Monday, October 18, 2010

httpry: Packet sniffer

httpry is a tool specialized for the analysis of web traffic. The tool itself can be used to capture traffic (httpry -o file) but other other tools are better suited for that such as tcpdump, Snort, Sguil. When it comes to finding out if certain types of files were downloaded via http, this tool does a super job. It can be used in combination with regular expressions (Regex) to find if a file, a script or a malware was downloaded from site or by a host and will ignore everything else. Whether the http traffic is using port 80, 443, 8080, etc, it will parse and display all the web traffic using this simple command
httpry is a specialized packet sniffer designed for displaying and logging HTTP traffic. It is not intended to perform analysis itself, but to capture, parse, and log the traffic for later analysis. It can be run in real-time displaying the traffic as it is parsed, or as a daemon process that logs to an output file. It is written to be as lightweight and flexible as possible, so that it can be easily adaptable to different applications.
What can you do with it? Here's a few ideas:
  • See what users on your network are requesting online
  • Check for proper server configuration (or improper, as the case may be)
  • Research patterns in HTTP usage
  • Watch for dangerous downloaded files
  • Verify the enforcement of HTTP policy on your network
  • Extract HTTP statistics out of saved capture files
  • It's just plain fun to watch in realtime
download link: click here

Saturday, October 2, 2010

XSS hack on Twitter

A security researcher from Indonesia had discovered a persistent XSS vulnerability also called script injection on twitter dot com. With this hack, a malicious individual could exploit user account or infect them with spyware, malware and adware..Soon this is been reported to twitter secuirity team and corrected..
This hack is majorly due to lack of input validation of the application name field when accepting new requests for Twitter applications. Visiting his account on Twitter results in a pair of classic cross site scripting alert boxes, then your browser is manipulated, finally you enter the matrix (see below), and get messages from the researcher who found the vulnerability.
this interesting paper walks you through the attack scenario in steps...
As demonstrated in the past, XSS vulnerabilities in Twitter have been successfully used to take over accounts and create worms (Mikeyy, StalkDaily). Infection (account takeover) can be accomplished simply by visiting a profile with an include of a malicious Javascript, making a true self propagating web site worm possible as opposed to other more recent attacks based on phishing a user’s credentials with a fake Twitter login screen.This might be Twitter’s first serious cross site scripting vulnerability since the beginning of this year. Twitter has to correct this quickly as it was public knowledge before this post, and has been for days.