Business, technology, security, and the world around me

Morphing Web Applications

Over the last week I have been thinking about applications that could morph themselves based on some criteria. Mostly, I have been thinking about this with respect to web applications which could change their layout automatically based on the user’s interaction with certain parts of the application, or lack thereof.

Additionally, this week I have been doing a lot of research on web application security. Tonight the two topics merged.

What if an application could change itself in order to protect itself?  For instance, what if an application which accepts user input, submits the input via GET, and then displays the information could protect itself from being used in XSS phishing attacks even if it is vulnerable to XSS attacks?

Enter dynamic variables. The code below is a quick POC I put together to decide whether this would work. The outcome: yes, it could work. The code below is vulnerable to XSS attacks, but a crafted link would only be valid for 2 seconds because the parameter name changes and essentially expires.

I fully admit that if someone was going to go through this much trouble, they should just fix the bad code. I wanted to try this just as a POC and for purely research reasons. There may be some value in implementing a more advanced version of this in a WAF, but again it may not be worth it since there are other ways to address the problem.

Anyway, on to the code:

<?php

// The field name is the current date/time stamp: day, ISO week, year, hour, minute, second.
$var = date("dWYHis");

print "<html><form action=\"test.php\" method=\"GET\"> <input type=\"text\" name=\"$var\"> <input type=\"submit\" value=\"submit\"></form><br></html>";

// Stamp taken when the submission is processed.
$datechk = date("dWYHis");

foreach ($_GET as $key => $value) {
    // $key is the submitted field name (PHP turns an all-digit name into an integer key).
    // Accept it only if it is the current stamp or at most 2 seconds older.
    if ($key <= $datechk && $key >= $datechk - 2) {
        echo "$value"; // left unescaped on purpose: this is the XSS sink the POC keeps
    }
}

?>

The first part reads the current date and time and uses that string as the name of a field in an HTML form.

Next, once the form is submitted, the current date and time string is read into $datechk. The submitted variables are extracted and each variable name is compared to the current $datechk value to ensure it is not more than 2 seconds old. If the name equals the current date-time string or is no more than 2 seconds older, the variable is accepted and the code moves on.

Obviously, the date-time string should not be relied upon alone. It could be used if it is salted in some manner, but the key is to have a repeatable process on both ends so the variable name can be recreated and validated. Note also that dWYHis is not a monotonic counter: subtracting 2 from it wraps incorrectly at a minute boundary (…2300 − 2 is …2298, which is larger than the legitimate …2258 from two seconds earlier), so a Unix timestamp such as time() is a better base for the comparison.
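As an added example (not code from the post), here is the same idea in Python with the salting suggested above: the field name is an HMAC of a 2-second time bucket under a server-side secret, and the handler accepts the current and the previous bucket instead of subtracting from a date string. The secret, the window, the clock value used in the demo and the field-name prefix are assumptions. It also shows the output escaping that is the real fix the post says should be made.

```python
import hashlib
import hmac
import html
import time

# Assumptions for this demo (not from the original post): a per-deployment secret
# and a 2-second window matching the POC.
SECRET = b"per-deployment-secret-rotate-me"
WINDOW = 2


def field_name(now=None, window=WINDOW, secret=SECRET):
    """Form field name for the time bucket containing `now` (seconds since epoch).

    Keying the stamp with an HMAC is the 'salting' the post suggests: the name still
    changes every `window` seconds, but it can no longer be predicted or back-dated
    by anyone without the secret.
    """
    t = time.time() if now is None else now
    bucket = int(t) // window
    digest = hmac.new(secret, str(bucket).encode(), hashlib.sha256).hexdigest()
    return "f" + digest[:16]  # leading letter keeps it a valid HTML name


def render_form(now=None):
    """The GET form from the POC, with the rotating field name."""
    return ('<form action="test.php" method="GET">'
            f'<input type="text" name="{field_name(now)}">'
            '<input type="submit" value="submit"></form>')


def accept(params, now=None, window=WINDOW, secret=SECRET):
    """Values whose field name belongs to the current or the previous bucket.

    Accepting two buckets avoids the wrap-around problem of subtracting 2 from a
    dWYHis string; the cost is that a name stays valid for between `window` and
    2*`window` seconds depending on where in the bucket it was issued.
    """
    t = time.time() if now is None else now
    valid = {field_name(t, window, secret), field_name(t - window, window, secret)}
    return [v for k, v in params.items() if k in valid]


def reflect(params, now=None):
    """Echo accepted values the way the POC does, but HTML-escaped.

    The expiring name only shortens the life of a crafted link; escaping the
    output is what actually removes the XSS.
    """
    return "".join(f"<p>{html.escape(v)}</p>" for v in accept(params, now))


if __name__ == "__main__":
    t0 = 1_200_000_000                                      # constructed clock value, not a real request
    link = {field_name(t0): "<script>alert(1)</script>"}   # attacker copies the live field name
    print(accept(link, now=t0 + 1))    # within the window: still reflected
    print(accept(link, now=t0 + 60))   # a minute later: the name has rotated, value dropped
    print(reflect(link, now=t0 + 1))   # even when accepted, escaping defuses the payload
```

The clock is passed in explicitly so the behaviour can be checked deterministically; in a real handler `now` is left at its default and the secret is loaded from configuration rather than a constant.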

Sorry about the code formatting, the blog doesn’t do a great job of formatting code.

How To Assess Offshore Data Security

Hot off the presses by yours truly.

“The global IT outsourcing trend shows every sign of continuing, with two-thirds of the 2007 InformationWeek 500 tapping offshore outsourcing. With experience, companies get confident in moving ever-more-sensitive IT or business processing work abroad…[Read More]”

Ouchie – PCI sticks it to the vendors

The great folks over at the PCI council have finally done something I agree with.  They have provided a clear and concise explanation of PCI 6.6.  Typically, their direction is unclear and left to the masses to decipher.

In the new PCI 6.6 supplement, the council has given more direction on how to meet the dreaded 6.6 (should be 6.6.6) before the June 30th deadline.  Originally, many thought 6.6 would require full code reviews or a web application firewall.  Then, based on comments from Bob Russo, it looked like a mix of reviews and scanning was in order.

Alas, we were all delighted to find out that the options for 6.6 are simple.

Option 1: Application code review, which can be satisfied in any of 4 ways:

  • Manual code review of application source code
  • Proper use of automated source code analyzer (scanning) tools
  • Manual web application security vulnerability assessments
  • Proper use of automated web application security vulnerability assessment (scanning) tools

Option 2:

  • Web Application Firewall (WAF)

Now that that is cleared up, here is what I see. All of the source code assessment tool companies and web application firewall companies are in a panic. 6.6 was their pay day, but now it appears we have an easier way to achieve this by running a web application scanner such as WebInspect.

While there is definitely benefit in source code reviews, and WAFs have their place (though disputed by many), performing a review with a scanner is much more cost effective. At the end of the day, we are in business to make money and must make compromises between security and business. I think we have found that compromise for 6.6.

OMG Hackers Invade Seattle!

This weekend is toorcon Seattle. If you know, then you should be there. I, unfortunately, will not be going due to prior engagements (fancy for “I have plans”).

On a semi-related note, Microsoft’s BlueHat is the first week of May.  This means Limo races and other good fun.  Again, I did not plan properly and will have to skip the limo races but I will be around for the weekend fun.

links for 2008-03-31

Google Code University – Web Security

This URL was sent over to me by a co-worker. Looks like Google is hosting a few presentations and video related to Web Security. Worth a review.

http://code.google.com/edu/security/index.html

Silly programmers, hackers always win. +1 for corporate hackers.

Today I was investigating how a 3rd party site was streaming content from another site. The silly people tried to hide their JavaScript and HTML magic by “encrypting” the source using Encrypt HTML Pro – they also put a fake error in the source to deter me (Error 505: Source Code Unavailable).

With some JavaScript of my own, their code was reversed to human-readable form in no time. I figured out how they were getting the stream and now that is being stopped.

The run down:

Encrypt HTML Pro basically creates two parts inside your document. First, a JavaScript block that is hex encoded. This holds the function which performs the “decryption” so your browser can read the rest of the page.

Next, you have blocks (as many as you define when encrypting the code) of JavaScript code that is not readable. What tipped me off when looking at the obfuscated document was the fact that each block was JavaScript and calling the same function.

When I decoded the first block, I found the function the subsequent blocks were calling. I realized that the subsequent blocks were just pushing the obfuscated code through this function which then returned something the browser can read.

So I did the same thing. I had the function to decode everything so I just ran the subsequent blocks through the function and printed them to a local file.

I then found a few blocks of code that the author (or software) tried to use to hide more details. The author used the JavaScript function “String.fromCharCode” to encode strings they wanted to further hide. Using the JavaScript function “eval” and again printing to a text file, I got what I needed from those.

At the end, I figured out how they were getting the stream and I even thought of a better way to grab the stream and fully hide how it was being done. Oh well, luckily I work for the media company.

Silly programmers, hackers always win. +1 for corporate hackers.

P.S. Maybe now Billy Hoffman will give me some respect :P

WE ARE HIRING!!!! [Update: Position filled]

Come work in the magical world of Walt Disney – Security Engineer.

Scheduling – Quick Note

Via Darren Herman’s blog I found an old post that pointed to TimeBridge. This is an idea I thought of a long time ago but wasn’t interested in pursuing. I am glad someone did, as scheduling meetings is a huge pain for me.

I even recall mentioning this to Darren on the phone back in late 2007. Too bad he didn’t give me a heads up about this.

Tiinker

Via the ReadWriteWeb blog I found out about a new startup, Tiinker. Tiinker is a news service where news is customized to your likes. They aggregate the news, you select if you like or dislike the type of content presented to you. It learns what you like and adapts.

They utilize the user base and provide a most popular category so you can easily see what others like. They break down the content in categories so you can flip through the type of content you want to see. They will even provide you with an email of content summaries on a recurring basis. While I don’t think this is exactly what Darren Herman was asking for, it is getting closer.

So far my results have been good. I have only been using it for a day and spent about 20 minutes marking articles based on what I want to see. Time will tell but this might be a great thing for me since I am tired of the slanted views and postings of Digg but I want content on a more frequent basis than standard news sources.