Friday, September 28, 2012

Cross-Site Request Forgery against applications that use JSON RPC

Cross-site request forgery is a common and well-known web application vulnerability. Most of the time, exploiting these vulnerabilities is relatively straightforward: you just need to set up a proper HTML form or even use a simple URL. Sometimes, however, things can get a little more complicated. One such example is when the targeted application is using JSON-RPC.

JSON-RPC is a simple mechanism for issuing a remote procedure call using JSON notation and HTTP. When issuing a JSON-RPC request, the browser will send a POST request to some URL, and the body of the request will be JSON-encoded data, like this:

{"jsonrpc": "2.0", "method": "subtract", "params": [42, 23], "id": 1}

More on JSON-RPC can be found here

Now, the problem is how to create a CSRF attack against an application that is expecting these kinds of POST requests. Using Ajax (XMLHttpRequest) will not help you, since the browser will check for permission to do a cross-domain request (using an OPTIONS request).

We at DefenseCode would like to share a little trick that we use in our penetration tests. You can use this trick to construct an HTML form that will force the browser to submit a proper JSON RPC request to the target application.

The problem with HTML forms is that input elements need to have a name; without a name, the browser will not send the data even if you specify a value for the element. To get around this, you can set only the name of the input element, without a value. For example:

<input name="test_name" />

The browser will send "test_name=" (without the quotes) to the server. Now, if you set the name of the element to the body of the JSON-RPC request, the browser will send it. Since the body of the JSON request contains special characters, you should put it inside the HTML using single quotes, or you can use a little JavaScript, like this:


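<script>
function modifyForm() {
    // The JSON-RPC body becomes the name of the first input, so it is sent as form data.
    document.forms[0].elements[0].name = "{\"jsonrpc\": \"2.0\", \"method\": \"subtract\", \"params\": [42, 23], \"id\": 1}";
    return true;
}
</script>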
<form name="csrf_form" method="POST" action="https://example.com/rpchandler" onsubmit="modifyForm();">
    <input name="test" />
    <input type="submit" />
</form>


This form will cause the browser to send the JSON-RPC data in the body of the POST request to our target URL (with an equal sign at the end). Only one little problem remains. By default, the browser will URL-encode the body, and this will break the JSON-RPC parser. To get around that, we can use the enctype="text/plain" attribute on the form. text/plain will cause the browser to skip URL-encoding. It will only turn spaces into + signs, but luckily we don’t need spaces in JSON :) So, our form for attacking a JSON-RPC web application will look like this:


<script>
function modifyForm() {
    // Same trick as above, with the spaces removed from the JSON body.
    document.forms[0].elements[0].name = "{\"jsonrpc\":\"2.0\",\"method\":\"subtract\",\"params\":[42,23],\"id\":1}";
    return true;
}
</script>
<form name="csrf_form" method="POST" action="https://example.com/rpchandler" enctype="text/plain" onsubmit="modifyForm();">
    <input name="test" />
    <input type="submit" />
</form>
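
Seen from the server, the request this form produces arrives with a Content-Type of text/plain and a body that ends in "=". The following is an added example, not code from the original post, of a server-side gate that rejects such a request; the function name, the allowed origin and the sample requests are assumptions constructed for illustration.

```javascript
// Added defensive example; checkJsonRpcRequest and ALLOWED_ORIGINS are hypothetical names.
const ALLOWED_ORIGINS = new Set(["https://app.example.com"]); // assumed front-end origin

// Content types an HTML form can send cross-site without a CORS preflight.
const FORM_TYPES = new Set([
  "application/x-www-form-urlencoded", "multipart/form-data", "text/plain",
]);

function mediaType(value) {
  // "text/plain; charset=UTF-8" -> "text/plain"
  return String(value || "").split(";")[0].trim().toLowerCase();
}

// req: { method, headers (lower-case keys), body (raw string) }
function checkJsonRpcRequest(req, allowedOrigins = ALLOWED_ORIGINS) {
  if (req.method !== "POST") return { ok: false, reason: "method" };

  const type = mediaType(req.headers["content-type"]);
  if (FORM_TYPES.has(type)) return { ok: false, reason: "form-content-type" };
  if (type !== "application/json") return { ok: false, reason: "content-type" };

  // Assumed policy for a browser-only API: Origin must be present and known.
  const origin = req.headers["origin"];
  if (!origin || !allowedOrigins.has(origin)) return { ok: false, reason: "origin" };

  // Strict parse of the whole body: the trailing "=" a form adds makes this throw.
  let msg;
  try {
    msg = JSON.parse(req.body);
  } catch (e) {
    return { ok: false, reason: "json" };
  }
  if (msg === null || typeof msg !== "object" ||
      msg.jsonrpc !== "2.0" || typeof msg.method !== "string") {
    return { ok: false, reason: "jsonrpc" };
  }
  return { ok: true, reason: "accepted", call: msg };
}

// Constructed sample requests (not captured traffic).
const RPC_BODY = '{"jsonrpc":"2.0","method":"subtract","params":[42,23],"id":1}';
const formPost = { method: "POST", body: RPC_BODY + "=",
  headers: { "content-type": "text/plain", origin: "https://other.example" } };
const appPost = { method: "POST", body: RPC_BODY,
  headers: { "content-type": "application/json", origin: "https://app.example.com" } };

console.log(checkJsonRpcRequest(formPost).reason, checkJsonRpcRequest(appPost).reason);
```

The content-type check alone stops the form-based request, because a form cannot set application/json; the Origin and strict-parse checks cover handlers that would otherwise accept the body leniently.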

Thursday, September 27, 2012

DefenseCode @ FSEC - FOI Security Symposium 2012


FSEC Security Symposium (http://fsec.foi.hr), held at Varazdin's FOI, was the only proper information security event held this year in Croatia where IT security specialists could gather and discuss the latest trends in information security.

DefenseCode experts attended the symposium to present and share their findings and expertise on topics connected to information security.

The first keynote was given by American cryptographer and computer security specialist Bruce Schneier. DefenseCode's CEO Leon Juranic held a presentation concerning security product development. Drawing on his own firsthand experience in security software development, Juranic covered the development process and its different phases in an IT security context, concentrating on crucial details that may make or break the project.

Leon also covered more technical aspects of security software development and presented new DefenseCode products including the ThunderScan source code analyzer and the DefenseCode Web Scanner intended for blackbox security audits.

You can download the presentation at the following link:
http://www.defensecode.com/public/DefenseCode_Security_Products_Development_Presentation.pdf

Sunday, September 23, 2012

A short insight into ADSL security

Recently, one of our security researchers has been working on a project related to ADSL security.
During his research with various ADSL routers, cameras, and other devices, he also created a simple program that performs a brief online test of ADSL device security.

The program (in fact, a script) will try to connect to your ADSL modem and perform two security checks:
1. It will try to determine if the remote administration interface is enabled
2. It will also try to log in with the default password

If these two checks return positive results, it means that your ADSL modem is not properly configured and is wide open to hacking attacks.

Check how secure your ADSL router is...
The script is available here:
http://www.defensecode.com/cgi-bin/adsl-security-check.cgi

Regards,
Leon Juranic
CEO

Thursday, September 13, 2012

Welcome!!!


Dear visitor, hello and welcome to our blog :)

DefenseCode is an IT start-up focusing on information security. Our goal is to develop products to
automate detection of vulnerabilities in web application code and to provide information security
services to a wide variety of internet businesses.

We are a relatively young company made up of seasoned IT/information security professionals
interested in anything and everything even remotely related to information security.

This is why we started this blog. Here we will analyze, comment on and share developments from all
branches of the information security business. We're going to write about computer security, security
research, web application security, penetration testing and broader general topics.

To begin with, web application security is a widely underappreciated aspect of information security.
While companies spend millions of dollars securing their information infrastructure from malicious
programs, spending lots of money and manpower perfecting their firewalls, hardening their
communications, analyzing routers and demilitarized zones, often enough they spend zero time on
the one thing that remains open to the Internet – their web applications, usually connected to the
databases containing data vital to their businesses.

This is where we fit in – and we're going to share our experiences and the knowledge we gained from working in the field that helped us shape and implement our products. We are going to talk about safe programming practices, and why they are often neglected or misunderstood.

While there are many different kinds of vulnerabilities in modern web application code, there are
some that are more prominent than others. By exposing these frequently found errors in code that leave
your system vulnerable, we hope to demonstrate the abilities of DefenseCode software and provide you
with an explanation of why these vulnerabilities occur and how to avoid or mitigate them in the future.

This blog will hopefully provide you with insight and accurate advice on information security. We are always available for consultation and advice, so feel free to contact us here or through our website.

Kind Regards,
Leon Juranic
CEO