Articles
Spring break road trip - Palouse, Stonehenge, Skamania, Ape Caves
While most other families were sensibly sitting on a warm beach in Hawaii, I took my daughters on a road trip across Washington State for...
Children, devices, and going online. A guide to security and privacy.
This guide is meant to be a quick look at some of the risks facing you and your kid as they start going online with...
Building an SDL Program - Part 1 - Where to start?
I'm writing a series on building an SDL program, the plans, the unexpected, the gotchas, and the good stuff. Security Development Lifecycle (SDL) is a...
What's wrong with STEM and right with the Quadrivium?
So I've been touring middle schools in Seattle, a bunch of them, and one thing kept sticking out at me. I'd walk into these classrooms,...
Top ten photos from 2015
Ok, it was really difficult to take 8000 photos, down to 800 good ones, down to 100 really good ones, and pull out just 10...
Watching the Blood Red Super Moon Lunar Eclipse from Seattle
From April 2014 through September 2015 we have had four total lunar eclipses, a rare sequence not seen since 2003 and not to be seen...
Tofino BC Surfing and Milky Way
We've been wanting to trek up to Tofino, BC, on Vancouver Island, for many years, and we finally made it. I've not been to such...
confusables.js - Unicode confusables in javascript
The Unicode Confusables have long been of interest in testing security of applications and social engineering. I work with Unicode often in tools and testing,...
6th Annual Daddy Daughter Backpacking Trip
This year was our annual daddy-daughter backpacking trip that some good friends and I have been doing since our girls were five years old. This...
Who can afford immortality?
People thought it was neat when Amazon announced drone delivery. I think many of us don't realize or believe half of the technology headed our...
Are Surveillance Goals for Political Control?
The Washington Post has reported that the NSA is tracking location data for millions of mobile devices. "Brad Smith, Microsoft legal counsel, said government snooping was...
On Global Surveillance
Back in 2001, I was just one of many warning that the PATRIOT Act gave broad authority to track people. This is what I wrote...
Unicode security testing library
Oftentimes, I want to break software, mostly Web applications, but occasionally platform-related, such as protocols or OS code. When it comes to testing string input...
Privacy in a Web of meta-consciousness
I often get asked by friends and family - how can I keep my personal information online and private at the same time? Is it...
URL Testing
URLs are a cornerstone protocol of the Internet and the Web, but they are often misunderstood, occasionally abused, and quite often manipulated during security testing. I've put...
Generating confusable, lookalike strings
The Unicode Consortium released a utility to generate confusable strings quite a while ago. Since I've seen people trying to create similar tools themselves recently,...
Unicode Normalization in URLs
In some contexts, normalizing a string means upper or lower-casing it. In Unicode "normalization" means something much different. The Unicode standard offers four "normalization" forms...
Testing charset encoding support in Web Browsers
Note: To jump straight to the test page click here: http://www.lookout.net/test/charsets/ascii-unsafe/ Web browsers support a variety of character set encodings mostly for legacy reasons and backwards compatibility....
Testing ASCII-unsafe encodings in Web browsers
Note: To jump straight to the test page click here: http://lookout.net/test/charsets/ascii-unsafe/ [UPDATE: Some feedback from Anne van Kesteren pointed to the fact that all browsers do support HZ-GB-2312,...
Testing registerProtocolHandler and the web+ scheme prefix
Note: jump straight to the test page for navigator.registerProtocolHandler and web+ if you'd rather... A URI (Uniform Resource Identifier) is easily the most recognizable protocol element...
IDNA2003, IDNA2008, domain and sub-domain registrations during the transitional period
To continue on with the discussion about "The risks of using "Eszett" or "sharp s" ("ß") in domain names" - this character is just one of...
The risks of using "Eszett" or "sharp s" ("ß") in domain names
With the transition from IDNA2003 to IDNA2008, there will be four characters that deviate in how they're handled. Meaning that when they are used in...
