Sunday, January 23, 2011

Argument Injection or Modification

Description: Argument Injection or Modification is a type of Injection attack. Modifying or injecting data as an argument can lead to very similar, often identical, results as other injection attacks. It makes no difference whether the attacker injects a system command into a program's arguments or into any other part of the input that the code trusts: what matters is that untrusted data ends up controlling something the code assumed it had set itself.

Example: Knowing the pseudo code of the application, the attacker may guess what the application requires before it performs a privileged action, for example, what must be done to be authorized as the administrator.
Reading the code below, the attacker doesn't know the values of $pass and $login. The question is: is there a possibility of altering the value of $authorized without knowing those variables?

if($pass == "XXX" and $login == "XXX") { $authorized = 1; }
if($authorized == 1) { admin_panel(); }
Note that $authorized is never initialised before it is tested. If the server configuration allows it (in PHP, register_globals = On turns every request parameter into a global variable), we may try to pass $authorized=1 as input data to the application.
E.g. /index.php?login=&pass=&authorized=1
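To make the mechanism concrete, here is an added example (not code from the original post) that simulates register_globals-style behaviour in Python: the vulnerable handler merges every request parameter into the script's variable table before testing $authorized, while the fixed handler reads only the parameters it expects and initialises the decision variable itself. The credentials and query strings are constructed for the demo.

```python
from urllib.parse import parse_qs

# Constructed credentials for the demo (hypothetical; not from the original page).
VALID_LOGIN = "admin"
VALID_PASS = "s3cret"


def _params(query_string):
    """First value of each query parameter, blanks included (login=&pass=)."""
    return {k: v[0] for k, v in
            parse_qs(query_string, keep_blank_values=True).items()}


def handle_vulnerable(query_string):
    """Mirrors the page's PHP snippet under register_globals=On: every
    request parameter is copied into the script's variable table, and
    $authorized is never initialised before it is tested."""
    variables = {}                           # stands in for the PHP global scope
    variables.update(_params(query_string))  # the register_globals step

    if (variables.get("pass") == VALID_PASS
            and variables.get("login") == VALID_LOGIN):
        variables["authorized"] = 1

    # PHP's loose '== 1' also accepts the string "1" from the query string,
    # so an injected ?authorized=1 reaches admin_panel() without a password.
    return str(variables.get("authorized", 0)) == "1"


def handle_fixed(query_string):
    """Reads only the parameters it expects and sets the decision variable
    from a known starting state, so no request parameter can pre-set it."""
    params = _params(query_string)
    login = params.get("login", "")
    password = params.get("pass", "")

    authorized = False                       # initialised here, never from input
    if login == VALID_LOGIN and password == VALID_PASS:
        authorized = True
    return authorized


if __name__ == "__main__":
    attack = "login=&pass=&authorized=1"
    print("vulnerable:", handle_vulnerable(attack))   # True: admin without a password
    print("fixed:     ", handle_fixed(attack))        # False
```

Turning register_globals off (it was removed entirely in PHP 5.4) closes this particular path, but the coding habit matters on any platform: anything that mass-assigns request data into variables or objects (extract($_REQUEST), ORM mass assignment, globals().update(...)) has the same failure mode, and the fix is the same: initialise every security decision variable yourself and read input only by name.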

Tuesday, January 18, 2011

Spam Message: Well-crafted spam messages

Every day I get a fair amount of spam in my inbox. Needless to say, Gmail blocks far more spam on its own than Yahoo does. Though I tend to delete it straight away or "mark as spam", sometimes I look at the way the spammer crafted the message and how much effort he put in to lure someone into clicking the link. The more new anti-spam engines are put in place, the newer and cleverer the spam that reaches the inbox. Here is one which made me think it was legitimate at first, and only by looking at the logic did I realise it was another crafted spam...
Cool spam video from YouTube:
Examples of Typical Spam Mail
Business Opportunity Scams -- Most of these scams promise a lot of income for a small investment of time and money. Some are actually old fashioned pyramid schemes camouflaged to look like something else. Consumers should be careful of money-making schemes that sound too good to be true. They usually are.
Making Money By Sending Bulk E-Mailings -- These schemes claim that you can make money sending your own solicitations via bulk e-mail. They offer to sell you lists of e-mail addresses or software to allow you to make the mailings. What they don’t mention is that the lists are of poor quality; sending bulk e-mail violates the terms of service of most Internet service providers; virtually no legitimate businesses engage in bulk e-mailings; and several states have laws regulating the sending of bulk e-mail.
Chain Letters -- These electronic versions of the old fashioned chain letters usually arrive with claims like, "You are about to make $50,000 in less than 90 days!" But you don’t, and these electronic chain letters are every bit as illegal as the old fashioned paper versions.
Work-At-Home Schemes -- E-mail messages offer the chance to earn money in the comfort of your own home. Two popular versions pitch envelope stuffing and craft assembly. But nobody will really pay you for stuffing envelopes and craft assembly promoters usually refuse to buy the crafts claiming the work does not meet their "quality standards."
Health And Diet Scams -- These offer "scientific breakthroughs," "miraculous cures," "exclusive products," "secret formulas," and "ancient ingredients." Some come with testimonials from "cured" consumers or endorsements from "famous medical experts" no one’s ever heard of. These bogus cure-alls are just electronic snake oil.
Easy Money -- Offers such as "Learn how to make $4,000 in one day," or "Make unlimited profits exchanging money on world currency markets," appeal to the desire to "Get-Rich-Quick." If making money was that easy, we’d all be millionaires.
Get Something Free -- The lure of valuable, free items -- like computers or long-distance phone cards -- gets consumers to pay membership fees to sign up with these scams. After they pay the fee, consumers learn that they don’t qualify for the "free" gift until they recruit other "members." These scams are just low down, high tech pyramid schemes.
Investment Opportunities -- These scams may tout outrageously high rates of return with no risk. Glib, resourceful promoters suggest they have high-level financial connections; that they’re privy to inside information; or that they guarantee the investment. To close the deal, they may serve up phony statistics, misrepresent the significance of a current event or stress the unique quality of their offering. But they are not unique. They’re just like the other scams.
Cable Descrambler Kits -- For a small initial investment you can buy a cable descrambler kit so you can receive cable without paying the subscription fees. There are two small problems with these schemes, the kits usually don’t work and stealing cable service is illegal.
Guaranteed Loans or Credit, On Easy Terms -- Some offer home-equity loans, even if you don’t have any equity in your home. Others offer guaranteed, unsecured credit cards, regardless of your credit history. The "loans" turn out to be lists of lending institutions and the credit cards never arrive.
Credit Repair Scams -- These scams target consumers with poor credit records. For an up-front fee, they offer to clear up a bad credit record, or to give you a completely clean credit slate by showing you how to get an Employer Identification Number. No one can erase a bad credit record if it’s accurate, and using an Employer Identification Number to set up a new credit identity is against the law.
Vacation Prize Promotions -- Like their snail mail counterparts, these e-mail "Prize Promotions" tell consumers they’ve been selected to receive a "luxury" vacation at a bargain-basement price. But the accommodations aren’t deluxe and upgrades are expensive.
Interested in knowing more facts about spam and its statistics? Here they are...
Spam Statistics: Weekly Spam statistics
Malware Statistics: Weekly Malware Statistics
Bot-net Statistics: Weekly Bot-net statistics
And more accurate everyday stats here...

Tuesday, January 11, 2011

Mac - Google Chrome - SMH don't seem to go well

Google Chrome: the browser I always use for my everyday browsing, mainly for its speed. A couple of weeks ago, when I was browsing the internet with several web pages open, I found this interesting scenario where my Facebook friends' photos were appearing in the Sydney Morning Herald web page.
I initially thought a friend had become a celebrity to have his pic on the front page, but scrolling down the page revealed many of my Facebook friends' photos appearing in the Sydney Morning Herald page in a professional way. Find a few of the screenshots below.
All the marked arrows show the pics of the FB users from my friend list. I'm guessing this must be a bug in Google Chrome in the way it caches the page. Drilling through the source code, I am unable to find the real reason behind it, but I plan to use Burp proxy to check on this, which could give me something interesting. But meanwhile, has anyone come across anything similar, or have any suggestions on what could have happened???

Account Lock out attack

Description: In an account lockout attack, the attacker attempts to lock out all user accounts, typically by failing login more times than the threshold defined by the authentication system. For example, if users are locked out of their accounts after three failed login attempts, an attacker can lock out any account simply by failing login three times against it; all the attacker needs is the victim's user name. This attack can result in a large-scale denial of service if all user accounts are locked out, especially if the amount of work required to reset the accounts is significant.

Example: Account lockout attacks are used to exploit authentication systems that are susceptible to denial of service. A well-known example of this type of attack involved eBay. eBay used to display the user id of the highest bidder (they have since changed this). In the final minutes of the auction, one of the bidders could try to log in as the highest bidder three times. After three incorrect login attempts, eBay's password throttling would kick in and lock out the highest bidder's account for some time. An attacker could then place their own bid, and the victim would not have a chance to place a counter bid because they were locked out. Thus an attacker could win the auction.
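As an added example (not part of the original post, and not eBay's code), the following Python simulation replays the auction scenario against two lockout policies. NaiveLockout locks the account itself after three failures from anyone, which is exactly what the attacker needs; SourceScopedLockout counts failures per (account, client source), so the attacker can only block the sources it controls. The user name, password and IP addresses are constructed for the demo, and the three-strike threshold is taken from the description above.

```python
from collections import defaultdict

THRESHOLD = 3  # failed attempts before lockout, as in the description


class NaiveLockout:
    """Locks the account after THRESHOLD failures, whoever caused them."""

    def __init__(self, users):
        self.users = users              # {username: password}, constructed demo data
        self.failures = defaultdict(int)
        self.locked = set()

    def login(self, user, password, source_ip):
        if user in self.locked:
            return "locked"
        if self.users.get(user) == password:
            self.failures[user] = 0     # a successful login resets the counter
            return "ok"
        self.failures[user] += 1
        if self.failures[user] >= THRESHOLD:
            self.locked.add(user)       # anyone who knows the user name can reach this
        return "denied"


class SourceScopedLockout:
    """Counts failures per (account, source); a remote attacker can only
    lock the sources it controls, not the account owner's own session."""

    def __init__(self, users):
        self.users = users
        self.failures = defaultdict(int)
        self.locked = set()

    def login(self, user, password, source_ip):
        key = (user, source_ip)
        if key in self.locked:
            return "locked"
        if self.users.get(user) == password:
            self.failures[key] = 0
            return "ok"
        self.failures[key] += 1
        if self.failures[key] >= THRESHOLD:
            self.locked.add(key)        # the guessing source is shut out, nobody else
        return "denied"


def auction_scenario(policy_cls):
    """The eBay sequence: the attacker fails THRESHOLD logins as the highest
    bidder, then the real bidder tries to log in with the correct password.
    Returns (attacker's last result, bidder's result)."""
    users = {"highbidder": "correct-horse"}                # constructed demo account
    policy = policy_cls(users)
    attacker_ip, bidder_ip = "203.0.113.5", "198.51.100.7"  # RFC 5737 documentation ranges

    attacker_result = None
    for _ in range(THRESHOLD):
        attacker_result = policy.login("highbidder", "wrong-guess", attacker_ip)

    bidder_result = policy.login("highbidder", "correct-horse", bidder_ip)
    return attacker_result, bidder_result


if __name__ == "__main__":
    print("naive :", auction_scenario(NaiveLockout))          # ('denied', 'locked')
    print("scoped:", auction_scenario(SourceScopedLockout))   # ('denied', 'ok')
```

Per-source counting is a mitigation, not a cure: an attacker with a botnet or a large proxy pool can still burn through sources. Production systems therefore usually combine it with a short, time-limited lockout (minutes, not "until an administrator resets it"), a CAPTCHA or step-up challenge once a per-account failure rate is exceeded, and a notification to the owner, rather than a hard lock that turns the authentication system into a denial-of-service tool.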