How the attack works:

1. User navigates to your page, like button is embedded invisibly
2. As user moves mouse, JavaScript is used to keep the button beneath the user's cursor.
3. User clicks what they believe is a link on the page and "Likes" the attacker's content instead.
4. User doesn't see any notification of Liking the content, which results in a News Feed story.
5. News Feed contains mention of attacker’s content, which allows it to grow virally.

Twitter run into similar vulnerability last February then fixed by disabling iFrame embeds, but Facebook can't employ the same logic to detect clickjacking since the Facebook like is itself an iFrame. Very critical bug and we'll follow-up to see how Facebook will fix this, until that time watch your facebook account, some unwanted "likes" might be triggered if a website you visit use the vulnerability.

Posted by Hatem at 7:09 PM to Alert | Permalink | Comments (0)

Google released a new security tool Skipfish; a fully automated, active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes. The resulting map is then annotated with the output from a number of active (but hopefully non-disruptive) security checks. The final report generated by the tool is meant to serve as a foundation for professional web application security assessments.

Skipfish key features :

- High speed: pure C code, highly optimized HTTP handling, minimal CPU footprint - easily achieving 2000 requests per second with responsive targets.
- Ease of use: heuristics to support a variety of quirky web frameworks and mixed-technology sites, with automatic learning capabilities, on-the-fly wordlist creation, and form autocompletion.
- Cutting-edge security logic: high quality, low false positive, differential security checks, capable of spotting a range of subtle flaws, including blind injection vectors.

The second version 1.1 beta have just been released few hours ago. Available for Linux, FreeBSD 7.0+, MacOS X, and Windows (via Cygwin); under terms and conditions of the Apache License, version 2.0.

More information and download at http://code.google.com/p/skipfish/

Posted by Hatem at 10:03 AM to Tools | Permalink | Comments (3)

Inspekt is a PHP library that makes it easier to write secure web applications, and released under New BSD License. Inspekt acts as a sort of 'firewall' API between user input and the rest of the application. It takes PHP superglobal arrays, encapsulates their data in an "cage" object, and destroys the original superglobal. Data can then be retrieved from the input data object using a variety of accessor methods that apply filtering, or the data can be checked against validation methods. Raw data can only be accessed via a 'getRaw()' method, forcing the developer to show clear intent.

Inspekt is built upon Chris Shiflett's original Zend_Filter_Input component (now deprecated) from the Zend Framework. Main features include :

• 'Cage' objects that encapsulate input and require the coder to use the provided filtering and validation methods to access input data
• Automatic application of filtering as defined in a configuration file
• A library of static filtering and validation methods
• A simple, clear API
• No external dependencies

A sample usage of Inspekt :

Posted by Hatem at 8:14 PM to Tools | Permalink | Comments (2)

This April 1st will be not funny at all for security experts. We are at D-1 and until today nobody knows what this worm so called Conficker C can really do ! It can damage your computer, your data, steal private information, none knows ! All we know until today that at D-Day all infected computers will be under control of a master computer located somewhere across the web.

Conficker which have been discovered the first time on November 21, 2008, seems to be the worst infection since the SQL Slammer. Estimates of the number of computers infected range from almost 9 million PCs to 15 million computers. On March 27, 2009, the British Director of Parliamentary ICT released a (leaked) memo stating that the House of Commons computer network has been infected with the virus and called for all people who have access the network to use caution and not to connect any unauthorized equipment to the network.[

Conficker is clever in the way it hides its tracks because it uses an enormous number of URLs to communicate with HQ. The first version of Conficker used just 250 addresses each day -- which security researchers and ICANN simply bought and/or disabled -- but Conficker C will up the ante to 50,000 addresses a day when it goes active, a number which simply can't be tracked and disabled by hand.

You can read more about this worm on wikipedia, CNN.

Posted by Hatem at 7:18 PM to General | Permalink | Comments (0)

HTML Purifier is a standards-compliant HTML filter library written in PHP. HTML Purifier will not only remove all malicious code (better known as XSS) with a thoroughly audited, secure yet permissive whitelist, it will also make sure your documents are standards compliant, something only achievable with a comprehensive knowledge of W3C's specifications. Tired of using BBCode due to the current landscape of deficient or insecure HTML filters? Have a WYSIWYG editor but never been able to use it? Looking for high-quality, standards-compliant, open-source components for that application you're building? HTML Purifier is for you!

You can find a very intersting comparaison of HTML Purifier with other HTML filtering solutions such as striptags, PHP Input Filter, HTML_Safe, kses, htmLawed, and Safe HTML Checker. HTML Purifier is available under LGPL license, the key features include whitelist, removal, well-formed, nesting, attributes, xss safe and standard safe. More informations and download at http://htmlpurifier.org

Posted by Hatem at 9:48 PM to Tools | Permalink | Comments (1)

To keep your database safe from SQL injection attacks, GreenSQL is a new Open Source database firewall that you might give a try. GreenSQL works as a reverse proxy and has built in support for MySQL. The logic is based on evaluation of SQL commands using a risk scoring matrix as well as blocking known db administrative commands (DROP, CREATE, etc). GreenSQL is distributed under the GPL license.

GreenSQL Architecture

GreenSQL Web Frontend

In addition to black list patterns that are used to block SQL, GreenSQL have also a white list. If the query is considered illegal - whitelist is check. If it was found in the whitelist, it will be redirected to genuine MySQL server. If it was not found, an empty result set will be send to application. The project is written in C++ and PHP. You can find a demo online to see how GreenSQL looks like. Download is also available from sourceforge.

Posted by Hatem at 6:31 AM to Experience | Tools | Permalink | Comments (0)