Many stops equal a U+002E full stop
In IDNA-aware (IDNA2003) applications, the "dot" character we see in domain names like www.example.com has several equals. Specifically the following characters are all equivalent under...
Abusing hyperlink auditing and the "ping" attribute in HTML
I just learned about this proposed feature of HTML which as Anne van Kesteren noted is not in HTML5 at the moment but might be...
Some browsers convert pipe "|" to colon ":" in the file scheme
I just thought this was odd, and may be exploited in cases where a security filter checks the string before the conversion takes place. Here are...
Special Unicode characters for testing, fuzzing, and controlling the visual display of text
WARNING: Some of these characters may cause strange things to happen in your software. Of course, that's the point, right? Here's a minimal set of special...
How Web browsers display a standard SSL connection compared with an EVSSL connection
Secure Sockets Layer (SSL) is a peer to peer (or client to server) communication protocol designed to encrypt the data being transmitted between two computers...
Injecting new line characters (e.g. CR LF) into security logs with Unicode
Today I was asked if ESAPI's approach to sanitizing log messages for CRLF (carriage return, line feed) injection was sound. "CRLF Injection" in this case...
List of characters for testing Unicode transformations and best-fit mapping to dangerous ASCII
I'm attaching two CSV files for use in test cases and tools. The uni2asc.csv contains all of the Unicode characters that map to something ASCII...
Advisory: Certain domain names could allow execution of arbitrary code in Opera
Opera released 10.01 recently, which fixed a memory corruption issue found with Casaba's IDN/URI fuzzer. http://www.opera.com/support/kb/view/938/
Unibomber tool for specialized XSS testing
At Black Hat I’m planning to demo a new tool we’ve been putting together at Casaba Security. It’s mostly a brute force input testing tool...
Advisory: Webkit – Visiting a maliciously crafted website may lead to a cross-site scripting attack
More from: http://support.apple.com/kb/HT3613 CVE-ID: CVE-2006-2783. Available for: Mac OS X v10.4.11, Mac OS X Server v10.4.11, Mac OS X v10.5.7, Mac OS X Server v10.5.7, Windows XP...
Advisory: International Components for Unicode – Maliciously crafted content may bypass website filters and result in cross-site scripting
Update from: http://support.apple.com/kb/HT3613 CVE-ID: CVE-2009-0153. Available for: Windows XP or Vista. Impact: Maliciously crafted content may bypass website filters and result in cross-site scripting. Description: An implementation issue exists...
Major applications fail to include full Unicode support
As I’ve found with most of the major Web-apps out there, including social media giants like Facebook and others, Unicode support is far from complete....
Advisory: International Components for Unicode CVE-2009-0153
Big ones from Apple today: http://support.apple.com/kb/HT3549 CVE-ID: CVE-2009-0153. Available for: Mac OS X v10.5 through v10.5.6, Mac OS X Server v10.5 through v10.5.6. Impact: Maliciously crafted content may...
Unicode security attacks and test cases – Best-fit mappings and String transformations
Best-fit mappings are another complex topic in Unicode, easily overlooked or misunderstood. On the defensive side, if you can only remember two things: Converting to...
Ultrafast UTF-8 decoder by Bjoern Hoehrmann
I believe this is still getting tested by several parties, but it’s obviously a highly optimized implementation of a UTF-8 decoder. Bjoern Hoehrmann released his...
Unicode security attacks and test cases – fuzzing with Unicode
When it comes to fuzzing parsers, protocols, and other software, I want the fuzzer to be capable of producing tests specific to Unicode. Here’s what...
Unicode security attacks and test cases – Normalization expansion for buffer overflows
Normalization, like casing operations, can cause changes to the number of characters and bytes in a string. In testing software, I want to know how...
Advisory: Lenovo/IBM ActiveX buffer overflow
CERT released the advisory for this, which I believe is not being fixed by Lenovo/IBM. http://www.kb.cert.org/vuls/id/340420 This ActiveX control comes preinstalled on many Lenovo systems, and is...
