In this case, the text entered by the user in the “Company” field upon a failed login is sent back to the user unaltered immediately in the form of an authentication failure message. An attacker could leverage this to inject malicious code in to the browser of the user trying to login.

I wanted to show the client that this is an issue, and I wanted to use something beyond, “look, this makes a pop-up box on the client that says ‘vulnerable to XSS.’” To do this, I used the Browser Exploitation Framework.

BeEF is the Browser Exploitation Framework. It is a tool that can be used to demonstrate the real-time impact of XSS browser vulnerabilities. It uses a modular structure making new development a trivial process. It can demonstrate the collecting of zombie browsers and browser vulnerabilities in real-time. It provides a command and control interface which facilitates the targeting of individual or groups of zombie browsers. Current modules include metasploit, port scanning, keylogging, TOR detection, and more.

The vulnerable form in questions uses POST variables. As a proof of concept, I created an HTML page with a form that uses JavaScript and runs when the page loads to attempt authentication against this login form injecting script from BeEF.

When a user of the application loads this page, he will automatically get redirected to the login page. In the user’s browser, BeEF loads JavaScript in an iFrame and is able to capture keystrokes. As the user types in his credentials, the attacker can see them from another terminal.

The Browser Exploitation Framework has a lot of other fun modules besides keylogging. I highly recommend playing around with it to see what all it can do. At the very least, it’s useful in demonstrating that there is real risk in XSS vulnerabilities. The easiest way to get it up and running is to use a linux distribution with BeEF pre-installed. The Samurai Web Testing Framework comes with BeEF and lots of other web application security tools.

Sources:

• XSS Cheat Sheet – http://ha.ckers.org/xss.html
• BeEF – http://www.bindshell.net/tools/beef/
• SamuraiWTF- http://samurai.inguardians.com/

ISACA released an interesting and though provoking white paper digging in to the risks that social media poses. It covers vulnerabilities, threats, risks, and mitigating techniques.

http://www.isaca.org/Knowledge-Center/Research/Documents/Social-Media-Wh-Paper-26-May10-Research.pdf

• Introduction of viruses and malware to the organizational network
• Exposure to customers and the enterprise through a fraudulent or hijacked corporate presence
• Unclear or undefined content rights to information posted to social media sites
• A move to a digital business model may increase customer service expectations
• Mismanagement of electronic communications that may be impacted by retention regulations or e-discovery
• Use of personal accounts to communicate work-related information
• Employee posting of pictures or information that link them to the enterprise
• Excessive employee use of social media in the workplace
• Employee access to social media via enterprise-supplied mobile devices (smartphones, personal digital assistants [PDAs])

If you can’t make it, they are streaming it live on uStream.tv.

https://www.shmoocon.org/video.html

Schedule: http://www.shmoocon.org/presentations.html

This year’s event features pre-Summit training opportunities and 2 days of talks, presentations, hands-on workshops, a vendor trade-show fair and much more!  Information Security Technology, Business/Management, Law Enforcement, Career Development, Compliance and Legal issues will be featured. Joel Snyder of Opus One will be our Thursday Keynote Speaker.  Our theme this year is Information Security on a Shoestring Budget.

For detailed information and registration, please visit: http://www.informationsecuritysummit.org

Speakers:

Simon Herring – Un-clutter your security world: Tips for Managing Information Overload

A security professional’s day is often crammed with the predictable and the unplanned. We march, run, and sometimes flail to the beat of an adversary that tries to outwit our defenses.  And if normal Internet chaos wasn’t enough (Cyber crime, SQL injection, XSS, Zero Days, etc.) home-spun organizational directives and risky projects leave us feeling like the management team inside our gates is more dangerous than the adversary outside our walls.

Brent Houston – Web-Application Hiving: Honey-based Approaches to Application Security

This talk will cover the basic ideas behind using low interaction honeypot tools with your existing and new web applications. Details of this approach, the value it brings and how it works will be discussed with examples at both the strategic and tactical levels. Participants will take away an understanding of how honey-based Technologies can fit into their web application security plans, how to implement them in existing applications and how to add honey surfaces to their upcoming development projects.

Speakers: Jon Canady, Web Application Developer, Innova Partners

Topic Summary: PHP is a widely used, general-purpose scripting language, originally designed to produce dynamic web pages. In 2007, The PHP Group reported it was utilized on over 20 million websites and 1 million web servers. In 2008, the National Vulnerability Database claimed PHP accounted for 35% of software vulnerabilities, with nearly all caused by poor programming practices. Every PHP developer, hoster, and security professional should understand the primary attack vectors being used by attackers against PHP applications. During this OWASP meeting we will be deep-diving into PHP security. Specifically, Mr. Canady will be covering the OWASP Top 10 in the context of PHP.

http://www.owasp.org/index.php/Columbus

http://www.isaca-centralohio.org/

1. After the completion of the link establishment phase, the authenticator sends a “challenge” message to the peer. (The AP issues a random 8-byte challenge)
2. The peer responds with a value calculated using a one-way hash function. (The endpoint encrypts the 8-byte challenge 3 times, using the NT hash of their password as seed material.  The endpoint then joins the 3DES outputs as a single 24-byte response.)
3. The authenticator checks the response against its own calculation of the expected hash value. If the values match, the authenticator acknowledges the authentication; otherwise it should terminate the connection. (The AP issues a success or failure message.)

