Friday 20 January 2012

An update on my research into attacking Security Gateways via the Web UI – and Blackhat Europe

I haven't written much on my blog for the past few months. This is because I have been very busy with my exploit-development research.

A while back I had the idea to combine web-attacks with Security Gateways, mix things up, and see what happens. This has been very productive, and a lot of fun.

In short, over the past 4 months, I have raised 30+ PoC exploits with vendors of Security Gateways. I have looked at quite a few Gateway products, and discovered serious vulnerabilities in almost all of the ones I have investigated.

Whilst Security Gateway products provide good security features for the protocols and services they protect, if a gateway product is not secure in itself, it can be attacked directly and compromised.

If an attacker can gain control of an organization's gateway, this is a very powerful position for further attacks, such as traffic-sniffing and powerful man-in-the-middle attacks, disabling network protections, and pivoting the attack to target other systems and users on the internal network.

We often take the security of security software for granted, assuming that because the software comes from a company that understands security, the product itself is very likely to be secure.

This is frequently an incorrect assumption in regard to Security Gateway UIs, as usually the developers that design, code and test the UI are not “security” people, and are more focused on UI design, functionality, usability, supportability and branding, than on security.

There are a huge variety of web application attacks that have been historically used against public-facing websites and their users. Many of these attacks are transferable to web-based product UIs, and this can have a very interesting impact when applied to Security Gateway UIs.

Most of the serious issues I have found in Security Gateway products have been caused by one or more of the following:
  • Lack of input-validation (leading to attacks such as XSS and Command-injection)
  • Predictable URLs and parameters (and therefore CSRF)
  • Excessive privileges of running services
  • Direct file browsing
  • Session-management issues
  • Weak session-tokens
  • Password Guessing
  • Authentication bypass
  • Verbose information disclosure
  • Out-of-date 3rd party software
  • Arbitrary file upload
  • Standard installs with poor configurations
  • Trivial Denial of Service vulnerabilities
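The first two items on that list, missing input validation and predictable, unprotected state-changing requests, are the ones that most often turn a gateway's own admin UI into the way in. The following is an added example, not code from the original post or from any of the products mentioned: a minimal Python model of a gateway "ping diagnostics" admin action, showing the vulnerable string-built command next to a hardened version that validates the hostname and passes an argv list (never a shell string), plus a per-session CSRF token that is issued and checked with a constant-time comparison. The `HOSTNAME_RE` pattern, the `SessionStore` class and the form dictionary shape are all assumptions made for the illustration; nothing is executed, the functions only build the command.

```python
import hmac
import re
import secrets

# Hostname validation (assumed rule for this example): RFC 1123-style labels only.
# Shell metacharacters, spaces and other separators can never match this pattern.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)"
    r"[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?"
    r"(?:\.[a-zA-Z0-9](?:[a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?)*$"
)


def is_valid_hostname(host: str) -> bool:
    """Return True only if host is a syntactically valid hostname or dotted IPv4 literal."""
    return bool(HOSTNAME_RE.match(host))


def build_ping_command_unsafe(host: str) -> str:
    """The vulnerable pattern: user input concatenated into a shell command line.

    Anything the shell treats specially in `host` changes what gets run.
    """
    return "ping -c 1 " + host


def build_ping_command_safe(host: str) -> list:
    """The hardened pattern: validate first, then return an argv list.

    An argv list handed to subprocess without shell=True is never re-parsed by a shell,
    so the hostname is always a single argument to ping.
    """
    if not is_valid_hostname(host):
        raise ValueError("rejected hostname: %r" % host)
    return ["ping", "-c", "1", host]


class SessionStore:
    """Per-session CSRF tokens (assumed in-memory store for the example)."""

    def __init__(self):
        self._tokens = {}

    def issue_csrf_token(self, session_id: str) -> str:
        # 32 random bytes from the OS CSPRNG; embed this in the admin form as a hidden field.
        token = secrets.token_urlsafe(32)
        self._tokens[session_id] = token
        return token

    def verify_csrf_token(self, session_id: str, presented) -> bool:
        expected = self._tokens.get(session_id)
        if expected is None or not isinstance(presented, str):
            return False
        # Constant-time comparison so timing does not leak how much of the token matched.
        return hmac.compare_digest(expected, presented)


def handle_ping_request(store: SessionStore, session_id: str, form: dict) -> list:
    """Model of the admin endpoint: CSRF check first, then input validation, then argv."""
    if not store.verify_csrf_token(session_id, form.get("csrf_token")):
        raise PermissionError("CSRF token missing or invalid")
    return build_ping_command_safe(form.get("host", ""))


if __name__ == "__main__":
    store = SessionStore()
    token = store.issue_csrf_token("admin-session-1")
    # Constructed sample requests: one well-formed, one carrying shell metacharacters.
    print(handle_ping_request(store, "admin-session-1",
                              {"csrf_token": token, "host": "gateway.example.com"}))
    for bad in ({"csrf_token": token, "host": "gateway.example.com; id"},
                {"host": "gateway.example.com"}):
        try:
            handle_ping_request(store, "admin-session-1", bad)
        except (ValueError, PermissionError) as exc:
            print("rejected:", exc)
```

The order of checks matters: the CSRF token is verified before the request body is looked at, so a cross-site request never reaches the validation code at all, and the validated value only ever travels as one argv element. Allow-listing the input format (rather than trying to strip "dangerous" characters) is what makes the first bullet go away; the per-session unguessable token is what removes the predictability the second bullet relies on.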

I am currently working to complete a white-paper detailing some of the common findings, and I have recently been informed that I have been accepted to speak at Blackhat Europe on this subject. I will release the white-paper at Blackhat, so more information to come...

... and if you are going to Blackhat Europe, I might see you there!
