Thursday, May 26, 2011

Double Encoding

Description: This attack technique consists of encoding user request parameters twice in hexadecimal (percent) format in order to bypass security controls or cause unexpected behavior from the application. It is possible because the web server accepts and processes client requests in many encoded forms.
By using double encoding it is possible to bypass security filters that only decode user input once. The second decoding pass is performed by the backend platform or by modules that correctly handle encoded data but do not have the corresponding security checks in place.
Attackers can inject double-encoded sequences into pathnames or query strings to bypass the authentication scheme and the security filters used by the web application.
Some character sets are common in attacks on web applications. For example, Path Traversal attacks use “../” (dot-dot-slash), while XSS attacks use the “<” and “>” characters. The hexadecimal representation of these characters differs from the literal form that a filter is written to match.
For example, “../” (dot-dot-slash) is represented as %2E%2E%2f in hexadecimal encoding. When the % symbol is encoded again, its hexadecimal representation is %25. The result of double-encoding “../” (dot-dot-slash) is therefore %252E%252E%252F:
  • The hexadecimal encoding of “../” is "%2E%2E%2f"
  • Encoding the “%” in turn gives "%25"
  • The double encoding of “../” is therefore "%252E%252E%252F"
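As an added example (not part of the original post), the following Python shows why a single-pass filter misses the %252E%252E%252F case, a canonicalization routine that decodes to a fixpoint and counts the encoding layers it removed, and a simple detection rule for request paths that carry a second encoding layer. The function names and the sample paths are constructed for this illustration.

```python
import re
from urllib.parse import unquote

# "%25" followed by two hex digits is a percent sign that was itself
# percent-encoded, i.e. the signature of a second encoding layer.
DOUBLE_ENCODED = re.compile(r"%25[0-9A-Fa-f]{2}")


def naive_filter_allows(path: str) -> bool:
    """The weak control described above: decode once, then look for '../'."""
    return "../" not in unquote(path)


def canonicalize(value: str, max_layers: int = 3) -> tuple[str, int]:
    """Percent-decode repeatedly until the value stops changing.

    Returns (canonical_value, layers_removed). Raises ValueError when more
    than max_layers passes are needed, which no legitimate client produces.
    """
    current, layers = value, 0
    while True:
        decoded = unquote(current)
        if decoded == current:
            return current, layers
        layers += 1
        if layers > max_layers:
            raise ValueError("too many encoding layers")
        current = decoded


def hardened_filter_allows(path: str) -> bool:
    """Check the fully canonical form, and refuse anything that needed
    more than one decoding pass: that is the double-encoding case itself."""
    try:
        canonical, layers = canonicalize(path)
    except ValueError:
        return False
    if layers > 1:
        return False
    return ".." not in canonical.split("/")


def flag_double_encoded(request_paths: list[str]) -> list[str]:
    """Detection view: return the paths carrying a second encoding layer."""
    return [p for p in request_paths if DOUBLE_ENCODED.search(p)]


# Constructed sample request paths (not taken from any real log).
SAMPLE_PATHS = [
    "/files?name=report.pdf",
    "/files?name=..%2F..%2Fetc%2Fpasswd",             # encoded once
    "/files?name=%252E%252E%252F%252E%252E%252Fetc",  # encoded twice
]
```

A real deployment would canonicalize in one place before any policy check; the layer count is also a useful signal to log, since benign traffic almost never needs a second pass.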

Sunday, May 22, 2011

Myths about SSL Certificates

I saw this article in an HTTP watch blog post and, working in the SSL procurement and consulting space, I am sure to say that SSL is still a mystery ground for a lot of people. When it comes to SSL, myths come into effect more than facts. Some of their myths are:

Myth #1 – My Site Only Needs HTTPS for the Login Page

This is a commonly held view. The theory is that HTTPS will protect the user’s password during login, but that HTTPS is not needed after that.
The recently released Firesheep add-on for Firefox demonstrated the fallacy of this approach and how easy it is to hijack someone else’s session on sites like Twitter and Facebook.
The free public WiFi in a coffee shop is an ideal environment for session hijacking because:
  • The WiFi network doesn’t normally use encryption, so it’s very easy to monitor all traffic
  • The WiFi network probably uses NAT through a single IP address to access the internet. This means that a hijacked session appears to come from the same network address as the original login

Myth #2 – Anything can go in Cookies and Query Strings with HTTPS

Myth #3 – Each HTTPS Site Needs its Own Public IP Address

Myth #4 – SSL Certificates are Expensive

If you shop around you can find SSL certificates for about $10 a year, or roughly the same cost as the registration of a .com domain for a year.

Myth #5 – HTTPS Never Caches

People often claim that HTTPS content is never cached by the browser; perhaps because that seems like a sensible idea in terms of security. In reality, HTTPS caching is controllable with response headers just like HTTP.

Myth #6 – New SSL Certificates Have to be Purchased When Moving Servers or Running Multiple Servers

Saturday, May 21, 2011

Double Encoding