websecuritytool Issue Tracker Rss Feed

Closed Feature: NEW CHECK - detect when domain lowering occurs through javascript [4062]

chrisweber — Fri, 01 Jul 2011 06:17:52 GMT

Domain lowering is a method commonly used for sharing functionality across subdomains of a site. For example, when sub.foo.bar wants to access data or functions in sub2.foo.bar, it can 'lower' the document.domain property to foo.bar in javascript. This will create a cross-domain scenario where all subdomains of foo.bar can communicate freely.
Comments: Complete.

Closed Issue: NEW CHECK - Strict Transport Security (STS) [4100]

chrisweber — Fri, 01 Jul 2011 06:17:31 GMT

Reference: http://www.thesecuritypractice.com/the_security_practice/2009/12/new-rev-of-strict-transport-security-sts-specification.html

Check for presence of STS HTTP Header from server response.
To reduce noise, only raise one alert per site/domain.
Comments: Complete.

Closed Issue: Enable closing the ProgressDialog [5812]

chrisweber — Fri, 01 Jul 2011 06:17:05 GMT

In the WatcherProgressDialog can we set ControlBox=True and disable the form from being closed and disposed? Right now the 'x' button is disabled so users cannot close the dialog box, preventing it from being disposed prematurely. It would instead be nice to allow people to close it if they wanted.
Comments: Done.

Closed Issue: Enable offline processing of Fiddler archive (.SAZ) files [5811]

chrisweber — Fri, 01 Jul 2011 06:16:51 GMT

Add a button for “Process Sessions” to the UI that would call FiddlerApplication.UI.GetAllSessions() or FiddlerApplication.UI.GetSelectedSessions() and then run Watcher rules on each Session object returned by that call.
Comments: Complete.

Created Issue: Javascript check for eval() does not ignore comments [5813]

chrisweber — Mon, 13 Dec 2010 17:39:30 GMT

Comments containing eval() should be ignored.

// item A: restricted from using eval() function
// eval("window." + i.toString().toUpperCase() + " = " + n++);

//tt_op = (document.defaultView && typeof(eval("w");
// item B: restricted from using eval() function

/* for(var i in config)
{
s = "window." + i.toString().toUpperCase();
if(eval("typeof(" + s + ") == tt_u")) // item C:
restricted from using eval() function
{
eval(s + " = " + tt_aV.length);
tt_aV[tt_aV.length] = null;
}
}
*/

Created Issue: Enable closing the ProgressDialog [5812]

chrisweber — Wed, 17 Nov 2010 20:04:00 GMT

Created Issue: Enable offline processing of Fiddler archive (.SAZ) files [5811]

chrisweber — Thu, 11 Nov 2010 19:38:47 GMT

Created Feature: Random thoughts from Adrien [5810]

chrisweber — Tue, 09 Nov 2010 22:20:18 GMT

- Dump the contents of all JSON arrays, or just flag that a ton of data is being pushed down but not displayed
- List all hidden or disabled fields
- Collect all cookies
- Flag cookies that might be used for session management with stupidly short values?
- Try to identify potential CSRF (predictable parameters)
- Identify potential CRLF injection (HTTP response splitting)
- Identify if client side validation is being pushed down to the browser
- Possibly more information disclosure checks
- Clear text passwords
- Forms with autocomplete
- Directory indexes or that allow uploads
- A general check for files known to have common vulnerabilities?
- Fingerprint server, frameworks, ...

Closed Issue: Majestic12.HTMLheuristics.SetHash overflow [3999]

chrisweber — Tue, 09 Nov 2010 20:12:46 GMT

---------------------------
Uncaught Exception in Session #1
---------------------------
Fiddler has encountered an unexpected problem. If you believe this is a bug in Fiddler, please copy
this message by hitting CTRL+C, and submit a bug report using the Help | Send Feedback menu.

