Web Security Training

Navigating the web security landscape

Navigating the web security landscape


The websec digest #12

The websec digest gives you a filtered overview of noteworthy incidents, interesting technologies and upcoming events. This edition's headline is the DNS-based attack on a Brazilian bank that resulted in a complete takeover of their online presence.

While the attack on the Brazilian bank is not new, the details of the operation are only surfacing now. The attackers managed to compromise the bank’s DNS accounts, allowing them to change arbitrary settings. Since DNS is used to bootstrap all Internet traffic, this means that the attackers gained full control over all of the traffic between the customers and the bank.

With control over the DNS settings, the attackers could easily redirect traffic to their own servers. Since they appeared to be the legitimate owners of the domain, they could even get valid HTTPS certificates, allowing them to perfectly mimic the banking site. Such a sophisticated attack would probably even go unnoticed to the most seasoned security professionals.

This is an absolute nightmare scenario, and maybe a good warning to check how you protect access to your DNS settings?

WordPress had a couple of content injection vulnerabilities in the past few weeks. One of these issues was a Stored Cross-Site Scripting attack, which can have serious consequences. The full write-up is an interesting read, as it explains how the defenses that were in place could be bypassed using a carefully crafted URL. If you’re running a WordPress site, make sure to patch it to the latest version!

This nugget from the academic research community demonstrates how to turn signature-based antivirus software in an attacking tool. In the paper, the researchers show how to automatically infer the signature of malware. Whenever the antivirus software finds a file that matches this signature, it will see it as malicious, and take appropriate actions. As the researches demonstrate, this becomes problematic if someone would use such a signature as input (e.g. a URL, username, …), causing the entire log file to be deleted.

A couple of months ago, IoT became prominent in the security scene, because of the Mirai botnet. Last week, things have taken a turn for the worse, as IoT malware is starting to show destructive behavior. People have coined these attacks as PDoS, or Permanent Denial of Service. The malware uses similar entry points as Mirai, but then proceeds to brick the devices. Definitely a worrisome trend, but hopefully a good incentive to take security more seriously.

As usual, we conclude the digest on a positive note. In the past weeks, I came across two resources packed with security-relevant information. The first is a 30-page document titled The Basics of Web Application Security. The document covers a lot of aspects of building secure web applications, and definitely touches upon numerous important security practices.

The second resource is a guided tour of Cross-Origin Resource Sharing (CORS). The document starts with the Same-Origin Policy, and dives into CORS step by step. If you’re dealing with cross-origin XHR requests, this is a must-read!

Upcoming Events

Two highlights of upcoming events:

  • On April 24 and 25, you can attend the Web Security Essentials training course, which will show you where your applications are vulnerable, how you can protect them, and which best practices you should be applying today. Attending the course also means you get a free set of YubiKeys. More information and registration.
  • I have been invited to give a talk on building secure Angular applications at AppSec EU in Ireland. This is one of the most important web security conferences in Europe, so I definitely hope to see you there!

As usual, you can find the full list of events on my speaking page.


Comments & Discussion