Whitson Gordon — Windows only: If you stumble upon unwanted Windows programs, you usually have to head all the way to the Control Panel to remove it. MenuUninstaller adds an “Uninstall” option to the Windows context menu so you can remove programs right from their shortcuts.

While you probably make occasional sweeps through the Add/Remove Programs dialog, it’s more likely that you discover unwanted programs when you’re scrolling through the Start Menu, and rarely do you want to go all the way to the Control Panel just to remove a program. MenuUninstaller adds a simple “Uninstall” option to the context menu for any shortcut on your computer, letting you uninstall a program from nearly anywhere. Just install MenuUninstaller and start removing programs—it’s as simple as that.

I’ve found there were one or two programs it didn’t work on, but most of the time if it doesn’t work it’ll just open up the Add/Remove Programs window for you, thus still cutting down on the number of clicks you’d need to remove a program. Usually, though, once you hit Uninstall in the context menu it’ll take you straight to that program’s dedicated uninstaller.

MenuUninstaller is a free download for Windows only.

Using Cookies For Selective DoS and State Detection: “

28 posts left….

This is a continuation of he first post where we described how you can use cookies to DoS certain portions of the website. After our speech one of the Mozilla guys came up to us and described another attack that arises from this. Let’s say when a user logs in it sets a cookie that is 200 bytes long, and when they log out it re-sets the same cookie to 50 bytes. Well if the attacker can set a cookie with a particular path to a single image on the site, for instance, they can use JavaScript to check with an onerror event handler to see if the image has loaded.

By combining the over-long cookie (minus 50 bytes) a logged in state will cause the image to fail to load, where as a logged out state will allow the image to load just fine. In this way an attacker can tell cookie states as long as the cookies are variable width and there aren’t other cookies muddying the waters. Interesting attack, I thought!

“

(Via ha.ckers.org web application security lab.)

Using Cookies For Selective DoS: “

29 posts left…

One of the things Josh Sokol and I talked about in our presentation at Blackhat was a way to use over-sized cookies to cause a DoS on the site. The web server sees the overlong cookie and stops the request from completing. This is not new and has certainly been discussed before. However, one thing that wasn’t discussed is that using the path an attacker can selectively cause the website to stop displaying portions of the site. For instance, if the attacker wants to shut down /javascript/ or /logout.aspx or /reportabuse.aspx or whatever, they can by setting an overly-long cookie for that particular path.

Setting cookies on the target sub domain would require something like header injection/Response splitting, XSS, or a MitM attack. It should be noted though that it doesn’t have to be on the target sub domain – it can be an exploit in another sub domain because cookies don’t follow the same origin policy if the cookie is scoped to the parent domain. In this way an attacker could turn off Clickjacking prevention code (deframing scripts), or turn off other client side protections or parts of the site that are bad from an attacker’s perspective. The only real solution to this is for all browsers to start making the absolute maximum size of cookies smaller than the smallest that web servers will allow (Apache was smaller than IIS by default for instance).

“

(Via ha.ckers.org web application security lab.)

Google Dork:
inurl:”id=” & intext:”Warning: mysql_fetch_assoc()
inurl:”id=” & intext:”Warning: mysql_fetch_array()
inurl:”id=” & intext:”Warning: mysql_num_rows()
inurl:”id=” & intext:”Warning: session_start()
inurl:”id=” & intext:”Warning: getimagesize()
inurl:”id=” & intext:”Warning: is_writable()
inurl:”id=” & intext:”Warning: getimagesize()
inurl:”id=” & intext:”Warning: Unknown()
inurl:”id=” & intext:”Warning: session_start()
inurl:”id=” & intext:”Warning: mysql_result()
inurl:”id=” & intext:”Warning: pg_exec()
inurl:”id=” & intext:”Warning: mysql_result()
inurl:”id=” & intext:”Warning: mysql_num_rows()
inurl:”id=” & intext:”Warning: mysql_query()
inurl:”id=” & intext:”Warning: array_merge()
inurl:”id=” & intext:”Warning: preg_match()
inurl:”id=” & intext:”Warning: ilesize()
inurl:”id=” & intext:”Warning: filesize()
inurl:”id=” & intext:”Warning: require()

Thanks:Prens
Download: Video + tool
blind_sql.rar

http://rapidshare.com/files/312860013/blind_sql.rar

Since we talk about hacking, how about a little desktop/networking hack – how cool is to have your LEDs on keyboards to blink as you transfer data on network Try Network Lights and let us know. Windows Only.

