Friday, February 1, 2013

CDS 2 2012 Result Announced

The results of the CDS 2 exam conducted by the UPSC have been declared and are on the commission's website. Log on to

UPSC for more.


Saturday, February 25, 2012

UI redressing attack !!


Clickjacking (User Interface redress attack, UI redress attack, UI redressing) is a malicious technique of tricking a Web user into clicking on something different to what the user perceives they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous webpages.

Simply put, don't believe whatever you click on these days on any unknown or malicious site. I (along with Aditya Gupta and Subho Halder) have found some interesting clickjacking attacks in Google itself. Well, they have now corrected the user interface and also added the necessary header to avoid clickjacking. Cheers to our efforts :P

Well the question is WHAT IS CLICKJACKING?


A clickjacked page tricks a user into performing unintended actions by clicking on a concealed control. The attacker loads the target page in a transparent iframe positioned over (or under) a decoy page. The user thinks they are clicking the visible buttons, while the click actually lands on the hidden page. Because the hidden page is the genuine site and the user is already logged in to it, the browser attaches the user's own cookies, so the action is carried out with the user's authority. In the target site's logs it looks like an ordinary request from that user, which is what makes it so hard to trace back to the attacker afterwards.

So how to AVOID it?


The first solution that comes to mind is to stop other sites from framing ("iframing") your content. There are several ways to do that:



Solution 1:


Use a JavaScript frame-busting snippet that checks whether the page has been loaded inside a frame and, if it has, replaces the top-level location with the page's own URL so it breaks out of the frame. An example:

if (top != self) { top.location.replace(self.location.href); }


Excellent! Now you "bust" out of any containing iframe automatically. Except for one small problem.

As it turns out, your frame-busting code can itself be busted. The attacker's page frames your site and runs a script that:

increments a counter every time the browser is about to navigate away from the current page, via the window.onbeforeunload event handler (which your frame-buster's top.location.replace() triggers)
sets up a timer that fires every millisecond via setInterval(), and if it sees the counter incremented, changes the top-level location to a server under the attacker's control
that server answers with HTTP status code 204 (No Content), which the browser treats as "nothing to show" and does not navigate anywhere, so the frame-buster's own navigation is cancelled and your page stays framed

Other bypasses exist too: an HTML5 iframe with the sandbox attribute (without allow-top-navigation, or without allow-scripts) simply forbids the framed page from changing top.location or from running script at all. A more robust variant hides the page body with CSS and only reveals it from script once top == self, but any JavaScript-only defence fails when script is disabled or the iframe is sandboxed. So let's look at other options.

Solution 2:


One of the more viable solutions is the X-Frame-Options header, which lets a site control whether its content can be rendered inside a frame. It has two settings: DENY blocks the content from being framed at all, and SAMEORIGIN only allows it to be framed by pages from the same origin. It is not the be-all and end-all of clickjacking defence and won't work for sites that legitimately frame each other across origins, but it is considered the most reasonable approach for a site to protect its own content.

What is it good for?


Originally it was intended as a way to prevent clickjacking.

To understand clickjacking, let's first look at Cross-Site Request Forgery (CSRF). CSRF abuses the browser's habit of attaching your cookies to any request it makes to a site, whoever caused that request: you're logged in to your bank, and the attacker tricks you into clicking a link (or has a hidden form submit itself) that sends him money.
Good websites protect themselves from this, e.g. by using per-session request tokens, so the server can tell that a request was intentional.
Many websites are vulnerable to some form of CSRF; some even argue that the majority of websites that interact with users are vulnerable somewhere.

Clickjacking is a way to trick visitors into interacting with a victim website without knowing they are doing it, e.g. by overlaying other things such as images over the real controls. Note that CSRF tokens don't help here: the click lands on the genuine page, which submits its own genuine token.

Framebusting is a common technique to prevent clickjacking, sadly framebusting can be defeated.

x-frame-options was introduced in a beta release of IE8 as an alternative.

So what is x-frame-options?


It's an HTTP response header.

HTTP, not HTML! It has to be sent by the server with the response; a <meta http-equiv> tag inside the page is ignored by browsers for this header.

It can be used to prevent framing of the pages it is delivered with: the browser simply refuses to render the page inside a frame if the header is present, depending on the value set.

Values are

DENY: stops all framing.
SAMEORIGIN: stops framing except by pages from the same origin (same scheme, host and port) as the page that carries the header. So http://www.example.com/ may frame pages served from http://www.example.com/ with this value, but https://www.example.com/ (different scheme) or http://other.example.com/ (different host) may not.
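How a browser applies these values, as an added example (not code from the original post, and not any browser's actual implementation): the function below reproduces the decision for the two values described above, treats a missing, empty or unrecognised value as "no protection" (which is what a typo in the header value gets you), and compares origins by scheme, host and port. A wrapper that adds the header to Node http responses is included so the same policy can be tried end to end. The origins are made up, and treating conflicting values as DENY is my assumption of the safe reading; verify it against the browsers you care about.

```javascript
'use strict';

// Normalise a URL to its origin: scheme, host and port, with default ports
// filled in so https://a.example/ and https://a.example:443/ compare equal.
function parseOrigin(url) {
  const u = new URL(url);
  const port = u.port || (u.protocol === 'https:' ? '443' : '80');
  return `${u.protocol}//${u.hostname}:${port}`;
}

// Decide whether a page fetched from pageUrl and delivered with the given
// X-Frame-Options value may be rendered inside a frame whose top-level
// document lives at topUrl. Returns true when the browser would render it.
function framingAllowed(xfoHeader, pageUrl, topUrl) {
  if (xfoHeader === undefined || xfoHeader === null) {
    return true; // header absent: the page can be framed by anyone
  }
  // A response may carry the header several times; Node joins them with ", ".
  const values = String(xfoHeader)
    .split(',')
    .map((v) => v.trim().toUpperCase())
    .filter((v) => v.length > 0);
  if (new Set(values).size > 1) {
    // Conflicting values such as "DENY, SAMEORIGIN": refuse to render
    // (assumption: the safe reading; a repeated identical value is fine).
    return false;
  }
  switch (values[0]) {
    case 'DENY':
      return false;
    case 'SAMEORIGIN':
      return parseOrigin(pageUrl) === parseOrigin(topUrl);
    default:
      // Empty or unrecognised value (a typo such as "SAME-ORIGIN") is ignored
      // by browsers, which means no protection at all.
      return true;
  }
}

// Wrap a Node http request handler so every response carries the header.
// Usage: http.createServer(withFrameProtection(handler)).listen(8080)
function withFrameProtection(handler, policy = 'SAMEORIGIN') {
  return function protectedHandler(req, res) {
    res.setHeader('X-Frame-Options', policy); // set, not append: one unambiguous value
    return handler(req, res);
  };
}

// Exercise the wrapper against a stand-in for http.ServerResponse and return
// the header value it would have sent.
function headerSentBy(policy) {
  const sent = {};
  const fakeRes = { setHeader: (name, value) => { sent[name] = value; }, end() {} };
  withFrameProtection((req, res) => res.end(), policy)({}, fakeRes);
  return sent['X-Frame-Options'];
}

if (typeof module !== 'undefined') {
  module.exports = { parseOrigin, framingAllowed, withFrameProtection, headerSentBy };
}
```

The two cases worth remembering from this: a misspelt value is silently ignored, so the page is framable, and a different scheme or port on the same host is a different origin, so an http:// attacker page cannot frame an https:// page served with SAMEORIGIN.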

What does it not do?


It doesn't on its own protect your web site from clickjacking, because not all browsers support it. E.g. Microsoft did not backport it to the still widely used IE6 and IE7.

So you still need the other measures too.

Note that it needs no JavaScript and has little chance of being defeated by a smart attacker as long as the browser supports it, so it is certainly not without merit. Its standardised successor is the frame-ancestors directive of Content-Security-Policy, which takes precedence where supported; sending both costs nothing.

Alternative to framebusting ?


Since X-Frame-Options is, from a security point of view, an additional measure covering much the same ground as frame-busting, isn't it also an alternative to frame-busting in other webmaster uses?

Sure it is. Just remember the difference in behaviour: instead of the page taking over the entire tab, the browser will not render it in the frame at all. And your regular frame-busting JavaScript gets no chance to run, since the page isn't loaded in the frame when the browser supports the header.

Browsers that support it (as of this writing)

IE8
Safari
Chrome
Firefox (natively since 3.6.9; older versions only with the NoScript addon)


It’s not backported to IE6 and IE7

How to send out the header using IIS?


Open the Internet Service Manager
HTTP headers tab
in the Custom headers section: Add…

Custom header name: X-Frame-Options; custom header value: DENY or SAMEORIGIN (without the quotes).
Can anybody confirm/correct this (I don’t run IIS) ?

How to send out the header using apache

Add this to your httpd.conf (mod_headers must be loaded):

Header always set X-Frame-Options SAMEORIGIN

Use set rather than append: append adds a second copy if a value is already present (e.g. from an application that also sends it), while set leaves exactly one unambiguous value. The always condition makes the header go out on error responses too, not only on successful ones.


So now we have a fair idea of what it means when someone shouts, "I clickjacked you!"

I’M IN GOOGLE HALL OF FAME !

Finally, after a long wait, I made it into the Google Security Hall of Fame under honourable mentions.
On 1 November 2010, Google launched a Vulnerability Reward Program for Google web properties.

Any Google web property that displays or manages highly sensitive authenticated user data or accounts may be in scope. Some examples include:

*.google.com
*.youtube.com
*.blogger.com
*.orkut.com


A few weeks back, we (Subho Halder, Aditya Gupta and Dev Kar) reported 6 clickjacking bugs in various Google products, and made a nice POC for all of them.
The X-Frame-Options header was missing from some important Google products like Translate, Scholar and many more.

Using the bug, a user's status could be updated automatically without the user coming to know about it. The Google guys responded promptly and put us in their Hall of Fame – Honorable Mention for the report. Google Security Hall of Fame

Google Clickjacking POC

Thanks Google


Signed off:-Dev Kar

I’M IN APPLE SECURITY RESEARCHERS

A few days back, I was credited on the Apple Security Researchers page, where they credit all the security researchers who identified serious security vulnerabilities in their website or servers.




This made me really happy, because it was a really easy XSS bug, on consultants.apple.com.

Also, this bug remained unpatched for as long as 4 months. One of my friends, Cim Stordal, reported the same bug a few months back, and is listed with me along with my two other friends Aditya Gupta and Sunny Rockzzs.


Here is the link if you need to see the whole list.
Apple Security Researchers

Also, today is the birthday of the world's greatest visionary, the late Mr. Steve Jobs.
Happy Birthday Steve Jobs, you changed the world and the way we see it :) RIP




Signed off:-Dev Kar

Sunday, February 12, 2012

The Google Dilemma

It's been a month now since I took my new year resolution to blog more often, and it's apparent from my actions how those new year resolutions wind up. lol. This year is pretty different though; a lot has happened and a lot of things are happening to me. Some good, some bad and some "ironic".
Let's talk about the good parts and leave the bad parts for me to mull over. :P
The good thing is that I made it into the Google Hall of Fame for reporting 6 clickjacking vulnerabilities in their web products, with 2 other guys, Sunny Rockzzs and Aditya Gupta. Unfortunately they didn't pay us anything :( because the vulnerability depended too much upon the attack vector. But getting onto the Hall of Fame page was a good moment for me.
I was also able to make it into Apple's security researchers list. This was pretty controversial, as the vulnerability we submitted had already been submitted by a 16-year-old German kid, Cim Stordal. So we were all credited for finding the vulnerability, which for Cim was a little annoying. Getting into the Apple hall of fame was the second best thing this year :) I also found many more bugs in many other web applications.

But one interesting thing happened almost unknowingly: we found a bug in Gmail. At first sight it looked like a simple (non-persistent) XSS, so we submitted our bug report to the Google security team. They responded very promptly; after the initial analysis of the bug it turned out that there wasn't any problem with Gmail. The bug was actually a browser bug, so the Google guy filed a private bug in the Chromium project. We were very happy and all for finding a browser bug, that too in Chrome :P. But after analysis of the bug by the Chromium security team it turned out that there wasn't a problem with the Chrome browser either; the bug actually existed in the WebKit engine. That means all browsers powered by the WebKit engine would be vulnerable to this attack. We tried it on Safari and it worked.
Yeppiii!! We got a WebKit bug!
So now what we have is an XSS which turned out to be a browser bug which later turned out to be a WebKit bug; what are the odds of that. lol. We are happy with what we found out unknowingly :P. But the sad part is that we will be credited neither by the Google security team nor by the Chromium security team; forget the money, they won't even mention our names. :( The WebKit open source project, as far as I know, doesn't offer any credit or monetary reward for bugs. They will fix the bug and mail us the link for downloading the latest nightly build, and we have to check whether the fix is working properly or not. We still don't know whether we will be credited or not, but we should be credited, as the bug we found did help in making the browser more secure.
I will be discussing more about the bug that we found once it's patched. (Ethics :P)

signed off-
Dev Kar

Monday, January 2, 2012

How 'main(int argc, char ** argv)' is implemented?

The declaration of main looks like this:
int main(int argc, char *argv[]);
This says that main is a function returning an integer. In hosted environments such as DOS or UNIX, this value, the exit status, is passed back to the command line interpreter. The arguments are typically used to direct how the program goes about its task; it's particularly common to pass file names to a program this way.
There are two arguments to main: argc and argv. The first is a count of the arguments supplied to the program, and the second is an array of pointers to the strings that are those arguments (passed, as arrays always are, as a pointer to the first element). The C standard guarantees that argv[argc] is a null pointer. These arguments are filled in by the host system's command line interpreter, or by whatever program started yours, which has two consequences worth knowing: argv[0] is whatever the caller chose to pass, not necessarily the program's real path, and argc can legitimately be 0 (a program started via execve with an empty argument vector gets argc == 0 and argv[0] == NULL), so never index argv without checking argc first.



Here's an example to explain the concept:-
#include <iostream>
#include <iomanip>
using namespace std;

int main( int argc, char* argv[] )
{
    // argc can be 0 if the caller passed an empty argument vector, in which
    // case argv[0] is a null pointer; don't dereference it blindly.
    if (argc < 1 || argv[0] == 0) {
        cerr << "No program name supplied\n";
        return 1;
    }
    cout << "The name used to start the program: " << argv[ 0 ] << "\nArguments are:\n";

    // argv[1] .. argv[argc-1] are the user-supplied arguments, in order.
    for (int n = 1; n < argc; n++)
        cout << setw( 2 ) << n << ": " << argv[ n ] << '\n';
    return 0;
}


Compile it, then from the command prompt try running it in different ways.
If the program is named a and is run with the arguments Hello and world!, the arguments and the value of argv look like this:


 D:\prog\test> a Hello world!
The name used to start the program: a
Arguments are:
1: Hello
2: world!

Each iteration increments n, so argv[n] steps one item further along the array of pointers: after the first iteration (which printed Hello), argv[n] is the pointer to the string world!.

Here is another way of giving arguments. Note that the quoting is handled by the shell (or, on Windows, by the C runtime's command-line parsing) before main runs: "Peter Piper" arrives as a single argument with the quotes already stripped.

D:\prog\test> cd ..

D:\prog> test\a.exe "Peter Piper" picked a peck of "pickled peppers"
The name used to start the program: test\a.exe
Arguments are:
1: Peter Piper
2: picked
3: a
4: peck
5: of
6: pickled peppers

I guess this one is self-explanatory. :)



Tuesday, December 6, 2011

How to unblock blocked sites in your network?

This post describes 5 possible ways to bypass a web filter. Some methods only work with certain filter configurations, so you may have to experiment with several to find the one that fits your situation. We will also look at some of the technical details.

What is a DNS?


An often-used analogy for the Domain Name System (DNS) is that it serves as the phone book of the Internet, translating human-friendly hostnames into IP addresses. For example, at the time of writing the domain name www.example.com translates to the addresses 192.0.32.10 (IPv4) and 2620:0:2d0:200::10 (IPv6). In other words, DNS is a distributed database recording which IP addresses belong to which names. So when you type a URL into your browser, the browser asks the DNS resolver it has been configured with (normally your ISP's or your network's) for the corresponding IP address, and only once it has that address does it open the connection to the site.

How blocking is implemented?


OpenDNS, or any DNS-based filtering service, blocks sites by returning a different answer when your computer asks for the address of a blocked domain. If you look up google.com, OpenDNS returns the genuine address; if you look up a blocked domain such as facebook.com, it instead returns the address of its own block page, so your browser ends up at block.opendns.com. Nothing is done to the site itself; the filter only controls what your resolver tells you.



How to access blocked sites?


#1)Web Proxy


You can use a web proxy service such as the one offered by Freeproxyserver.net. When browsing a blocked site like Facebook through a web proxy, your computer and your DNS provider only ever see freeproxyserver.net, because the proxy makes all the connections to Facebook on your behalf. There are thousands of free web proxies; for speed, use one hosted in your own country. Keep in mind that the proxy sees everything you send and receive through it, including any passwords you type, so don't log in to anything that matters through a proxy you don't trust.

#2)HOST file modification


Although slightly more technical than using a web proxy, this is within most users' capabilities. It involves a temporary change to your computer's hosts file, which maps hostnames to IP addresses and is consulted before DNS. If you put the real IP address of the site you want (for example facebook.com) in the hosts file, your computer already knows the address and never asks OpenDNS, so it never receives the fake answer that would send you to the block page.
See http://www.fpweb.net/support/managed-hosting/hostfile-editing-support.asp if you don't know how to edit the hosts file. This is the fastest method, but finding the addresses of every hostname a large site uses takes time, and those addresses change, so the entries go stale. Remember to remove them afterwards.

#3)Using different DNS server


This method was working fine for me, but a few days back my network admin restricted access to any other DNS server, so now all my DNS requests route through OpenDNS. It is quite easy: use the OpenDNS servers or the Google Public DNS servers. On Windows, go to Control Panel > Network and Internet Connections > Network Connections, right-click the connection you use to access the Internet, choose Properties and then Internet Protocol (TCP/IP). Enter one of the following pairs as the DNS server addresses:
OpenDNS: 208.67.222.222 and 208.67.220.220
Google Public DNS: 8.8.8.8 and 8.8.4.4
Then open a command prompt and flush the local cache: c:\>ipconfig /flushdns
If it doesn't work (for example because the network blocks or intercepts port 53 to outside resolvers), revert the settings and run the same command again to flush the DNS cache.

#4)Using https:// instead of http://


This came to my notice recently when my college ISP blocked http://facebook.com, but when I tried https://facebook.com
the site loaded. This works against many URL-filtering systems and for many sites (not against DNS-based blocking, which never looks at the protocol). It works because a URL blocklist of this kind inspects HTTP traffic on TCP port 80 and reads the Host header and the requested path to decide what to block. With HTTPS the Host header and the body are encrypted, so the filter can't read them. But "nothing else" is too strong: the filter still sees the destination IP address, and the TLS handshake itself sends the hostname in clear text in the Server Name Indication (SNI) extension of the ClientHello (and, in TLS up to 1.2, the server's certificate goes across in the clear as well). A filter that only looks at port 80 is beaten; one that inspects port 443 too can still block by hostname, just not by path or content.
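What a port-443 filter can still see, as an added example that is not part of the original post: the hostname travels in clear text in the TLS ClientHello's Server Name Indication extension, before any encryption starts. The code below builds a constructed ClientHello (not a captured packet) for a given hostname, then parses the record the way an inspecting middlebox would and matches the extracted name against a blocklist. The hostnames and the blocklist are made-up inputs.

```javascript
'use strict';

// Big-endian length fields used by the TLS encoding.
function u16(n) { const b = Buffer.alloc(2); b.writeUInt16BE(n, 0); return b; }
function u24(n) { const b = Buffer.alloc(3); b.writeUIntBE(n, 0, 3); return b; }

// Build a minimal TLS 1.2 ClientHello record for hostname. This is a
// constructed test input, not a capture: fixed random, one cipher suite,
// and (unless includeSni is false) a single server_name extension.
function buildClientHello(hostname, { includeSni = true } = {}) {
  let extensions = Buffer.alloc(0);
  if (includeSni) {
    const name = Buffer.from(hostname, 'ascii');
    const entry = Buffer.concat([Buffer.from([0x00]), u16(name.length), name]); // name_type host_name
    const list = Buffer.concat([u16(entry.length), entry]);                     // ServerNameList
    extensions = Buffer.concat([u16(0x0000), u16(list.length), list]);          // extension_type 0
  }
  const body = Buffer.concat([
    Buffer.from([0x03, 0x03]),           // client_version: TLS 1.2
    Buffer.alloc(32, 0x42),              // random (fixed, constructed)
    Buffer.from([0x00]),                 // session_id: empty
    u16(2), Buffer.from([0xc0, 0x2f]),   // cipher_suites: one suite
    Buffer.from([0x01, 0x00]),           // compression_methods: null only
    u16(extensions.length), extensions,  // extensions block (possibly empty)
  ]);
  const handshake = Buffer.concat([Buffer.from([0x01]), u24(body.length), body]); // HandshakeType client_hello
  return Buffer.concat([Buffer.from([0x16, 0x03, 0x01]), u16(handshake.length), handshake]); // ContentType handshake
}

// Walk a TLS record the way an inspecting middlebox does and return the
// host_name from the server_name extension, or null if the record is not a
// ClientHello or carries no SNI. Every read is bounds-checked because the
// bytes come from the network.
function extractSni(buf) {
  if (buf.length < 9 || buf[0] !== 0x16 || buf[5] !== 0x01) return null;
  let p = 9 + 2 + 32;                          // past record hdr, handshake hdr, version, random
  if (p >= buf.length) return null;
  p += 1 + buf[p];                             // session_id
  if (p + 2 > buf.length) return null;
  p += 2 + buf.readUInt16BE(p);                // cipher_suites
  if (p + 1 > buf.length) return null;
  p += 1 + buf[p];                             // compression_methods
  if (p + 2 > buf.length) return null;         // no extensions block at all
  const extEnd = p + 2 + buf.readUInt16BE(p);
  if (extEnd > buf.length) return null;        // truncated record
  p += 2;
  while (p + 4 <= extEnd) {
    const type = buf.readUInt16BE(p);
    const len = buf.readUInt16BE(p + 2);
    p += 4;
    if (p + len > extEnd) return null;
    if (type === 0x0000) {
      let q = p + 2;                             // skip ServerNameList length
      const listEnd = p + len;
      while (q + 3 <= listEnd) {
        const nameType = buf[q];
        const nameLen = buf.readUInt16BE(q + 1);
        if (q + 3 + nameLen > listEnd) return null;
        if (nameType === 0x00) return buf.toString('ascii', q + 3, q + 3 + nameLen);
        q += 3 + nameLen;
      }
      return null;
    }
    p += len;
  }
  return null;
}

// What a hostname-aware filter on port 443 would do with this ClientHello:
// block when the SNI equals a listed domain or is a subdomain of one.
function sniMatchesBlocklist(buf, blocklist) {
  const host = extractSni(buf);
  if (host === null) return false;
  const h = host.toLowerCase();
  return blocklist.some((d) => h === d.toLowerCase() || h.endsWith('.' + d.toLowerCase()));
}

if (typeof module !== 'undefined') {
  module.exports = { buildClientHello, extractSni, sniMatchesBlocklist };
}
```

The point of the parser is the first line of extractSni: nothing in it needs a key. A filter that reads this much of the handshake blocks https://facebook.com just as easily as the http:// version; what it cannot see is which page on the site you asked for.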

#5)Using translation services


Translation services such as Google Translate fetch a website, translate it from one language to another and display the result on their own page. Because the fetch is made by the translation service rather than by your computer, you can reach a blocked site by asking such a service to translate its URL. It is effectively a web proxy, with the same caveats.


That's it: these were 5 easy ways to reach sites blocked by your network provider. But be sure you know the consequences before attempting any of them. This counts as circumventing your organisation's controls and is most likely against its rules; if you're caught you can get into serious trouble. Only do the above if you're sure you're not being watched or tracked, or know that there are no serious consequences.

Thanks for reading,do leave a comment. :)