Archive for January, 2009

All-In-One HTML + Javascript + CSS Formatter

Thursday, January 29th, 2009

I do a lot of pen testing on web applications. From time to time, I have to analyze and understand how the web page code works. However, my task becomes complicated as web applications typically use some sort of source code compression. This makes it very hard to understand the code and hampers the readability to a large extent.

A web page is composed of three major content types, namely HTML content, Javascript Code and CSS styling code. I felt the need of a tool that could beautify or format the entire web page source code. I use Burp Suite, my favorite web proxy tool. However, it does not have source code formatting feature, it just colors the web page by choosing different colors for html tag names, html attribute values, javascript, css, etc.

I looked on the internet for free alternatives, but I could not find free tools that could format the entire web page. Most of them could only format either one of HTML or Javascript or CSS. So, I decided to write a perl script myself. I used the libraries HTML::Tidy by Dave Raggett and Javascript::Beautifier by Einars Lielmanis. And I have written my own CSS formatting code.

Example of HTML Formatting

Example of CSS Formatting

Example of Javascript Formatting


In addition, I have done one more improvement by formatting the javascript code in html event handlers. I picked the comprehensive event handlers list from XSS Attacks Book by RSnake, Jeremiah, Pdp, Anton Rager and Seth Fogie. Another excellent book to have on your shelf.

Example of Event Handler Code Formatting (see the onload and onclick event handlers)


And finally the …

Inferno’s All-In-One HTML + Javascript + CSS Formatter
Paste your Source Code below

I would advise trying any of the search engines’ source code like google, yahoo, etc. Their code is highly compressed. If you have any problem using the text box above, try using this Link.

Plans for future additions include
* Add custom event handlers and variables (e.g. expr variable in Samy Worm Code)
* Javascript Deobfuscation
* More configuration Options
* Burp Proxy Plugin

Please provide your valuable suggestions to improve this tool. This tool is completely free for your use.

Share:
[del.icio.us] [Digg] [Facebook] [Google] [LinkedIn] [Reddit] [StumbleUpon] [Technorati] [Twitter] [Yahoo!] More »

Tags: , , , , ,
Posted in General, Solutions, Tools | 2 Comments »

Easy Server Side Fix for the GIFAR security issue

Saturday, January 24th, 2009

The GIFAR issue was found by security researchers Billy Rios and Nate Mcfeters. To summarize the exploit, an attacker uploads a malicious image with embedded jar content on a target domain. This malicious image opens in any image viewer correctly and so it bypasses any content validation engine used by a web application. Then an attacker references this malicious image in the applet code on his or her evil site, establishing a cross-domain communication channel with the target domain. This attack is very serious because it breaks the Same Origin Policy principle. Also, this problem is not just confined to images, it is applicable to other file types such as doc, etc. Another great writeup on Jar File Issues is on pdp’s blog.

In Billy’s Blog, two solutions have been discussed :-

Solution 1. Update to the latest version of JRE. This will protect you. However, if I am a web application writer, I cannot ensure that my customers will be protected. The reason is I cannot control the JRE version that my customers will be running on their client machines. The JRE updates don’t work like Windows Updates. So their obsolete JRE environments will not get automatically updated, which leaves them vulnerable to cross-domain exploits. So, Billy discusses another solution for the application writer.

Solution 2. Serve user controlled files from a “throw away” domain. However, having a separate domain might not be feasible at all times, for reasons such as cost, management issues, etc.

My Solution. This made me think of some solution that could help an application developer to filter malicious jar content on the server side. If the application is able to restrict the upload of malicious files, it solves the problem on the server side without worrying about which version of JRE the client is running. I found the api JarFile in Java library java.util.jar to be extremely useful. It takes as input a file parameter, and returns a JarFile object if the input file has jar content. Otherwise, it raises a java.util.zip.ZipException exception.

I have constructed Proof of Concept code that tests a input file for malicious jar content.

import java.io.*;
import java.util.*;
import java.util.jar.*;

public class DetectGIFAR {
    public static void main (String args[])
         throws IOException {

		if(args.length != 1)
		{
			System.out.println("Usage: java DetectGIFAR image_file");
			System.exit(1);
		}

		try
		{
			JarFile jarFile = new JarFile(args[0]);
			System.out.println("This is a malicious image with embedded jar content.\nFollowing are the contents:-");
			Enumeration jarenum = jarFile.entries();
			while (jarenum.hasMoreElements()) {
				JarEntry jarent = (JarEntry) jarenum.nextElement();
				System.out.println(jarent.getName() + ", " + jarent.getSize() + " bytes");
			}
		}
		catch(java.util.zip.ZipException e)
		{
			System.out.println("This is a benign image file. No jar content detected.");
			System.exit(0);
		}
		catch (Exception e)
		{
			System.out.println("Error occured. Unable to process GIFAR contents.");
		}
	}
}

DetectGIFAR.java, DetectGIFAR.class, titanic.gif, evil.gif

Below is sample output

And if you are new to the GIFAR exploit, below is example html applet code that loads a malicious gif hosted on my domain. You need to have the vulnerable JRE 1.6 update 10 or lower to see this applet running. You can play with this applet by typing anywhere inside it :) .

Let me know your thoughts and opinions on this server side fix. I am always open for discussions.

Share:
[del.icio.us] [Digg] [Facebook] [Google] [LinkedIn] [Reddit] [StumbleUpon] [Technorati] [Twitter] [Yahoo!] More »

Tags: , , ,
Posted in Solutions, WebAppSec, XSS | No Comments »

Welcome to Inferno’s Blog !!

Friday, January 23rd, 2009

Hello Everyone,

I am “Inferno” from California, United States. I have just started my blog this week. It will be all about my research and knowledge in the application security area, especially concentrating on web application security.

I am deeply inspired by works of Security Researchers – Robert “RSnake” Hansen and Jeremiah Grossman, and follow their blogs closely, just like most people in the web app security space :) .

My Email Address is Inferno {at} SecureThoughts.com

Share:
[del.icio.us] [Digg] [Facebook] [Google] [LinkedIn] [Reddit] [StumbleUpon] [Technorati] [Twitter] [Yahoo!] More »

Posted in General | No Comments »