What can you do with a pressure-sensitive keyboard? That’s what Microsoft asked 40 teams. SafeLock’s one answer: It doesn’t just know your password, but how you type it, biometrically authenticating you without creepier probes.

Having a bootable USB key is handy to have in your gear. A number of times in the past I have needed a bootable thumb drive but didn’t have time to get myself one. I needed this when I bought my first netbook, Lenovo S10. Netbooks normally do not have an optical drive and in most cases, the best cheaper option you have is by using a bootable USB drive.

You can create one with Windows 7 and below are the steps:

1. Go to your Windows 7 orb button of the left bottom side of the screen.

2. Click on the orb button

3. On the find text box, type “cmd”

4. The command prompt should appear in the search results

5. Right-click and run as administrator

6. On the command prompt type “diskpart”

7. Type in “list disk” after to start the Microsoft disk management utility

8. On the list show, make sure you write down the USBs key number you want to make bootable. Pick this out by looking at the disk space and make sure you have the thumb drive inserted.

9. Type “select disk [USB key number]”. Replace “[USB key number]”

10. Type “clean” to clean the disk, DiskPart needs your confirmation for this.

11. Enter “create partition primary” for a new partition disk

12. Type “select partition 1”, and make it active by typing “active”.

13. Format the key by typing “format fs=fat32”. Wait until this is completed.

14. Finally, type “assign” to assign this USB key a drive letter.

15. Type “exit”

Denial of Service (DoS) and distributed Denial of Service (DDoS) attacks involve an attempt to make a computer resource unavailable to its intended users. This may simply be for malicious purposes as is often the case when big commercial or famous web sites undergo a DDoS attack. However, it is also possible to exploit the system’s response to such an attack to break system firewalls, access virtual private networks, and to access other private resources. A DoS attack can also be used to affect a complete network or even a whole section of the Internet.

Commonly, attack involves simply saturating the target machine with external internet requests. In the case of a DDoS attack the perpetrator recruits other unwitting computers into a network and uses a multitude of machines to mount the attack. The result is that the resource, whether it is a website, an email server, or a database, cannot respond to legitimate traffic in a timely manner and so essentially becomes unavailable to users.

Methods for configuring a network to filter out known DoS attack software and to recognize some of the traffic patterns associated with a mounting DoS attack are available. However, current filters usually rely on the computer being attacked to check whether or not incoming information requests are legitimate or not. This consumes its resources and in the case of a massive DDoS can compound the problem.

Now, computer engineers John Wu, Tong Liu, Andy Huang, and David Irwin of Auburn University have devised a filter to protect systems against DoS attacks that circumvents this problem by developing a new passive protocol that must be in place at each end of the connection: user and resource.

Their protocol – Identity-Based Privacy-Protected Access Control Filter (IPACF) – blocks threats to the gatekeeping computers, the Authentication Servers (AS), and so allows legitimate users with valid passwords to access private resources.

The user’s computer has to present a filter value for the server to do a quick check. The filter value is a one-time secret that needs to be presented with the pseudo ID. The pseudo ID is also one-time use. Attackers cannot forge either of these values correctly and so attack packets are filtered out.

One potential drawback of the added layer of information transfer required for checking user requests is that it could add to the resources needed by the server. However, the researchers have tested how well IPACF copes in the face of a massive DDoS attacks simulated on a network consisting of 1000 nodes with 10 gigabits per second bandwidth. They found that the server suffers little degradation, negligible added information transfer delay (latency) and minimal extra processor usage even when the 10 Gbps pipe to the authentication server is filled with DoS packets. Indeed, the IPACF takes just 6 nanoseconds to reject a non-legitimate information packet associated with the DoS attack.

The Top 10 Web Application security vulnerabilities

This and the next series of blog entries will highlight the Top 10 most critical web application security vulnerabilities identified by the Open Web Application Security Project (OWASP).

You can use OWASP’s WebGoat to learn more about the OWASP Top Ten security vulnerabilties. WebGoat is an example web application, which has lessons showing “what not to do code”, how to exploit the code, and corrected code for each vulnerability.

You can use the OWASP Enterprise Security API Toolkit to protect against the OWASP Top Ten security vulnerabilties.

The ESAPI Swingset is a web application which demonstrates the many uses of the Enterprise Security API.

