Syntax Error Nullification and Coding Analytics Workgroup alt text here

apache

XML signature HMAC truncation authentication bypass

Aug 11th, 2009
by admin.
No comments yet

s2avatarsetting

standards

by
Singh Ryu

SENCAW | AUTHOR
The XML Signature specification allows for HMAC truncation, which may allow a remote attacker to bypass authentication.
XML Signature Syntax and Processing (XMLDsig) is a W3C recommendation for providing integrity, message authentication, and/or signer authentication services for data. XMLDsig is commonly used by web services such as SOAP. The XMLDsig recommendation includes support for HMAC truncation, as specified in RFC2104. However, the XMLDsig specification does not follow the RFC2104 recommendation to not allow truncation to less than half of the length of the hash output or less than 80 bits. When HMAC truncation is under the control of an attacker this can result in an effective authentication bypass. For example, by specifying an HMACOutputLength of 1, only one bit of the signature is verified. This can allow an attacker to forge an XML signature that will be accepted as valid.
This vulnerability can allow an attacker to bypass the authentication mechanism provided by the XML Signature specification.
Solution:
Apply an update
Please check with your vendor for available updates. Erratum E03 for the XMLDsig recommendation has been added, which specifies minimum values for HMAC truncation.
HMAC truncationThe XML Signature specification allows for HMAC truncation, which may allow a remote attacker to bypass authentication.
XML Signature Syntax and Processing (XMLDsig) is a W3C recommendation for providing integrity, message authentication, and/or signer authentication services for data. XMLDsig is commonly used by web services such as SOAP. The XMLDsig recommendation includes support for HMAC truncation, as specified in RFC2104. However, the XMLDsig specification does not follow the RFC2104 recommendation to not allow truncation to less than half of the length of the hash output or less than 80 bits. When HMAC truncation is under the control of an attacker this can result in an effective authentication bypass. For example, by specifying an HMACOutputLength of 1, only one bit of the signature is verified. This can allow an attacker to forge an XML signature that will be accepted as valid.
This vulnerability can allow an attacker to bypass the authentication mechanism provided by the XML Signature specification.
Solution:
Apply an update
Please check with your vendor for available updates. Erratum E03 for the XMLDsig recommendation has been added, which specifies minimum values for HMAC truncation.

Simple Perl Sniffer

Jul 30th, 2009
by admin.
No comments yet

    Here’s a simple example of a script that sniffs an ethernet line for all TCP/IP packets bound to/from a particular host and dumps out the source/destination IP address/port and a hex dump of the packet’s contents:

perl snifferHere’s a simple example of a script that sniffs an Ethernet line for all TCP/IP packets bound to/from a particular host and dumps out the source/destination IP address/port and a hex dump of the packet’s.

#!/usr/bin/perl -w
use strict;
use Net::PcapUtils;
use NetPacket::Ethernet;
use NetPacket::IP;
use NetPacket::TCP;
use Data::HexDump;
Net::PcapUtils::loop(\&process_pkt, FILTER => 'ip host 192.168.1.252')
+;
my $i=0;
sub process_pkt {
  my ($user_data,$hdr,$pkt)=@_;
  my $eth=NetPacket::Ethernet->decode($pkt);
  if($eth->{type} == 2048){
    my $ip=NetPacket::IP->decode($eth->{data});
    if($ip->{proto} == 6){
      my $tcp=NetPacket::TCP->decode($ip->{data});
      print "\n\n$i $ip->{src_ip}($tcp->{src_port}) -> $ip->{dest_ip}(
+$tcp->{dest_port})\n";
      print HexDump $ip->{data};
      $i++;
    }
  }
}

Web Application Vulnerability and Error Scanner (WAVES)

Jul 30th, 2009
by admin.
No comments yet
simple-pearl-snifferABSTRACT by Chung-Hung Tsai
Department of Computer Science and Information Engineering,
National Chiao Tung University As a large and complex application platform, the World Wide Web is capable of delivering a broad range of sophisticated applications. However, many Web applications go through rapid development phases with extremely short turnaround time, making it difficult to eliminate vulnerabilities. Here we analyze the design of Web application security assessment mechanisms in order to identify poor coding practices that render Web applications vulnerable to attacks such as SQL injection and cross-site scripting. We describe the use of a number of software-testing techniques (including dynamic analysis, black-box testing, fault injection, and behavior monitoring), and suggest mechanisms for applying these techniques to Web applications. Real-world situations are used to test a tool we named the Web Application Vulnerability and Error Scanner (WAVES, an open-source project available at http://waves.sourceforge.net) and to compare it with other tools. Our results show that WAVES is a feasible platform for assessing Web application security. More
ABSTRACT by Chung-Hung Tsai
Department of Computer Science and Information Engineering, National Chiao Tung Universityapplication_vulnerability
As a large and complex application platform, the World Wide Web is capable of delivering a broad range of sophisticated applications. However, many Web applications go through rapid development phases with extremely short turnaround time, making it difficult to eliminate vulnerabilities. Here we analyze the design of Web application security assessment mechanisms in order to identify poor coding practices that render Web applications vulnerable to attacks such as SQL injection and cross-site scripting. We describe the use of a number of software-testing techniques (including dynamic analysis, black-box testing, fault injection, and behavior monitoring), and suggest mechanisms for applying these techniques to Web applications. Real-world situations are used to test a tool we named the Web Application Vulnerability and Error Scanner (WAVES, an open-source project available at http://waves.sourceforge.net) and to compare it with other tools. Our results show that WAVES is a feasible platform for assessing Web application security.  More

Federal Information Security Management Act (FISMA)

Jul 30th, 2009
by admin.
No comments yet
NIST

NIST

The National Institute of Standards and Technology (NIST) developed this document in furtherance of its statutory responsibilities under the Federal Information Security Management Act (FISMA) of 2002, Public Law 107-347.

NIST is responsible for developing standards and guidelines, including minimum requirements, for providing adequate information security for all agency operations and assets, but such standards and guidelines shall not apply to national security systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130, Section 8b(3), “Securing Agency Information Systems”, as analyzed in A-130, Appendix IV: Analysis of Key Sections. Supplemental information is provided in A-130, Appendix III.
This guideline has been prepared for use by Federal agencies. It may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright, though attribution is desired. Nothing in this document should be taken to contradict standards and guidelines made mandatory and binding on Federal agencies by the Secretary of Commerce under statutory authority, nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other Federal official. More