Upcoming Features of Subresource Integrity 2.x

As a response to the growing number of breaches involving CDNs, the first release of Subresource Integrity (SRI) was published hastily in late 2015. The W3C WebAppSec Working Group decided to leave certain useful features out in favour of an early release. Although SRI already does the job, there is room for improvement with regard to user experience. The good news is that some of these features will be added to the next iteration of SRI.

The following article gives a brief, speculative overview of the upcoming features of Subresource Integrity.

Scanning Sites for SRI Usage with sritest.io

Website assets hosted by third parties, such as JavaScript libraries served from a CDN, are vulnerable to tampering. A new mechanism named Subresource Integrity (SRI) lets a page declare the expected hash of such an external asset, so the browser refuses to use a copy that does not match.

Adoption of SRI has been slow, which is why sritest.io was created. The service enables website owners and frontend developers to check their sites for SRI hash usage. Sritest.io aims to help the widespread adoption of SRI and, ultimately, to protect website visitors from malicious code.
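The post does not describe how sritest.io itself works, so the following is an added example rather than the service's own code: a small Python scanner that does the kind of check such a tool performs. It parses a page, picks out the cross-origin scripts and stylesheets, and reports whether each one carries a usable integrity attribute (and the crossorigin attribute that cross-origin SRI needs), plus a verify_body() helper that applies the browser's "strongest listed algorithm wins" rule to a resource body. The sample page, the hostnames, the resource body and its integrity value are all constructed for the demo.

```python
import base64
import hashlib
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Digest algorithms SRI accepts, mapped to their digest length in bytes.
SRI_ALGOS = {"sha256": 32, "sha384": 48, "sha512": 64}
# One integrity token: "<algo>-<base64>" with an optional "?options" suffix.
TOKEN_RE = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$")


def sri_hash(data: bytes, algo: str = "sha384") -> str:
    """Build the integrity attribute value a page should carry for this resource body."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def check_integrity_attr(value: str) -> list:
    """Return the problems found in an integrity attribute; [] means it is well-formed."""
    problems, tokens = [], value.split()
    if not tokens:
        return ["empty integrity attribute"]
    for tok in tokens:
        m = TOKEN_RE.match(tok)
        if not m:
            problems.append(f"unrecognised token {tok!r} (only sha256/sha384/sha512 are valid)")
            continue
        algo, b64 = m.group(1), m.group(2)
        try:
            raw = base64.b64decode(b64, validate=True)
        except ValueError:
            problems.append(f"{tok!r}: digest is not valid base64")
            continue
        if len(raw) != SRI_ALGOS[algo]:
            problems.append(f"{tok!r}: {len(raw)}-byte digest does not match {algo}")
    return problems


def verify_body(data: bytes, integrity: str) -> bool:
    """Browser rule: use the strongest algorithm listed; accept if any digest for it matches."""
    parsed = [(m.group(1), m.group(2)) for m in map(TOKEN_RE.match, integrity.split()) if m]
    if not parsed:
        return False
    strongest = max((algo for algo, _ in parsed), key=SRI_ALGOS.get)
    actual = hashlib.new(strongest, data).digest()

    def matches(algo, b64):
        try:
            return algo == strongest and base64.b64decode(b64, validate=True) == actual
        except ValueError:  # malformed base64 in the attribute never matches
            return False
    return any(matches(algo, b64) for algo, b64 in parsed)


class SubresourceCollector(HTMLParser):
    """Collect every <script src> and <link rel=stylesheet href> with its attributes."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)  # valueless attributes (e.g. bare "crossorigin") map to None
        if tag == "script" and a.get("src"):
            self.found.append(("script", a["src"], a))
        elif tag == "link" and (a.get("rel") or "").lower() == "stylesheet" and a.get("href"):
            self.found.append(("stylesheet", a["href"], a))


def is_cross_origin(url: str, page_origin: str) -> bool:
    target, page = urlsplit(url), urlsplit(page_origin)
    if not target.netloc:                   # relative URL: same origin as the page
        return False
    scheme = target.scheme or page.scheme   # "//cdn/..." inherits the page's scheme
    return (scheme, target.netloc) != (page.scheme, page.netloc)


def scan(html: str, page_origin: str) -> list:
    """Report each cross-origin script/stylesheet and why its SRI would not protect it."""
    collector = SubresourceCollector()
    collector.feed(html)
    findings = []
    for kind, url, a in collector.found:
        if not is_cross_origin(url, page_origin):
            continue  # same-origin assets are outside the CDN threat model SRI addresses
        problems = []
        if a.get("integrity") is None:
            problems.append("missing integrity attribute")
        else:
            problems.extend(check_integrity_attr(a["integrity"]))
        if "crossorigin" not in a:
            # Without CORS the response is opaque: the browser cannot hash it, so the load fails.
            problems.append("missing crossorigin attribute (cross-origin SRI needs CORS)")
        findings.append({"kind": kind, "url": url, "problems": problems})
    return findings


# Constructed sample page and resource body; the hosts are illustrative, not real sites.
GOOD_JS = b"console.log('hello');"
GOOD_SRI = sri_hash(GOOD_JS)
SAMPLE_HTML = f"""<html><head>
<script src="https://cdn.example/lib.js" integrity="{GOOD_SRI}" crossorigin="anonymous"></script>
<script src="//cdn.example/app.js"></script>
<link rel="stylesheet" href="https://cdn.example/site.css" integrity="md5-abc" crossorigin="anonymous">
<script src="/static/local.js"></script>
</head></html>"""

if __name__ == "__main__":
    for f in scan(SAMPLE_HTML, "https://www.example.org"):
        print(f"{f['kind']:10} {f['url']}: {'; '.join(f['problems']) or 'OK'}")
    print("tampered body accepted:", verify_body(GOOD_JS + b"//x", GOOD_SRI))
```

Two caveats the scanner encodes: a cross-origin integrity attribute without crossorigin is not merely weaker, the browser blocks the load outright because it cannot read an opaque response; and an integrity value using an algorithm outside sha256/sha384/sha512 is ignored by browsers, so the asset is effectively unprotected even though the attribute is present.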

Bypassing WordPress Login Pages with WPBiff

WordPress login pages protected by two-factor authentication can be bypassed because of certain unsafe NTP practices.

The internal clock of a remote server can be manipulated under the right conditions. Because certain WordPress Google Authenticator plugins also rely on the local timestamp, this opens up new ways to circumvent user authentication on the /wp-admin dashboard.

We demonstrate a practical attack against two-factor-protected WordPress login pages, gaining access to the dashboard without access to the token generator app.

Tricking Google Authenticator TOTP with NTP

Because of unsafe NTP practices, the internal clocks of remote machines can be manipulated under the right conditions. Once the clock is altered, expired SSL certificates become valid again (clock rolled back) and cached HSTS policies expire (clock rolled forward).

But what about authentication? Certain TOTP implementations, such as popular WordPress plugins, also rely on the local timestamp.

This article demonstrates a proof of concept for accessing WordPress dashboards protected by two-factor authentication.
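Both NTP posts above (the WPBiff one and this one) rest on the same fact: a TOTP verifier computes the expected code from its own clock, so whoever controls the clock controls which codes are "current". As an added example, not code from the articles or from WPBiff, here is a minimal RFC 6238 TOTP implementation in Python with two verifiers. NaiveVerifier trusts the server clock and keeps no state, which is the behaviour the posts exploit; ReplaySafeVerifier additionally records the last accepted time step, as RFC 6238 section 5.2 recommends, so a code that has already been used cannot be resurrected by winding the clock back. The key is the published RFC 6238 test-vector key (base32 of the ASCII string 12345678901234567890) so the implementation can be checked against the RFC; the timestamps and the "captured code" scenario in demo() are constructed.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30      # RFC 6238 time step in seconds (Google Authenticator default)
DIGITS = 6     # code length Google Authenticator displays

# RFC 6238 Appendix B test key for HMAC-SHA1: base32("12345678901234567890").
# Used only so the code below can be checked against the published vectors.
SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp_at(secret_b32: str, unix_time: int) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated to 6 digits."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = unix_time // STEP
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** DIGITS:0{DIGITS}d}"


class NaiveVerifier:
    """Accepts any code valid within +/- window steps of whatever the server clock says.
    Mirrors a verifier that trusts the local timestamp and keeps no replay state."""
    def __init__(self, secret_b32: str, window: int = 1):
        self.secret, self.window = secret_b32, window

    def verify(self, code: str, server_time: int) -> bool:
        now_counter = server_time // STEP
        for delta in range(-self.window, self.window + 1):
            expected = totp_at(self.secret, (now_counter + delta) * STEP)
            if hmac.compare_digest(code, expected):
                return True
        return False


class ReplaySafeVerifier(NaiveVerifier):
    """Same window check, but refuses any time step <= the last one accepted
    (RFC 6238 section 5.2). A rolled-back clock cannot make a used code valid again."""
    def __init__(self, secret_b32: str, window: int = 1):
        super().__init__(secret_b32, window)
        self.last_counter = -1

    def verify(self, code: str, server_time: int) -> bool:
        now_counter = server_time // STEP
        for delta in range(-self.window, self.window + 1):
            counter = now_counter + delta
            if counter <= self.last_counter:
                continue  # this step (or an earlier one) was already consumed
            if hmac.compare_digest(code, totp_at(self.secret, counter * STEP)):
                self.last_counter = counter
                return True
        return False


def demo() -> dict:
    """Constructed scenario: the attacker holds the code the victim used at t0,
    and later tries to log in with it, with and without shifting the server clock."""
    t0 = 1_450_000_000            # arbitrary moment in December 2015
    captured = totp_at(SECRET_B32, t0)
    real_now = t0 + 3600          # an hour later: the captured code has long expired
    naive, safe = NaiveVerifier(SECRET_B32), ReplaySafeVerifier(SECRET_B32)
    safe.verify(captured, t0)     # the victim's genuine login at t0 is recorded
    return {
        "naive, honest clock": naive.verify(captured, real_now),
        "naive, clock rolled back to t0": naive.verify(captured, t0),
        "replay-safe, clock rolled back to t0": safe.verify(captured, t0),
    }


if __name__ == "__main__":
    print("RFC 6238 vector, t=59:", totp_at(SECRET_B32, 59))
    for scenario, accepted in demo().items():
        print(f"{scenario}: {'ACCEPTED' if accepted else 'rejected'}")
```

The replay-safe variant does not make the clock trustworthy; it only removes the replay of a code that was already spent. A server whose clock an attacker can move freely still has a shrinking validity window and other time-dependent checks (certificate expiry, HSTS) to worry about, so authenticating NTP, or at least refusing large step changes, is the fix the two posts are pointing at.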

War Room

Checklist for Incident Response Teams

Forming a Computer Security Incident Response Team (CSIRT) is a complex affair. It normally involves a combination of staff, processes and technologies.

However, the essentials are the same in most situations, whatever the mission of your CSIRT. This publication provides a list of must-have technologies for every incident response team that is being formed.