OWASP Top 10 number 1: XSS = Cross Site Scripting

Cross Site Scripting (XSS) is one of the most common security problems in today’s web applications. According to the SANS Top Cyber Security Risks, 60% of the total attack attempts observed on the Internet are against Web applications and SQL injection and Cross-Site Scripting account for more than 80% of the vulnerabilities being discovered. You are at risk of an XSS attack any time you put content that could contain scripts from someone un-trusted into your web pages.
There are 3 types of cross site scripting:

• Reflected XSS: is when an html page reflects user input data, e.g. from HTTP query parameters or a HTML form, back to the browser, without properly sanitizing the response. Below is an example of this in a servlet:

 out.writeln(“You searched for: “+request.getParameter(“query”);

• Stored XSS: is when an Attacker’s input script is stored on the server (eg a database) and later displayed in the web server html pages, without proper HTML filtering. Examples of this are in blogs, or forums where users can input data that will be displayed to others. Below is an example of this in a servlet data is retrieved from the database and returned in the HTML page without any validation:

out.writeln("<tr><td>" + guest.name + "<td>" + guest.comment);

• DOM XSS: is when JavaScript uses input data or data from the server to write dynamic HTML (DOM) elements, again without HTML sanitizing/escaping/filtering.

XSS can be used to:

• deface web pages
• hijack user sessions
• conduct phishing attacks
• execute malicious code in the context of the user’s session
• spread malware

Protecting against XSS

To protect against XSS all the parameters in the application should be validated and/or encoded before being output in HTML pages.

• Always validate on the server side for data integrity and security:
  • Validate all input data to the application:
  • Validate for type, format, length, range, and context before storing or displaying
  • Use white-listing (what is allowed), reject if invalid, instead of filtering out black-list (what is not allowed)
• Output encoding:
  • Explicitly set character encoding for all web pages (ISO-8859-1 or UTF 8):
    <%@ page contentType=”text/html;charset=ISO-8859-1″ language=”java” %>
  • all user supplied data should be HTML or XML entity encoded before rendering

Java specific Protecting against XSS

Validating Input with Java

• You can use Java regular expressions to validate input, this example from WebGoat allows whitespace, a-zA-Z_0-9, and the characters – and ,

String regex = "[\s\w-,]*";
Pattern pattern = Pattern.compile(regex);
validate(stringToValidate, pattern);

• Use Framework (Struts, JSF, Spring…) validators. With Java EE 6 you can use the Bean Validation Framework to centrally define validation constraints on model objects and with JSF 2.0 to extend model validation to the UI. For example here is a JSF 2.0 input field:

<h:inputText id="creditCard" value="#{booking.creditCardNumber}"/>

• Here is the JSF 2.0 booking Managed Bean using the Bean Validation Framework :

@ManagedBean
public class Booking {
 ...
 @NotNull(message = "Credit card number is required")
 @Size(min = 16, max = 16,
 message = "Credit card number must 16 digits long")
 @Pattern(regexp = "^\d*$",
 message = "Credit card number must be numeric")
 public String getCreditCardNumber() {
 return creditCardNumber;
 }
}

• In addition there are new JSF 2.0 Validators:
  • <f:validateBean> is a validator that delegates the validation of the local value to the Bean Validation API.
  • <f:validateRequired> provides required field validation.
  • <f:validateRegexp> provides regular expression-based validation
• Use the OWASP Enterprise Security API Java Toolkit’s Validator interface:

ESAPI.validator().getValidInput(String context,String input,String type,int maxLength,
   boolean allowNull,ValidationErrorList errorList)

• ESAPI.validator().getValidInput() returns canonicalized and validated input as a String. Invalid input will generate a descriptive ValidationErrorList, and input that is clearly an attack will generate a descriptive IntrusionException.

Output Encoding with Java

• You can use Struts output mechanisms such as <bean:write… >, or use the default JSTLescapeXML=”true” attribute in <c:out … >
• You can use the OWASP Enterprise Security API Java Toolkit’s ESAPI Encoder.encodeForHTML()method to encode data for use in HTML content. The encodeForHTML() method uses a “whitelist” HTML entity encoding algorithm to ensure that encoded data can not be interpreted as script. This call should be used to wrap any user input being rendered in HTML element content. For example:

Recently I was doing a little work for a client who has MyISAM tables with many columns (the same one Peter wrote about recently). The client’s performance is suffering in part because of the number of columns, which is over 200. The queries are generally pretty simple (sums of columns), but they’re ad-hoc (can access any columns) and it seems tailor-made for a column-oriented database.

I decided it was time to actually give Infobright a try. They have an open-source community edition, which is crippled but not enough to matter for this test. The “Knowledge Grid” architecture seems ideal for the types of queries the client runs. But hey, why not also try MonetDB, another open-source column-oriented database I’ve been meaning to take a look at?