Sniffing the air, we can observe this challenge and response process. Using Wireshark to analyze our wireless packet capture, we are able to collect these strings. We can then perform an offline dictionary and brute force password guessing attack against using John the Ripper.

I am going to assume you have already identified that LEAP is the authentication method being used, and that you have sniffed the wireless network obtaining the resulting packet capture files.

Load your packet capture file in Wireshark. We are going to use a filter so that we are only looking at the LEAP exchanges in Wireshark. In the filter field, enter this, and click Apply.

• eap.type eq 17

LEAP sends the user identity information over the air in clear text. We are going to grab the username, the challenge, and the response from Wireshark.

Then, we are going to copy these values in to a text file. In our text file, we are going to use this format.

• username::::response:challenge

Before running John the Ripper, you will increase your chances of quick success if you do two things. The first is build a dictionary that includes likely words your target could use. Include key words from your target’s website. Think about local sports teams. The second is configuring John to reflect the target’s password policy if you are privy to that information. If the target can only have 7 to 8 character passwords, spending time brute forcing anything else is a complete waste.

Save the file above in the John directory, run john requesting the NETNTLM format, and give it your text file.

• ./john –format=NETNTLM file.txt

John will make three passes against your input. It will run your dictionary, then your dictionary with appended characters, and finally a brute force attack. Press the space bar as john is running to see progress. The (1) (2) (3) will tell you which stage John is performing. Stage three will take a long time.

References:
Chapter 6 of Ethereal “Wireless Sniffing with Wireshark”
http://www.willhackforsushi.com/books/377_eth_2e_06.pdf

Wireless Security
http://en.wikipedia.org/wiki/Wireless_security

Cisco Security Notice: Dictionary Attack on Cisco LEAP Vulnerability
http://www.cisco.com/warp/public/707/cisco-sn-20030802-leap.shtml

Weaknesses in LEAP Challenge/Response
http://www.securityfocus.com/archive/1/340365/2009-08-06/2

John the Ripper Tutorial
http://juggernaut.wikidot.com/jtr

John the Ripper Patches
http://openwall.info/wiki/john/how-to-extract-tarballs-and-apply-patches
http://www.openwall.com/john/
ftp://ftp.openwall.com/pub/projects/john/contrib/

The last day of DEFCON….

10:00-10:50 Track 1
Hello, My Name is /hostname/
Endgrain, Dan Kaminsky and Tiffany Rad
@dakami @tiffanyrad

11:00-11:50 Track 1
eXercise in Messaging and Present Pwnage
Ava Latrope

12:00-12:50 Track 1
Unmasking You
Joshua “Jabra” Abraham and Robert “RSnake” Hansen
@jabra @RSnake

13:00-13:50 Track 3
Tactical Fingerprinting Using Metadata, Hidden Info and Lost Data
“Palako”

14:00-14:50 Track 2
Slight of Mind: Magic and Social Engineering
Mike Murray and Tyler Reguly
@mmurray @treguly

15:00-15:50 Turbo/Breakout Track
USB Attacks: Fun with Plug and Own
Beth, Noid and Nick Farr

16:00-16:50 Track 3
Cracking 400,000 Passwords, or How to Explain to Your Roommate why the Power Bill is a Little High
Matt Weir

Here is the tentative talk schedule for Saturday. Long live Metasploit.

10:00-10:50 Track 2
Breaking the “Unbreakable” Oracle with Metasploit
Chris Gates and Mario Ceballos
@carnal0wnage @_mc_

11:00-11:50 Track 2
Using Guided Missiles in Drive-Bys: Automatic browser fingerprinting and exploitation with Metasploit
Egypt
@egyp7

12:00-12:20 Track 2
Metasploit goes Web
Efrain ‘ET’ Torres

13:00-13:50 Track 4
Injectable Exploits: Two New Tools for Pwning Web Apps and Browsers
Kevin Johnson, Justin Searle and Frank DiMaggio
@secureideas @meeas

14:00-15:50 Track 2
MetaPhish
Valsmith, Colin Ames and David Kerb
@attackresearch

15:00-15:50 Track 4 (Overlap)
Hijacking Web 2.0 Sites with SSLstrip—Hands-on Training -
Sam Bowne
@sambowne

15:30-16:00 Track 2 (Overlap)
MSF Telephony
|)ruid

16:10-16:40 Track 2
Metesploit Evolved Meterpreter Advances hacking the Next Internet
HD Moore
@hdmoore

16:50-17:20 Track 2
MSF Wifi
Mike Kernshaw

17:30-1800 Track 2
App Assesment the Metasploit Way
David Maynor

18:00 (undecided)
Track 3
Preparing for Cyber War: Strategy and Force Posture in the Information-Centric World
Dmitri Alperovitch, Marcus Sachs, Phyllis Schneck and Ed Skoudis
@edskoudis
OR
Track 4
The Middler 2.0: It’s Not Just for Web Apps Anymore, Jay Beale and Justin Searle
@jaybeale @meeas