Sep 30 2009

Reddit Hit by XSS Worm

Reddit (reddit.com) is a social news website, and it’s much better than Digg or Slashdot. However, it got hit today by a XSS worm that was spreading via comments on the site.

It all started with a user called, suitably enough, xssfinder. His account has already been deleted. This user posted some test comments exploiting the fact that Reddit wasn’t filtering out JavaScript in certain instances when you were hovering your mouse over text.

When xssfinder got his script working, he tested it by posting one comment to a popular link called “Guy on a bike in New York ‘high fives’ people hailing cabs”.

Reddit XSS Attack

After this, things happened quickly.

People reading comments ended up sending massive amounts of new comments to Reddit threads.

Right now things have calmed down. Reddit was never down, and Reddit administrators have closed this vulnerability. Malicious comments are being mass deleted right now.

Source: F-Secure Weblog

Sep 18 2009

“Chat-in-the-Middle” Phishing Attack via Bogus Live-Chat Support

A new, unique type of phishing attack targeted against online banking customers was recently discovered by the RSA FraudAction Research Lab. RSA has coined this as a “Chat-in-the-Middle” phishing attack and it is first executed through routine means but then presents a more advanced layer of perpetrating online fraud. The phishing attack may dupe bank customers into entering their usernames and passwords into an ordinary phishing site but the addition of a bogus live chat support window can obtain even more credentials via a live chat session initiated by fraudsters.

During the live chat session, the fraudster behind the attack presents himself as a representative of the bank’s fraud department and attempts to dupe customers who are online into divulging sensitive information – such as answers to secret questions that are used for online customer authentication. This attack is currently targeting a single U.S.-based financial institution.

Upon detecting the attack RSA immediately informed the affected financial institution and commenced a standard phishing attack shut-down procedure through the RSA Anti-Fraud Command Center and its RSA FraudAction service. (RSA cannot identify this bank in order to protect its security and privacy.) The attack is hosted on a well-known fast flux network for “hire” from fraudster to fraudster, which hosts a wealth of malicious websites such as phishing attacks, Trojans infection points, mule recruitment websites, and more.

Source: RSA FraudAction Research Lab

Sep 10 2009

Haraldscan – Bluetooth discovery scanner

The scanner will be able to determine Major and Minor device class of device, as well as attempt to resolve the device’s MAC address to the largest known Bluetooth MAC address Vendor list.

The goal of this project is to obtain as many MAC addresses mapped to device vendors as possible.

Haraldscan

Requirements:

  • Python 2.6
  • Pybluez
  • PySQLite

Installation:

  • Unpack to a directory
  • Run python haraldscan -b to build database
  • python haradscan [Options] to run Harald Scan

Download: haraldscan-0.3

Sep 05 2009

How I cross-site scripted Twitter in 15 minutes

How I cross-site scripted Twitter in 15 minutes, and why you shouldn’t store important data on 37signals’ applications
“Today the Ruby on Rails security team released a patch for a cross-site scripting issue which affected multiple high-profile applications, including Twitter and Basecamp. If you’re concerned about the issue and would like to see the patch, please read the advisory from the Rails security team. In this post, I discuss the overall process of finding the issue, and the reason why I’d suggest that no important information be stored on the 37signals applications (Basecamp, Highrise, Backpack, and Campfire).

After seeing a bug in Unicode handling in an unrelated program a few weeks ago, I suddenly had an idea: “I wonder if there are any web applications which have Unicode handling problems that might be security issues?”

My attention quickly turned to Twitter, the only web application I had open at that moment. A few minutes later, I had JavaScript from a URL query parameter falling through the escaping routines and running in the main body of twitter.com. Bingo! Cross-site scripting, the stuff that Twitter worms are made of. But was this a Twitter-specific issue, or did it affect other sites too?”
- Brian Mastenbrook

Source: Brian Mastenbrook

Sep 05 2009

mysqloit – SQL Injection Takeover Tool

MySqloit is a SQL Injection takeover tool focused on LAMP (Linux, Apache,MySql,PHP) and WAMP (Linux, Apache,MySql,PHP) platforms. It has the ability to upload and execute metasploit shellcodes through the MySql SQL Injection vulnerabilities.

Attackers performing SQL injection on a MySQL-PHP platform must deal with several limitations and constraints. For example, the lack of multiple statements in one query makes MySQL an unpopular platform for remote code execution, compared to other platforms. This tool is written to demostrate how remote code execution can be performed on a database connector that do not support stack queries.

Platform supported: Linux

Key Features:

  • SQL Injection detection using time based injection method
  • Database fingerprint
  • Web server directory fingerprint
  • Payload creation and execution

Download: MySqloitv0.1