Thursday, November 11, 2010

CSRF mitigation: 4images Gallery's comprehensive approach

Once in awhile, in my quest to break (and promote fixing of) every web application I encounter, I have email discussions with some excellent people who reach out to me after the initial advisory during a coordinated disclosure.
Such was the case with Kai S. of Dots United GmbH, the team who develops the 4images Gallery.
Just a day or two after he'd been contacted by Secunia, whom I submit my vulnerability findings to for disclosure coordination, I heard directly from Kai. He asked me to provide more detail with regard to the finding indicating that 4images Gallery accepted "HTTP requests without performing any validity checks to verify the request", better known as cross-site request forgery (CSRF).
After replying with my proof of concept and some resource material, Kai replied that he would "forward this to our developers so we can release a fixed version".
On October 27 Dots United released a fix for all versions up to and including 1.7.8.
On November 10, the 4images Gallery team released version 1.7.9 inclusive of global CSRF mitigation.
In addition to a deserved "Well done!" for excellent communication as well as a timely fix turnaround, I'd like to applaud their direct approach to the fix, seemingly based on OWASP recommendations. Should all web application developers take a similar path, we'd likely see a reduction in CSRF vulnerability statistics.

Let me walk you through some of the 4images Gallery CSRF mitgation methods.
The core of the protection is includes/csrf_utils.php; CSRF protection is enabled by default.
As created by csrf_utils.php, generate a random MD5-derived token:

Return said token to the form as follows:

Then when some jerk like me comes along and throws something nasty at an admin...

...the attacker is thwarted by a unique, random token.

Add to the above-mentioned functionality the fact that the 4images devs allow you to take advanced control of CSRF protection via the config.php file. You can manage the default bit or maintain granular control of frontend/backend protection, token expiration, CSRF protection variable naming, and even XHTML vs. HTML.

I appreciate the efforts undertaken by Kai and the Dots United team in response to this vulnerability, and look forward to other development teams/vendors hopefully taking a similar tack.
Happy sailing. ;-) | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Tuesday, November 02, 2010

toolsmith: Confessor & Mole for IR & security analysis

As November 2010's toolsmith kicks off the fifth year of the column for the ISSA Journal, I am proud to use it as an opportunity to announce the official release of Bryan Casper's Confessor and Kris Thomas' MOLE.
I discussed these tools at ISSA International in September and again at SecureWorld Expo Seattle, and after a slight delay to clarify licensing (they're released under the Microsoft Public License (Ms-PL), both tools are available for you on CodePlex.
These tools were born of needing better utilities for incident response and security analysis in complex, massive cloud-like environments.
If you'd like a copy of the above-mentioned presentation, please contact me and I'll send it to you.

As described in the article, Bryan's Confessor answers the challenge of collecting system logs and attributes on hundreds or even thousands of systems at the same time, utilizing the same tools as MIR-ROR, but deploying them in an enterprise capable manner.
Note: Since the article's release Confessor has been updated to pass domain credentials via the UI and process host names as well as IP addresses.

Kris' MOLE was spawned improve on a method I’d been utilizing to cull malware from malicious URLs sent across Windows Live Messenger. Where I’d been using a specific wget string at the command-line Kris built MOLE (Malicious Online Link Engine) as a wrapper for wget that includes many additionally useful features.

We find these tools incredibly useful and are very pleased to be able to release them for public consumption as freely available and open source.

The article is here, Confessor is here, and MOLE is here.

Please ping me if you have questions; we look forward to your feedback.
Comments welcome here or via email. | digg | Submit to Slashdot

Please support the Open Security Foundation (OSVDB)

Moving blog to

toolsmith and HolisticInfoSec have moved. I've decided to consolidate all content on one platform, namely an R markdown blogdown sit...