Arithmetic operation resulted in an overflow.
Source: CasabaSecurity.Web.Watcher
at Majestic12.HTMLheuristics.SetHash(Char cChar1, Char cChar2, Int16 usID)

at Majestic12.HTMLheuristics.AddTag(String sTag, Int16 usID, Int16 usDataID)

at Majestic12.HTMLheuristics.AddTag(String p_sTag, String sAttributeNames)

at Majestic12.HTMLparser..ctor()

at CasabaSecurity.Web.Watcher.UtilityHtmlParser..ctor(Session session)

at CasabaSecurity.Web.Watcher.CheckManager.RunEnabledChecks(Session oSession)

at CasabaSecurity.Web.Watcher.FiddlerWatcherExtension.Fiddler.IAutoTamper.AutoTamperResponseBefore(Session oSession)

at Fiddler.FiddlerExtensions.DoAutoTamperResponseBefore(Session oSession)

at Fiddler.Session.InnerExecute()

at Fiddler.Session.Execute(Object objThreadState)

Fiddler v2.2.8.1 (x64) [.NET 2.0.50727.4927 on Microsoft Windows NT 6.1.7600.0]
---------------------------
OK
---------------------------
Comments:

Can't reproduce and have not heard any other complaints about this error.

Closed Feature: ASP.NET VIEWSTATE decoder integration [3887]

chrisweber — Tue, 09 Nov 2010 20:11:02 GMT

Jason Montgomery was kind enough to contribute some code from his project at http://dnsecanalysis.codeplex.com/ which includes a VIEWSTATE decoder. We need to integrate this into Watcher's utilities and make sure checks have access to the decoded data. For example, each information disclosure check should be able to analyze decoded VIEWSTATE data.
Comments:

ASP.NET decoding is built in for some checks, we're not going to make a separate panel for viewing the decoded data.

Created Feature: Add a tree-view display to the results tab [5808]

chrisweber — Tue, 09 Nov 2010 20:04:14 GMT

The Results should be available in both a list view (currently working) and a tree-view. A toggle button/switch should be available to switch between the two.

Tree-view results should organize the display first by host, then by finding name as in:

acme.nottrusted.com
- Missing Content-Type header
     - result 1
     - result 2
  - ASP.NET Vulnerable to Tampering
     - result 1
     - result 2
     - result 3

acme.foo.bar
- Javascript Eval Usage
     - result 1
  - Cookie's HTTPOnly flag was not set
     - result 1
     - result 2

Created Feature: NEW CHECK - X-Download-Options [4268]

chrisweber — Tue, 13 Apr 2010 18:02:58 GMT

The check would see if the Content-Disposition header exists in the response and verify that the 'X-Download-Options: noopen' header is present.

Created Issue: NEW CHECK - Strict Transport Security (STS) [4100]

chrisweber — Fri, 26 Feb 2010 22:12:38 GMT

Closed Feature: NEW CHECK - detect when ASP.NET VIEWSTATE has MAC protection disabled [4061]

chrisweber — Wed, 24 Feb 2010 21:00:07 GMT

Identify when EnableMacValidation has been disabled. This check looks at ASP.NET VIEWSTATE values to detect when MAC protection has been disabled. If disabled, it's possible for attackers to tamper with the VIEWSTATE and create XSS attacks. More information is available from the advisory at https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt.

Using a similar method that Patrick Toomey uses in his ViewState encoder/decoder plugin for Fiddler: http://labs.neohapsis.com/2009/08/03/viewstateviewer-a-gui-tool-for-deserializingreserializing-viewstate/. We can use the LosFormatter class to deserialize and then re-serialize the VIEWSTATE. When comparing both values (before and after) we look for a length difference of 20 bytes, or 32 bytes for .NET 4.0. LosFormatter.Serialize has an option to include a MAC. By default however it will not create a MAC, and will actually strip the MAC (last 20 or 32 bytes) off of the VIEWSTATE for us if it exists.
Comments:

Commented Feature: NEW CHECK - detect when ASP.NET VIEWSTATE has MAC protection disabled [4061]

chrisweber — Wed, 24 Feb 2010 20:59:05 GMT

Identify when EnableMacValidation has been disabled. This check looks at ASP.NET VIEWSTATE values to detect when MAC protection has been disabled. If disabled, it's possible for attackers to tamper with the VIEWSTATE and create XSS attacks. More information is available from the advisory at https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt.

