OWASP Top 10 (2017 Release Candidate) - Thoughts

OWASP Top 10 2017 Release Candidate - PDF

I understand the importance of highlighting the Underprotected APIs (A10), and I do agree with the importance of it. However, to my eyes this is another stage during a security assessment, while the penetration tester is engaging into testing for different types of Injections (A1). 

I believe Injections (A1) should include the Underprotected APIs.
(especially based on the example attack scenarios given in the PDF page 17 for the Top 10 RC)

From what I have seen on several real-world projects, Unvalidated Redirects and Forwards, is a very common security issue (when you manage to identify where it is hiding) but it is not highlighted in security reports (and penetration testing reports) that often. Thus, it seems and fills like, it is not that popular as a finding. 

One of the main reasons this particular security issue is not mentioned that often, is because businesses (the business perspective) see this highlighted risk as a "two-step attack", so, instead of addressing it, they simply "accept the risk".

From what I have seen in different real-life projects, dropping "A10 – Unvalidated Redirects and Forwards" will be mistakenly perceived (misunderstood) as an "insignificant" security issue, while, it can be used to spawn a number of attacks. 

If an attacker manages to redirect/forward a user to a fraudulent website (that looks exactly like the legitimate one), then it is game-over for that user. How many of you remember the issues with the Unicode URLs back in the day? In one case, two companies lost a significant amount of money because of a fraudster, due to this "insignificant" issue.

Just to mention a couple very recent examples: 
punicode https://www.wordfence.com/blog/2017/04/chrome-firefox-unicode-phishing/
or the unvalidated redirect on linkedin, which allowed to download malware from linkedin redirects (even though they were hashing the urls).
https://gfragkos.blogspot.co.uk/2015/06/linkedin-security-issue-unvalidated.html

So, in my humble opinion, A1 should be Injections that include calls to Underprotected APIs: 
A1 - Injections, including Underprotected APIs

and keep:
A10 - Unvalidated Redirects and Forwards. 

This blog post is intended to be perceived as food-for-thought.

Xcode update is stuck at waiting

This is something that happens often and I wanted to make sure you are going to fix this the right away, without causing any problems to your system and save you some time. 

This was written for Xcode 8.3 (but it has worked for previous versions as well) and it is confirmed that it works on:
OS X 10.10 Yosemite, OS X 10.11 El Capitan, and macOS 10.12 Sierra.

I am assuming that you are at your Updates screen and Xcode is stuck at "waiting". Click on Xcode (the actual name/caption of the pending update) and the relevant page of Xcode on App Store will show (see below). 

When you click the Update button (beneath the application icon on App Store), a little progress bar appears beneath it, and it usually tells you "less than a minute" (but it is stuck there forever). 

Don't navigate away from this screen on App Store, because we want this little progress bar to be our indicator on what is happening. 

• Open a new Finder window and click Applications (top left hand side). 
• Scroll down to the Xcode application and drag the application to Trash.
• You will be asked to confirm your password before moving Xcode to Trash.
• Once you enter your password, there will be a prompt asking you if you want to cancel the update or delete the app. Choose delete. 
• You will notice that immediately after clicking delete, xcode starts downloading the updated version, and you can see/confirm that at the progress bar (as discussed earlier on) and it will tell you how long it will take (it can take an hour, depending on your Internet connection).
• (optional) If you want to save some space on your disk, go to Trash, right-click on xcode, and delete it completely from the system. It will ask you again to confirm your password. 

Don't forget to plug-in your computer, as the whole process takes a while, and the computer might go to sleep and suspend the download and/or the installation. 

IBAN Country List

IBAN (International Bank Account Number) that originates from a member or joining country of the EU or the EEA. FYI: Switzerland and other countries that have adopted the use of IBAN. 

A couple things about the IBAN

Instructions for Screen or Braille Reader users

• This IBAN Checker validates the format of an IBAN which you can either type or paste into the input boxes.
• The results of validation are normally shown on the screen. To receive the IBAN Checker results in a dialogue box that your screen reader should be able to interact with, check the first checkbox that you come across in the form. The prompt for this box reads 'Screen reader users please check this box to receive the results of the IBAN Checker as a dialogue box'.
• Two sets of input text boxes are provided for you to enter your IBAN for checking.
  • The first set of nine input text boxes allow you to type in the IBAN four characters at a time.
    • You will need to tab from one text box to the next.
    • Each text box will only allow a maximum of four characters.
    • The IBANs have a specific format, and some possible formatting errors are detected as you are keying characters into these text boxes.
    • These errors are notified to you in dialog boxes with an OK button which you must action before you carry on.
    • When you action these dialogue boxes you should be aware that incorrect input is not cleared out of the input text boxes.
  • After the multiple input boxes there is a single longer input box into which you can type the complete IBAN. Or alternatively you can paste the IBAN into this box if you have received it electronically - ie in an email.
  • Typing into any of the multiple input text boxes will clear out any characters you may have typed or pasted into the longer input text box.
  • Similarly typing or pasting into the longer text box will clear out any characters you may have typed into the multiple input text boxes.
• Two buttons are provided on the form.
  • The first button triggers the checking of the IBAN you have entered.
  • The second button clears out all the input text boxes.

- Each IBAN has a predefined length (depending the country it belongs to).
- Each IBAN has a country prefix.
- The IBAN should not contain spaces when processed electronically (or the word 'IBAN').

In case someone needs this information, I will just leave that list below :)

Ticketbleed (CVE-2016-9244)

A vulnerability similar to the well-known heartbleed was discovered in the TLS/SSL stack of F5 BIG-IP appliances that allows a remote attacker to extract up to 31 bytes of uninitialized memory at a time. This vulnerability is called Ticketbleed as it lies in the implementation of Session Tickets, which is a resumption technique used to speed up repeated connections. The vulnerability affects the proprietary F5 TLS stack which exposes 31 bytes at a time.

F5 published article K05121675 addressing this vulnerability. You can read the story of how Ticketbleed was found and a complete technical walkthrough on the Filippo.io blog.

Test
You can test your domain using the automated script which you can find at: https://filippo.io/Ticketbleed/

Alternatively, you can test for Ticketbleed yourself with a Go script: here

Fixes and mitigation
The full list of affected versions is available on the F5 website. At the time of this public disclosure not all releases have upgrade candidates available.

Disabling Session Tickets is a complete mitigation, which will only cause a performance degradation in the set-up phase of resumed connections.

Reproduced here are the instructions provided by F5 and available at the link above.

1. Log in to the Configuration utility
2. Navigate on the menu to Local Traffic > Profiles > SSL > Client
3. Toggle the option for Configuration from Basic to Advanced
4. Uncheck the Session Ticket option to disable the feature
5. Click Update to save the changes

Source: https://filippo.io/Ticketbleed/

Guest Speaker for University of South Wales (Information Security Research Group) - InfoSec Community; Stepping into the security industry

I had the pleasure to be invited as a guest speaker to the University of South Wales by the Information Security Research Group (ISRG). The talk was about the Information Security community and more specifically how young professionals can step into the security industry.

During this talk, the students (graduates & postgraduates) had the opportunity to understand and discuss what they can do today in order to ensure they are well prepared when it comes to stepping into the security industry.

The talk included an introduction to what is considered to be a security oriented mindset, provided a number of quick tips, mentioned several online resources, and last but not least how to prepare for an interview. The students among a number of subjects that were raised during the talk, were also introduced to penetration testing types, practices, methodologies, real stories from the industry, tools, and techniques. Black Box testing versus White Box testing was explained, the significance of white-listing was discussed and a brief comparison between Vulnerability Assessments and Penetration Testing was given.