs.co.uk/ XSS – Seems to only work in Firefox?, and not in IE? (Fixed 17th November 2010?)

(8) http://www.symantec.com/ Connect Forward XSS IE only? (Fixed 17th November 2010?)

(9) https://symantecevents XSS
Site development on the above seems to have outsourced to
http://verite.com/our-work/by-client/client-focus/?client_id=2
I’m guessing all of their sites for symantec would be easy targets. (Fixed 17th November 2010?)

(10) http://seer.entsupport.symantec.com/ XSS

(11) http://aka-community.symantec.com

(12) https://careers.symantec.com/ XSS (may need to visit page twice as the
first time sets the cookie)

(13) https://chat.symantec.com XSS

(15) https://www4.symantec.com/ XSS

(16) http://seer.entsupport.symantec.com/ Navbar XSS

(17) Ouch Denial Of Service (DOS) via Bad Param Injection =
http://techcenter.symantec.com redirect to http://techcenter.symantec.com/ecampus/enterprise =
which works fine as do all other URLs on this techcenter subdomain.
However if I now use the url =
http://techcenter.symantec.com/ecampus/enterprise?cat=null&cmd=sc&courseNo=DP6000&EXValue=null&file=null&module&page=null&siteName=sena&type=g_
Then every url on that subdomain gets blown and the server responds with a http 500server error. This creates a Denial of Service on that Subdomain.

(18) http://cybercrimenews.norton.com XSS

(19) Every Symantec customer email address can be grabbed = http://bit.ly/91fZrT just change the id. you could start at 1 and work your way up. This is very easy to automate. looks like over 16 million potential email addresses?.

Nitro Security XSS

Again we come with another (XSS) Cross Site Scripting Bugs on another Security Site.

This time it is on the site of Nitro Security

Now what I find a little bit strange is that Nitro Security states that it has created and sells 3 products which can detect Cross Site Scripting issues on websites.

The issue on there site has been there for a while and one would have thoguht that the company would have run its own tools against its won site to make sure that all is secure.

Unlike other security sites such as Tennable / Nessus etc on Nitro there is no attempt made to protect the site from user created data injections.

And with that I give you Nitro Security XSS Issue.

Nitro Security XSS

The Test Manager Nessus Cross Site Scripting Error

Nessus is a product owned now by Tenable Network Security.

I had originally decided to do a month of Security Site Bugs as most security sites have a higher level of site protection and also they are more of a challenge for a researcher / tester to find bugs on, and lets face it a lot of us  do this for the challenge.

Due to the nature of the security business their sites are usually locked down fairly tight.

However you can still a good few issues here and there.

It would also seem that security sites are just as susceptible to code injections and other types of low hanging fruit.

and with that I give you

Tenable Network Security / Nessus – All your Base are Belong to Us.

Tenable / Nessus All Your Base

Bug Details as follows

Well the security isn’t that bad here, they do block a lot of tags, So this means No Script Tags , No Href tags, No Iframe or Frame Tags, No Img Tags,

So I had to get a little creative and hence you have the popular meme of “all your base”

this is done by firstly a Heading Tag which is not blocked and then I’m allowed to use Div Tags and Object Tags, oh year and I’m also allowed to close the TextArea Tag.

Once I worked out what I could use I put it all together see below for the injection.

</TEXTAREA><div><h1>The Test Manager Month Of Security Site Bugs</h1><object width=”480″ height=”385″><param name=”movie” value=”http://www.youtube.com/v/8fvTxv46ano&amp;hl=en_GB&amp;fs=1″></param><param name=”allowFullScreen” value=”true”></param><param name=”allowscriptaccess” value=”always”></param><embed src=”http://www.youtube.com/v/8fvTxv46ano&amp;hl=en_GB&amp;fs=1″ type=”application/x-shockwave-flash” allowscriptaccess=”always” allowfullscreen=”true” width=”480″ height=”385″></embed></object></div>

Now this is just a bit of fun rather than a fully exploitable bug.  The reason is that I could not get it to work from the URL.

To get the XSS to work you firstly need to have an item in your shopping cart and then checkout.

Then once your on the

https://products.nessus.org/one-page-checkout.asp page

there is a payment information box. Just put your code into that box and checkout. No need to fill in the rest of the form boxes the injection works when the form reloads.

Enjoy.

Martin H

The Test Manager.

I remembered that I had found a similar issue a while back and hadn’t got round to disclosing it to them, so I therefore guess its fine to include in the month of full disclosure.

And with that I give you a new Symantec XSS bug.

Symantec XSS

Notes about the bug are as follows.

the issue is caused by Symantec not checking that html comments cannot be ended via user input. So all I had to do was to close the HMTL comment tag and then insert any code I saw fit. In this case a very simple JavaScript Alert box as is the norm with demonstrating XSS bugs and I also added a little Iframe.