« March 2010 | Main | January 2011 »

November 2010

November 22, 2010

Scanning for Client-Side JavaScript Vulnerabilities

In a few weeks, our team is going to publish a new research whitepaper, which explores the prevalence of client-side JavaScript vulnerabilities such as DOM-based XSS, in real world web applications. For this research, we used a new IBM technology called JavaScript Security Analyzer (JSA), which performs static taint analysis on JavaScript code that was collected from web pages extracted by an automated deep web crawl process. JSA is included in Rational AppScan Standard Edition v8.0, which was recently launched.

Here’s a short summary which explains how JSA works:

JSA goes over all URLs visited by AppScan’s web crawler, one by one. For each URL, JSA saves the entire HTTP response stream. JSA then looks for JavaScript entry points in the current visited URL, and applies a set of JavaScript-specific taint analysis rules. These rules include specifications of source, sink, and sanitizer functions. JSA reports on data flows from source to sink that do not go through a sanitizer. JSA reports on six different issue types: DOM-based XSS, JavaScript Code Injection, JavaScript Open-Redirect, CSRF Bypass, Dual Session Issues, Port Manipulations, Protocol Manipulations.

Issues reported by JSA appear in AppScan Standard Edition. Trace information for each issue is displayed in the issue information pane in AppScan (see image below)

issue

Continue reading "Scanning for Client-Side JavaScript Vulnerabilities" »

Posted by on November 22, 2010 | | Comments (0) | TrackBack (0)

| |

November 16, 2010

Vtiger CRM Path Traversal & Malicious Code Execution Vulnerabilities

Summary:

A Path Traversal vulnerability exists in Vtiger CRM release 5.1.0 (Linux) and 5.2.0RC (Windows), which allows a malicious user to view the contents of any file that resides on the machine on which Vtiger CRM is installed. In addition, when the malicious user can place his/her own PHP file on the same machine, this vulnerability can be used in order to execute the contents of that PHP file under the permissions used by the Vtiger CRM application.

Description:

the vulnerability exists in the parameter 'login_theme', which is passed as a part of the login request to the application, as can be seen below:

[Login, HTTP Request - Line Wrapped]

POST /vtigercrm/index.php HTTP/1.1
Content-Length: ...
Content-Type: application/x-www-form-urlencoded
Host: www.vuln.site
Connection: Keep-Alive

module=Users&action=Authenticate&return_module=Users&return_action=Login&
user_name=standarduser&user_password=user&login_theme=[MALICIOUS_PAYLOAD]&
login_language=en_us&Login.x=41&Login.y=20

[End of HTTP Request]

In order to exploit this vulnerability, a malicious user can manipulate the value of the 'login_theme' parameter, to a value such as:

Continue reading "Vtiger CRM Path Traversal & Malicious Code Execution Vulnerabilities" »

Posted by on November 16, 2010 in Info Bits, Research, Web Application Security | | Comments (0) | TrackBack (0)

| |

November 10, 2010

Babylon Cross-Application Scripting

Hey,

Recently Yair Amit and I have discovered a Cross-Application Scripting (CAS) vulnerability in Babylon which can lead to Remote Code Execution.

The advisory can be downloaded here.

A video which demonstrates the issue:

 

We would like to thank the Babylon team for their quick responses and the efficient way in which they handled this security issue.

-Roee

Posted by on November 10, 2010 | | Comments (0) | TrackBack (0)

| |

Follow us on Twitter

IBM Application Security Insider
IBM Application Security Insider

AppScan Free Trial


Try IBM Security AppScan software at no charge.

Search

Recent Posts

Archives

Categories

Pages

Become a Fan