Detecting ill-formed UTF-8 byte sequences in HTML content
One issue I’ve come across, pretty infrequently, is the existence of ill-formed UTF-8 byte sequences in HTML content. As far as I can tell nobody’s...
Watcher: a free web-app security vulnerability scanner
I announced Watcher at CanSecWest and I'm happy to say IE8 Security Program Manager and Fiddler author Eric Lawrence also announced it at MIX09...
Unicode security attacks and test cases: character mappings and normalization for testing
Point: Normalizing strings after validation is dangerous. Impact: filter evasion, enabling code execution. Are you testing a Web or other application in attempt to bypass restrictions on...
Uniview character lookup tool
Richard Ishida has an online character lookup tool which is very nice. It’s called Uniview and it’s comparable to Babelmap in some functionality but it’s...
Presenting IDN spoofing threats to ICANN’s security committee
I had the chance to present to the ICANN Security and Stability Advisory Committee during their ICANN Mexico conference. It was an opportunity to give...
The current state of IDN homograph spoofing in 2009 - you don’t need a .CN to do it
Aside from the frightening SSL stuff, Moxie Marlinspike stirred up some good interest in Internationalized Domain Names at Black Hat in DC with his domain...
Unicode attacks and test cases: IDN and IRI display, normalization and anti-spoofing
Internationalized Resource Identifiers (IRI's) are a new take on the old URI (Uniform Resource Identifier), which through RFC 3986 restricted domain names to a subset...
Unicode attacks and test cases - Visual Spoofing, IDN homograph attacks, and the Whole Script Confusables
More on lookalikes, confusables, IDN homograph attacks, and other fun stuff, continued from the previous post. To recap, the three classes of confusables are: Single-script, Mixed-script, Whole-script. Whole-script confusables...
Unicode attacks and test cases - Visual Spoofing, IDN homograph attacks, and the Mixed Script Confusables
More on lookalikes, confusables, IDN homograph attacks, and other fun stuff, continued from the previous post. Mixed-script confusables: These occur when letters from one alphabet...
IDN spoofing tests
Whole-script spoofing: www.аЬс.com using Cyrillic script for domain label; www.ігѕ.com using Greek script for domain label; ᎳᎳᎳ.lookout.net using Cherokee script for subdomain label; ᗯᗯᗯ.lookout.net using Canadian script for subdomain...
Word mirrors, mirrored words
While researching the confusables it became apparent that this was just the sort of thing 13 year-old jokers would love. And still, there was more...
Unicode attacks and test cases - Visual Spoofing, IDN homograph attacks, and the Single Script Confusables
More on lookalikes, confusables, IDN homograph attacks, and other fun stuff, continued from the previous post. The Confusables: These types of visual attacks are attributed...
Unicode attacks and test cases - Visual Spoofing, IDN homograph attacks, and the Confusables
Let's face it, playing tricks that mess with people's perception can be fun. With Unicode, there's lots of fun tricks to be had. What's to...
Advisory: Adobe Air 1.1 JavaScript execution security vulnerability
Adobe released a patch and bulletin for an issue I reported back in May. The issue is really in WebKit, and many products seem to...
Advisory: BOM'ing Firefox's Javascript Interpreter
Damage: Filter evasion, cross-site scripting. Exploit: Insert Unicode byte order mark (BOM) U+FEFF into javascript statements to bypass filters. Root Cause: character absorption/swallowing. Product version:...
BabelMap - navigating the spectacle of the seventeen planes
BabelMap stays open anytime I'm testing Unicode-enabled software for vulnerabilities. It's very useful for the advanced search - find all code points with the Zs category...
A shifting HTML5 spec could leave many applications vulnerable
We get into a dangerous situation when applications start implementing a standards-based specification that's still in flux. I think it's made pretty clear in the...
32nd Internationalization and Unicode Conference
Just got back from the IUC in San Jose and wanted to post my slides.
Unicode root-cause security issues for generating test cases
When it comes to Unicode implementations, there's a rich set of test cases to perform. Realizing it is the start. Automating it is the next...
