I didn’t even know this was around. is a Google search proxy to anonymize your searches. Of course, if you search for personally identifiable stuff, like your name, that’s not necessarily very anonymous anyway, and no proxy will save you. And if I search for “HIV treatments” just before you search for your name, a search anonymized might actually hurt you should the information get out into ignorant hands. Basically you can take it or leave it, but I like the non-standard colors as something new. Saw this over at ComradeSmack

yet another google tool used as a proxy

There’s an endless number of proxies out on the Internet to use for anonymous or filter-bypassing activities. Like using Google translate, you can use this unofficial-looking Google wireless tool that displays a web page how a mobile use would see it, without needing the mobile device in hand. Kinda cute, and interesting. Saw this from Planet-WebSecurity who linked to The Hacker Webzine, and so on…

I should start considering a category called survival skills for the cyber age. This would be part of it…

Posted in web

owasp top 10 for 2007

The OWASP Top 10 has been updated. The PDF version is way at the bottom. Top lists of anything are tough because you have to draw lines and qualifications somewhere. I like that the authors mention some items they left out such as input validations and buffer overflows, but I’m a little concerned that those should still have been included. I guess I am not yet satisfied with why they left them out.

Then again, I have yet to give this a deeper read and maybe am just distilling the information a little slowly yet. Overall, love the OWASP stuff and this top 10 is excellent. Got linked to this from Jeremiah.

open proxy honeypot

An idea for a rainy day (or bored student!): a web proxy “honeypot.” (Snargled from Grossman.) Now, rather than rolling theirs and instead rolling your own, I suppose it wouldn’t be all that hard to stand it up, but it might be a bit harder trying to attract malicious users. Perhaps dropping the open proxy address to some anon proxy lists, astalavista, and perhaps other places you might eventually get some hits…

Running one’s own open web proxy might drive home the fact that web proxies may give anonymity to the destination, it does absolutely nothing for the privacy of data or anonymity from the point of view of the proxy device.

Oh, and how fuckin’ sweet is it that you can package your wares into a VM and distribute it that way? Copy over the VM, start it up, and bam, all that configuration and setup is pretty much done, just give it an IP!

Posted in web

akismet vulnerability announced

There isn’t much detail posted yet, but it appears the akismet plugin for WordPress 2.1.3 (and probably others) has some vulnerability in it. Right now, the only mitigation really is to turn off the plugin unless details/updates are released to see if I am vulnerable (I don’t use WordPress).

Heck, I already get enough spam, and I have been watching as it slowly spreads from a couple core posts to other older posts. Oddly, this weekend about 30 spam comments got through (even as my own comments get moderated!). It’s really just a losing proposition in the end, unless someone really babysits their blog or enforces registration (blech!). At least I babysit for now. I should try to go through my junk list (1399 spam comments saved) and see if there is any sort of IP correlation or what. I kinda doubt it, but maybe I can at least filter some more keywords beyond the obvious…

Posted in web

what I learned a few weeks ago: http request smuggling

Recently I saw an HTTP Request Smuggling alert fly past my IPS. It turned out to be a false positive, but led me down the path of figuring out what that attack actually was. This was one of the bigger things I learned that week. Coincidentally, almost that same day, I browsed backlog quiz questions from Palisade and came across one about HTTP Request Smuggling. Whoa!

HTTP Request Smuggling is scary for a few reasons.

First, and likely the biggest reason many people don’t hear about it, is it is pretty complicated and technical. Do you know the differences in how your application level packet intepreters (cache proxies, firewall proxies…) and your web servers parse HTTP? Me either. But some people do, and I bet they can pilfer some scary stuff without many people knowing..

Second, you can poison proxy caches, pilfer credentials, and leverage other vulnerabilities like XSS using HTTP Request Smuggling without ever really needing to touch the client or have them do anything. The client really has zero ability to stop this attack (returned javascript notwithstanding).

Third, it sounds difficult to detect in logs and on the wire since the packet parsing needs to be done with awareness of what web server and proxy server is in the communication line are, and how they parse HTTP.

Palisade has a nice write-up on the issue available on both their quiz question and also their article. WatchFire has an amazing white paper on the issue that you can sign up to get (use Pookmail as your throwaway email address).

de-obfuscating javascript

I really appreciate “how-to” sorts of posts as they can give people like myself actual insight in how to do things as opposed to the multitude of posts that teach me how to talk like I know how to do things (without actually doing things). Ack!

So this post at SANS is a welcome piece of information about de-obfuscating Javascript. It includes links to other techniques, analyzes how some current techniques are being defeated, and also includes a nice tool at the bottom.

If I were actually more into web application security, I’d totally be eating this up. But that’s not really a place I can focus much time right now. Maybe some other year. Until then, I love the hands-on posts. By the way, if you are interesting in webappsec and have a chance to move into that sphere, it’s quite the lucrative market right now.

Posted in web

macworld hack

Macworld passes were hackable. This just amuses me to no end. While Apple does not directly put on Macworld (IDG World Expo does), it is interesting how security by proxy can work. I would hope IDG World Expo’s developers are few in number, underpaid, and overworked to put out something like this. This reflects badly on Apple as well.

Which brings up the question of just how many and how bad can insecure practices be before they take in collateral damage? Can a mistake on IDG’s part be prevented by Apple? Should companies VA or pen-test each other? Should Apple have known better? Is there really any recourse for this as we move into the future security-be-damned?

It amazes me that such simple things are still occurring today, like javascript “secrets.” I’m not what you would call a web programmer, although I could likely be one given a bit more effort and a job in that field, and yet even I feel I should be better at coding and design concepts than that. Seriously, though, it makes me yearn to get back into web coding again.

If I find more details on the hack, I’ll update this post.

surf at work

I certainly cannot condone evading firewalls and other protections in the workplace or otherwise, since I’m one of those guys trying to stop these people, but these techniques can be useful not only for times when you want it, but also for knowing what people might be doing so that I can stop it. In addition, some of these techniques have the side benefit of being more secure, such as when I am at a hotspot and wanting to make connections privately to public sites.

Posted in web

php security tools and tips

PHP has its share of issues and vulnerabilities. Honestly, it is the weak point of the LAMP architecture because of the potential for misconfigurations and insecure issues. The follow links go into an entry in the SANS Top 20 and the top 5 PHP security settings.

SANS Top 20
php top 5

Since I use PHP I wanted to post this site with some PHP security tips from SANS.

And this is another nice list of php security issues and configurations.

Spike is a php auditing tool that I totally have to try out sometime soon.

Posted in web

attacks and defenses for web apps

Article on attacks against web servers (app level) and mitigations to stopping them, with full examples on the attacks. Some interesting things to try out someday would be mod_security and Tripwire-like programs to monitor file integrity. I would love to start getting alerts like these on my own systems whenever something changes, even if it is me updating a web page on my site. I also have a project to get some sort of centralized monitoring on my network to check for creation/changes to local user accounts and other things. I’d love to be able to centrally pull my firewall logs (Sygate), but I bet that will require my own scripting. At any rate, the paper is much of the same tried-and-true stuff with security, but the examples are pretty cool.

Posted in web