Using the same method Patric Toomey uses in his ViewState encoder/decoder plugin for Fiddler: http://labs.neohapsis.com/2009/08/03/viewstateviewer-a-gui-tool-for-deserializingreserializing-viewstate/. We can use the LosFormatter class to deserialize and then re-serialize the VIEWSTATE. When comparing both values (before and after) we look for a length difference of 20 bytes. LosFormatter.Serialize has an option to include a MAC. By default however it will not create a MAC, and will actually strip the MAC (last 20 bytes) off of the VIEWSTATE for us if it exists.
Comments: ** Comment from web user: chrisweber **

Checked in and passing all tests.

Created Issue: NEW CHECK - detect when domain lowering occurs through javascript [4062]

chrisweber — Fri, 19 Feb 2010 20:31:50 GMT

Created Feature: NEW CHECK - detect when ASP.NET VIEWSTATE has MAC protection disabled [4061]

chrisweber — Fri, 19 Feb 2010 20:29:31 GMT

Identify when EnableMacValidation has been disabled. This check looks at ASP.NET VIEWSTATE values to detect when MAC protection has been disabled. If disabled, it's possible for attackers to tamper with the VIEWSTATE and create XSS attacks. More information is available from the advisory at https://www.trustwave.com/spiderlabs/advisories/TWSL2010-001.txt.

Using the same method Patric Toomey uses in his ViewState encoder/decoder plugin for Fiddler: http://labs.neohapsis.com/2009/08/03/viewstateviewer-a-gui-tool-for-deserializingreserializing-viewstate/. We can use the LosFormatter class to deserialize and then re-serialize the VIEWSTATE. When comparing both values (before and after) we look for a length difference of 20 bytes. LosFormatter.Serialize has an option to include a MAC. By default however it will not create a MAC, and will actually strip the MAC (last 20 bytes) off of the VIEWSTATE for us if it exists.

Created Issue: Majestic12.HTMLheuristics.SetHash overflow [3999]

chrisweber — Mon, 08 Feb 2010 23:20:52 GMT

Created Feature: ASP.NET VIEWSTATE decoder integration [3887]

chrisweber — Thu, 21 Jan 2010 05:56:25 GMT

Created Feature: NEW CHECK - Silverlight ExternalCallersFromCrossDomain [3855]

chrisweber — Mon, 18 Jan 2010 07:40:59 GMT

After unzipping a .XAP file, review the .XAML manifest file's 'deployment' section for an attribute and value:

ExternalCallersFromCrossDomain="ScriptableOnly"

When the attribute is set to ScriptableOnly, the host's native JavaScript can only access scriptable objects that the Silverlight application code registers with the runtime. The ExternalCallersFromCrossDomain attribute accepts two values: ScriptableOnly and NoAccess. The ScriptableOnly value will allow a cross-domain .xap file to programmatically call any scriptable objects that are explicitly exposed by the application.

##### SEVERITY #####
Low

Note: Severity depends on the

##### PREREQUISITE #####
None

##### MITIGATION #####
Note that if the Silverlight's clientaccesspolicy is not configured to allow cross-domain access, then this check won't apply. However the existence of this setting still deserves an alert.

When the ExternalCallersFromCrossDomain attribute is set to NoAccess, scriptable entry points and creatable types are not available to JavaScript or DOM through Content and createObject

##### EXAMPLE #####
An example of the XAML content to review would be:

<Deployment xmlns="http://schemas.microsoft.com/client/2007"
xmlns:x="http://schemas.microsoft.com/winfx/2006/xaml"
EntryPointAssembly="MyAppAssembly"
EntryPointType="MyNamespace.MyApplication"
ExternalCallersFromCrossDomain="ScriptableOnly"
>
<Deployment.Parts>
<AssemblyPart Source="MyAppAssembly.dll” />
<AssemblyPart Source="MyUserControl.dll" />
</Deployment.Parts>
</Deployment>

##### REFERENCES #####
Security Settings in HTML Bridge at http://msdn.microsoft.com/en-us/library/cc645023(VS.95).aspx