Advisory: Browser BOM'ing for XSS
Damage: Filter evasion, cross-site scripting. Exploit: Insert Unicode byte order mark (BOM) U+FEFF into HTML elements, attributes, or javascript statements to bypass filters and execute XSS. Root...
Advisory: Attack of the Mongolian space evaders! (and other Medieval XSS vectors)
Damage: Filter evasion, cross-site scripting. Exploit: Bypass XSS filters, IPS/IDS, AV, or WAF's with specially crafted white_space characters to execute XSS attacks. Root Cause: Interpreting syntax replacements. Product...
Code2000 font
Code2000 is a Unicode-based font supporting a great deal of the glyphs in Unicode 5.1, especially the really important ones like the Phaistos Disk and...
Fuzzing and detecting heap corruption with Gflags, pageheap, windbg and Image File Execution Options
It's time again to do some good ol' down home fuzzing on Windows and can't forget to enable full page heap checking, else I could...
Surrogates, supplementary characters, double-byte, multi-byte, and variable-width encoding ranges in Unicode and ANSI code pages
When I started digging into Unicode I was lost. It started to clear up for me when I eventually found a lot of terms that...
Browser user-agents and variable-width utf-8 encoding issues
Table 3.1B from Corrigendum #1: UTF-8 Shortest Form provides the basis for some interesting test cases. Hopefully I'll have something to report about this this...
HTML 5 postMessage() API allows cross-domain messaging
Finally an answer for mashups and cross-domain widget developers. Also, a lovely attack surface for the security crowd. Now domain-x can communicate with domain-y legally. John...
Sharepoint, WSS and MOSS application development and security testing
Here's a few things to lookout for when auditing or security testing a Sharepoint/WSS/MOSS application, or when building one. But first: a new Microsoft MVP...
String handling when marshalling from .Net to a platform invoke
I've been looking into this recently, and was inspired to write a bit more about this from Michael Eddington's post on the subject. By default, the...
CSS 2.1 escape sequences and encodings
I know there's plenty of good work being done over at places like http://ha.ckers.com, and http://www.thespanner.co.uk/. I have been researching CSS 2.1 and testing some...
Code review checklists
I just learned about Guidance Explorer (from Alik Levin's blog), which has been out for about a year and a half now. Looking for checklists...
Streamlining security code reviews
This is great. From: http://blogs.msdn.com/alikl/archive/2008/01/24/security-code-review-use-visual-studio-bookmarks-to-capture-security-findings.aspx "Security Code Review - Use Visual Studio Bookmarks To Capture Security Findings". How to streamline the process of capturing security flaws during security...
window.open in a new tab
In some automation testing I need to use window.open() to open new tabs rather than completely new browser windows. To do this in Internet Explorer...
Open Redirects - what's the problem?
Been getting this question a bit lately. First off, what's an open redirect? It's a function in your application which sends the user to some...
Firefox renders xmlns xhtml in favor of XSS
My colleague John Hernandez showed me this trick the other day, which has proven useful as an exploit in many cases. If the site returns...
Applying domain restrictions to a browser plugin (ActiveX or XPCOM)
For Internet Explorer, there's Microsoft's Sitelock. For Mozilla, I'm not sure what there is... In that case, we've been working on some solutions that could...
Microsoft Open Source Protocol references
Open Protocol Specifications: http://msdn2.microsoft.com/en-us/library/cc203350.aspx
Microsoft releases detailed specifications and reference documentation for many of the Operating System and Application protocols.
HTML 5 specification (and HTML 4.01), references, and tests
HTML 5 differences from HTML 4: http://www.w3.org/TR/html5-diff/
A vocabulary and associated APIs for HTML and XHTML - the big spec: http://www.w3.org/html/wg/html5/
Planet HTML: http://people.w3.org/mike/planet/html5/
HTML 4.01 test suite: http://www.w3.org/MarkUp/Test/HTML401/current/tests/
HTML 4.01 specification including...
