1. 10:10 4th Sep 2009

    A flaw in Rails’ handling of Unicode opens a hole in some of the framework’s largest applications. Twitter handled the disclosure gracefully, as did the Rails team… 37Signals, not so much.

     
      |  Comments  |  Permalink
  2. Banking giant HSBC France was exposed today with a multitude of unforgivable security failures, including MS-SQL injection that led to the disclosure of plaintext (and weak) administrator passwords. Unu, the same tester behind the UK Parliament SQL injection of a few days ago, now presents the clusterfuck that is HSBC France security.

     
      |  Comments  |  Permalink
  3. While Facebook’s own security awareness seems to be quite high and no serious flaws have been found in its core software, the Facebook API and application platform have become a continual source of nightmares for its security staff. With an API that open and that many users reachable through it, every single third-party Facebook application must look like low-hanging fruit to anyone with a payload to inject.

    September has been declared the Month of Facebook App Bugs by security researcher theharmonyguy. And he isn’t targeting small fry either: the major exploits he has already located and disclosed exist in such widely installed apps as SuperPoke!, Causes, and Farmville. The latter two have nearly 30 million users in their install base EACH. That is 60 million people on Facebook who were exposed to cross-site scripting and even trojan installation simply because they were using a Facebook app they assumed was secure.

    The assumption that the platform operator vouches for third-party code should end here. No one should trust a Facebook application… ever. Facebook simply isn’t checking them closely enough. Not only has he located XSS in the most popular Facebook apps, but today he is highlighting an SQL injection currently exposed by a Facebook Verified App (which supposedly means Facebook went over the code and certified it secure). Hello, Bobby Tables!

    From theharmonyguy:

    Beginning tomorrow, September 1st, I will begin posting full technical details of cross-site scripting vulnerabilities that I have discovered in Facebook applications. Following the model of the Month of Twitter Bugs, I will notify each application developer 24 hours prior to revealing any holes. After 24 hours have passed, I will publish a new post on theharmonyguy.com with the title “FAXX Hack:” (for Facebook Application XSS/XSRF) and the name of the application… At this time, I have found five widely used Facebook applications vulnerable to XSS.

     
      |  Comments  |  Permalink
  4. The Register, via Romanian hacker “Unu”, disclosed serious web security issues on the UK Parliament website today. The flaws described are three of the most common:

    1. Plaintext passwords stored in the database. Never do this. Period. As a developer, you’re asked to do this so that people can easily retrieve their passwords via email or a call to support. Just say no. Store only a salted, deliberately slow hash (bcrypt or PBKDF2) and offer a reset instead of a retrieval. Not only do you get exposures like this, but anyone who gets at the database, and the plaintext passwords within, very likely gains access to accounts on other sites where the same users reuse the same weak passwords.
    2. Weak passwords. If your data has some modicum of secrecy or value, enforce a password policy: minimum length, a mix of numbers, symbols and capitals, and a check against common dictionary words. As shown in the article, many of the passwords exposed were easily guessable or dictionary-crackable even without the SQL injection.
    3. SQL injection. You can see in the URL from the screenshot how the researcher exposed the most important flaw, SQL injection, which led to the previous two. He closed out the site’s own query in the URL and appended his own (likely selecting the usernames and passwords from a guessed table name like, oh, “users” or “admin”, keyed by their user IDs). The fix, in any language, is parameterized queries (prepared statements): the user-supplied value is bound separately and is never parsed as SQL. Escaping and sanitizing the input by hand also stops this, but it is easy to get wrong and should be a fallback, not the primary defence.

    Those are three dangerous flaws that many sites suffer from but it is unfortunate to see all three exposed at once and in a large governmental organization.
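    As an added illustration of all three points (this is example code written for this post, not the Register’s, Unu’s or the Parliament site’s own code), here is a Python/SQLite stand-in for the kind of page that was hit: a lookup that concatenates a URL parameter into SQL, the UNION payload that turns it into a dump of the users table, the parameterized version that is immune, and salted PBKDF2 hashing so that even a successful dump yields no reusable credentials. The schema, table names, sample rows and the exact payload are assumptions for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

PBKDF2_ROUNDS = 100_000  # assumed work factor; tune upward for real deployments


def build_db():
    """Constructed in-memory stand-in for a CMS database. The schema, table
    names and rows are assumptions for this demo, not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE articles (id INTEGER PRIMARY KEY, title TEXT, body TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.executemany("INSERT INTO articles VALUES (?, ?, ?)", [
        (1, "Hansard", "Debate transcript"),
        (2, "Committees", "Committee schedule"),
    ])
    # Plaintext passwords: exactly the mistake described above.
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", [
        (1, "admin", "password1"),
        (2, "webmaster", "summer09"),
    ])
    conn.commit()
    return conn


def article_vulnerable(conn, article_id):
    """Vulnerable: the id taken from the URL is concatenated into the SQL text,
    so an attacker can finish the intended WHERE clause and append a UNION."""
    query = "SELECT title, body FROM articles WHERE id = " + article_id
    return conn.execute(query).fetchall()


def article_safe(conn, article_id):
    """Hardened: the value is bound as a parameter. The driver never parses it
    as SQL, so a UNION payload is just a string that matches no id."""
    return conn.execute(
        "SELECT title, body FROM articles WHERE id = ?", (article_id,)
    ).fetchall()


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256: what the users table should hold, so that a
    dump yields hashes rather than passwords reusable on other sites."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + digest.hex()


def verify_password(password, stored):
    """Recompute the hash with the stored salt and compare in constant time."""
    salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ROUNDS
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


# Attacker-controlled value, as it might arrive URL-encoded in ?id=...
# (assumed payload; a UNION needs the same column count as the original SELECT).
PAYLOAD = "1 UNION SELECT username, password FROM users"


def demo():
    conn = build_db()
    return {
        "normal": article_safe(conn, "1"),
        "dumped_by_injection": article_vulnerable(conn, PAYLOAD),
        "parameterized_under_attack": article_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
    stored = hash_password("password1")
    print("stored form:", stored)
    print("verify correct:", verify_password("password1", stored))
    print("verify wrong:", verify_password("letmein", stored))
```

    Run it and the vulnerable lookup returns the admin and webmaster credentials alongside the article, while the parameterized lookup returns nothing for the same payload; with the hashing in place, even the successful dump would expose only salts and PBKDF2 digests.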

     
      |  Comments  |  Permalink