What follows is not a realistic benchmark, it’s not scientific, it’s just some quick and dirty tinkering. I threw up an Ubuntu 9.04 small server on Amazon. (I used this version because there’s a .deb of MonetDB for it). I created a table with 200 integer columns and loaded it with random numbers between 0 and 10000. Initially I wanted to try with 4 million rows, but I had trouble with MonetDB — there was not enough memory for this. I didn’t do anything fancy with the Amazon server — I didn’t fill up the /mnt disk to claim the bits, for example. I used default tuning, out of the box, for all three databases.

The first thing I tried doing was loading the data with SQL statements. I wanted to see how fast MyISAM vs. MonetDB would interpret really large INSERT statements, the kind produced by mysqldump. But MonetDB choked and told me the number of columns mismatched. I found reference to this on the mailing list, and skipped that. I used LOAD DATA INFILE instead (MonetDB’s version of that is COPY INTO). This is the only way to get data into Infobright, anyway.

The tests

I loaded 1 million rows into the table. Here’s a graph of the times (smaller is better):

MyISAM took 88 seconds, MonetDB took 200, and Infobright took 486. Here’s the size of the resulting table on disk (smaller is better):

MyISAM is 787MB, MonetDB is 791MB, and Infobright is 317MB. Next I ran three queries:

Graphs of query performance time for all three databases are really not very helpful, because MyISAM is so much slower that you can’t see the graphs for the others. So I’ll give the numbers and then omit MyISAM from the graphs. Here are the numbers for everything I measured:

And here is a graph of Infobright duking it out with MonetDB on the three queries I tested (shorter bar is better):

I ran each query a few times, discarded the first run, and averaged the next three together.

Notes on Infobright

A few miscellaneous notes: don’t forget that Infobright is not just a storage engine plugged into MySQL. It’s a complete server with a different optimizer, etc. This point was hammered home during the LOAD DATA INFILE, when I looked to see what was taking so long (I was tempted to use oprofile and see if there are sleep() statements). What did I see in ‘top’ but a program called bhloader. This bhloader program was the only thing doing anything; mysqld wasn’t doing a thing. LOAD DATA INFILE in Infobright isn’t what it seems to be. Otherwise, Infobright behaved about as I expected it to; it seemed pretty normal to a MySQL guy.

Notes on MonetDB

MonetDB was a bit different. I had to be a bit resourceful to get everything going. The documentation was for an old version, and was pretty sparse. I had to go to the mailing lists to find the correct COPY syntax — it wasn’t that listed in the online manual. And there were funny things like a “merovingian” process (think “angel”) that had to be started before the server would start, and I had to destroy the demo database and recreate it before I could start it as shown in the tutorials.

MonetDB has some unexpected properties; it is not a regular RDBMS. Still, I’m quite impressed by it in some ways. For example, it seems quite nicely put together, and it’s not at all hard to learn.

It doesn’t really “speak SQL” — it speaks relational algebra, and the SQL is just a front-end to it. You can talk XQuery to it, too. I’m not sure if you can talk dirty to it, but you can sure talk nerdy to it: you can, should you choose to, give it instructions in MonetDB Assembly Language (MAL), the underlying language. An abstracted front-end is a great idea; MySQL abstracts the storage backend, but why not do both? Last I checked, Drizzle is going this direction, hurrah!

EXPLAIN is enlightening and frightening! You get to see the intermediate code from the compiler. The goggles, they do nothing!

From what I was able to learn about MonetDB in an hour, I believe it uses memory-mapped files to hold the data in-memory. If this is true, it explains why I couldn’t load 4 million rows into it (this was a 32-bit Amazon machine).

The SQL implementation is impressive. It’s a really solid subset of SQL:2003, much more than I expected. It even has CTEs, although not recursive ones. (No, there is no REPLACE, and there is no INSERT/ON DUPLICATE KEY UPDATE.) I didn’t try the XQuery interface.

Although I didn’t try it out, there are what looks like pretty useful instrumentation interfaces for profiling, debugging and the like. The query timer is in milliseconds (why doesn’t mysql show query times in microseconds? I had to resort to Perl + Time::HiRes for timing the Infobright queries).

I think it can be quite useful. However, I’m not quite sure it’s useful for “general-purpose” database use — there are a number of limitations (concurrency, for one) and it looks like it’s still fairly experimental.

via Quick comparison of MyISAM, Infobright, and MonetDB.