I18N input validation whitelist filtering with System.Globalization and GetUnicodeCategory
Maybe you're building internationalized code and wondering how to build a whitelist filter that will support all the different character sets you're planning to support....
Checking ntoskrnl for rootkit
This is not new, but I needed it the other day and wanted to post it here for memory. In Microsoft's kernel debugger tool 'kd'...
How to view recovery passwords for Windows Vista Bitlocker
Came across this and just wanted to mark it in case I ever need it. How to use the BitLocker Recovery Password Viewer for Active...
Preventing cross-site request forgery (XSRF, CSRF, aka one-click attack)
The XSRF attack exploits the stateless nature of HTTP and your web application. In its essence, an attacker can trick you into taking an action...
Uninformed.org second paper on subverting PatchGuard
Uninformed is pleased to announce the release of its sixth volume. This volume includes 3 articles on reverse engineering and exploitation technology. These articles include:-...
How to: Fuzzing Web Services on IIS 6.0 and ASP.NET
So we want to fuzz something SOAPy, again. Well here's how we're gonna do it. The approach I like to take with clients is a...
To fuzz or not to fuzz web services…
Is it worth the time to run input fuzzing tests against web services? When engaging a client for a security review I'm often the one...
Internet Explorer whitespace-as-comment hack to bypass input filters
When testing for XSS (cross-site scripting) issues, you often need to bypass filters and perform different sorts of encodings and other trickery. To be a...
IIS 6.0 %uNNNN unicode notation in the URL
I do a lot of web app pen testing. Character encoding is always an important part of many input validation test cases. Some people don't...
CSIDL - Shell constants, enumerations, and flags
I worked on an application which had a couple of requirements: Allow users access to their local drive content within a defined scope (e.g. either...
CSS3 specifications and references
CSS 3
CSS3 module: Syntax: http://www.w3.org/TR/css3-syntax/
Introduction to CSS3: http://www.w3.org/TR/css3-roadmap/
CSS3 Basic User Interface Module: http://www.w3.org/TR/css3-ui/
CSS3 Ruby Module: http://www.w3.org/TR/css3-ruby/
CSS3 HTML test cases: http://www.w3.org/Style/CSS/Test/CSS3/Selectors/current/html/index.html
CSS 2.1 specifications and references
Cascading style sheets have been a good vector for cross site scripting (XSS) bugs lately. Especially as social networking sites move to allowing users more...
ViewStateUserKey to prevent XSRF (CSRF or cross-site request forgery) in ASP.NET
ViewStateUserKey has been around for many years and is an easy solution to prevent the infamous XSRF or cross-site request forgery class of attack. It's documented: http://msdn2.microsoft.com/en-us/library/system.web.ui.page.viewstateuserkey.aspx ViewStateUserKey...
Hunting Security Bugs
I had the pleasure of working with the Microsoft Office security test team on the new book Hunting Security Bugs released from MS Press. My...
Bypassing strong-name verification for a .Net assembly
Sometimes during testing I just want to copy a strong-named assembly from a build machine to my worktop. However the assembly won't run if the...
The Soviet Kernel hack
Interesting article about how user-mode code can access kernel address space and setup a call gateway descriptor GDT without using a driver. http://www.codeproject.com/system/soviet_kernel_hack.asp
Internet Explorer specific support for CSS (cascading style sheets)
1. The CSS attributes IE supports, including versioning: http://msdn2.microsoft.com/en-us/library/ms531207.aspx
2. Dynamic properties using 'expression' to execute javascript: http://msdn2.microsoft.com/en-us/library/ms537634.aspx#Implement
This is a simple example of executing script through an expression...
OpenBSD built in exploit protections
Presentation by Theo de Raadt, Exploit Mitigation Techniques (updated to include random malloc and mmap): http://www.openbsd.org/papers/ven05-deraadt/index.html Talks about stack gaps and W^X (write or execute) memory...
Cybergeography
Internet maps, web application mapping, CAIDA images, and lots of very interesting technology and imagery for the cybernaught in each of us. http://www.cybergeography.org/atlas/ It's a closed project...