Showing posts from February, 2010

Online finance flaw: Ameriprise III - please make it stop

NOTE: This issue was disclosed responsibly and repaired accordingly.

"Now what?", you're probably saying. Ameriprise again? Yep.
I really wasn't trying this time. Really.
There I was, just sitting in the man cave, happily writing an article on version control and regression testing.
As the Ameriprise cross-site scripting (XSS) vulnerabilities from August 2009 and January 2010 were in scope for the article topic, due diligence required me to go back and make sure the issue hadn't re-resurfaced. ;-)
I accidentally submitted the JavaScript test payload to the wrong parameter.
What do you think happened next?
Nothing good.
I reduced the test string down to a single tic to validate the simplicity of the shortcoming; same result.

At the least, this is ridiculous information disclosure, if not leaning heavily towards a SQL injection vulnerability.
As we learned the last twotimes we discussed Ameriprise, the only way to report security vulnerabilities is via their PR department…

Directory traversal as a reconnaissance tool

Like most of you, I find malicious or fraudulent online advertisers annoying to say the least.
My typical response, upon receipt of rogue AV pop-ups, or redirects to clearly fraudulent sites, is to "closely scrutinize" the perpetrating site.
This effort often bears fruit as is evident in the following analysis.

My interest was recently peaked when being made aware of a number of related sites committing abuse against a variety of brands; all quite clearly in violation of copyrights and trademarks.
An example, for your consideration:
After a little exploration it was quickly determined that these cretins seek only to con victims out of credit card data with the promise of illegal downloads for a fee.
Apparently these dbags have been at it for awhile.
They make it look like you're going to receive access to a legitimate offering then they suck you in to
This, of course, pissed me off, to the races.
A poke here, a tickle ther…

toolsmith: Firefox Addons for the Security-minded

Few websites are safe from a hearty probe when I come by for a visit, and I'd be remiss if I didn't share some of my favorite Firefox add-ons utilized as part of said probing.
I opted to do just this as the topic for February's toolsmith, and focused on the expected standards (NoScript, FoxyProxy Standard, BetterPrivacy, and Torbutton) as well as some of my less known favorites.

Justin Morehouse’s PassiveRecon will let you dig up everything you ever wanted to know about a given site you may be browsing or analyzing.

WorldIP from is very cool and very useful.
It provides everything you could every need to know or trace with regard to IP addresses and geolocation.

I saved the best for last; a new powerhouse in my web app sec arsenal.
Felipe Moreno-Strauch’s Groundspeed, a newer add-on “that allows security testers to manipulate the application user interface to eliminate annoying limitations and client-side controls that interfere with th…