BreakingPoint Labs

BreakingPoint LiveLook: QA for QA

We're back with another BreakingPoint LiveLook on this Friday morning. In today's video, Dennis talks to Chuck Summers about writing QA scripts for our network equipment testing products. The two of them also chat about work commutes and Friday beer, not to mention Chuck's plea at the end.


Clickjacking Technique Using the 'onmousedown' Event

A few weeks ago, Tod Beardsley wrote about (not) 'clickjacking' here on the BreakingPoint Systems blog.  He covered a number of techniques to accomplish generating a 'popup' window without triggering any of the traditional popup protections that some browsers feature.  The idea was essentially to cause the user to 'request' the popup, thus making it legitimate in the eyes of the browser.  Later, he covered his speculation on the 'real clickjacking' attack, which didn't use JavaScript at all but rather did some interesting CSS overlay trickery to hijack a link out from under the user as they clicked on it.

During some research that I was recently performing, which I'll likely post about a little later, I discovered another technique that's a bit of a middle ground between the two methods that Tod was discussing in his blog posts. He came close to this one with his hooking of the 'onmouseup' event; however, he was having it spawn a completely new window (the popup) in addition to following the link, rather than 'jacking the click' and sending it somewhere entirely different. This is essentially the same type of event hooking technique, but it is used to accomplish actual replacement of the link's target URL.

The following JavaScript function accepts as arguments a link object such as you would find in the document object's links array and a URL that you want to override the original link's URL with:

function AddJacker(link, url) {
  // Standards DOM: register a mousedown handler alongside any existing listeners.
  if ( link.addEventListener ) {
    link.addEventListener("mousedown", function(e){ link.href = url; }, false);
  // Legacy IE: same registration via attachEvent.
  } else if ( link.attachEvent ) {
    link.attachEvent("onmousedown", function(e){ link.href = url; });
  // Fallback: wrap any existing onmousedown property handler so it still runs.
  } else {
    var oldhandler = link["onmousedown"];
    if ( oldhandler ) {
      link["onmousedown"] = function(e){ oldhandler(e); link.href = url; };
    } else {
      link["onmousedown"] = function(e){ link.href = url; };
    }
  }
}

What this essentially does is create an event handler for the 'onmousedown' event for the target link. When the user clicks on the link, the 'onmousedown', 'onclick', and 'onmouseup' events are fired. Since the 'onmousedown' event happens first, its handler is called and replaces the link object's href value with the new target URL, before the browser sends the user on their way to the link's target URL.

The interesting bit about this technique in comparison to the 'onmouseup' technique that Tod was using is that it doesn't result in the user both going to the original target as well as the new target; they are only redirected to the new target, completely overriding the original target.  Like Tod's technique, because the new target URL is hiding in a function that is handling the 'onmousedown' event, a mouseover of the link in the browser indicates that it is still targeting the link's original URL.  The replacement of the URL doesn't happen until the user actually clicks on the link.
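A defensive check for the swap described above, written as an added example and not code from the original post: the guard records a link's href when the pointer enters it and re-checks it when the click is processed, so a handler that rewrites href on 'mousedown' is caught before the link is followed. The link object, event registration and dispatch order below are constructed stand-ins for the DOM so the logic runs outside a browser; in a real page the two functions would be called from capturing "mouseover" and "click" listeners on document.

```javascript
// Maps each link to the href the user saw while hovering it.
const shownHref = new WeakMap();

// Call from a capturing "mouseover" listener: snapshot the displayed target.
function noteHoveredHref(link) {
  shownHref.set(link, link.href);
}

// Call from a capturing "click" listener. Returns the href to follow, or null
// when the target changed after the user hovered it (caller should then
// preventDefault() and log the seen vs. actual href).
function checkClickedHref(link) {
  const seen = shownHref.get(link);
  if (seen !== undefined && seen !== link.href) {
    return null;
  }
  return link.href;
}

// Constructed stand-in for an <a> element with DOM-style event registration.
function makeLink(href) {
  const listeners = {};
  return {
    href,
    addEventListener(type, fn) { (listeners[type] = listeners[type] || []).push(fn); },
    fire(type) { (listeners[type] || []).forEach((fn) => fn({ target: this })); },
  };
}

// Replays the browser's event order for one click and applies the guard:
// mouseover (snapshot), then mousedown, mouseup, click (check).
function simulateUserClick(link) {
  link.fire("mouseover");
  noteHoveredHref(link);
  link.fire("mousedown");
  link.fire("mouseup");
  link.fire("click");
  return checkClickedHref(link);
}

// Constructed inputs: an untouched link, and one with the mousedown href swap
// from the post above attached to it.
const honestLink = makeLink("https://example.org/real");
const swappedLink = makeLink("https://example.org/real");
swappedLink.addEventListener("mousedown", () => {
  swappedLink.href = "https://example.test/elsewhere";
});
```

In a browser the same comparison can be logged to the console or reported to an endpoint, which turns a silent redirect into a detectable event.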


Clickjacking Aftermath

To get new readers up to speed: In the middle of September, researchers Rsnake and Jeremiah Grossman were planning on a talk at OWASP regarding a purportedly new web attack dubbed "Clickjacking." At the request of Adobe, they withheld proof of concept code and salient details until a patch was available to help mitigate Clickjacking's effects. Within two weeks or so, Adobe did, in fact, release APSA08-08 for Flash. With that coast clear, Rsnake published his and Grossman's paper here, which lays out the gory details. No problem, since Adobe's patched now, right?

Hmm, not so much. Clickjacking -- the technique of incorporating obscured, invisible, or otherwise counter-intuitive links from external sources via iframes in order to trick users into clicking them -- affects much, much more than merely resetting Flash permissions. It's essentially a means by which malicious web site operators and web content authors can subvert the web browser's Same Origin Policy to get victims to perform actions on the attacker's behalf.

Firefox users can take some solace in Giorgio Maone's addition of ClearClick to his most excellent NoScript extension; however, everyone else (which should be taken as "pretty much everyone") needs to rely on their favorite sites taking their own countermeasures via frame busting, secondary authentication, or other mechanisms to avoid being driven via malicious iframes.

With this in mind, I decided to take a quick peek at Alexa's top ten web sites to see how they handled being an iframe source. The (completely harmless) test page is below if you'd like to see my tests and notes for yourself.

http://www.planb-security.net/notclickjacking/iframe_madness.html

The short story: Of the most trafficked web sites in the world, sensitive personal information editing functions can be trivially incorporated in an attacker's iframe. These results didn't come as a complete surprise, of course. However, I was kind of hoping these hugely popular site operators might have implemented something in the month and a half since Clickjacking made the news. I guess we'll just have to wait for the (inevitable) series of wildly successful, high-profile clickjacking-enabled attacks before the Googles, Yahoos, and Facebooks of the world take on the threat on their own properties.


10G = $9.5B Says Research Firm

According to a new report from Infonetics Research, the market for 10 Gigabit per second (10Gbps) networking equipment will grow to $9.5B in 2008, up from $7.3B just last year. That is quite the revenue jump, particularly in today's economy. Sean Michael Kerner at InternetNews.com has the full story, which expands into the quest for 100 Gig Ethernet:

The researcher (Infonetics) is forecasting growth for 40G to have a compound annual growth rate of 59 percent from 2007 to 2011. Michael Howard, Infonetics' principal analyst and co-founder, said he expects service providers will take up 40G in the near term even though the faster 100G speed is also on the horizon.

100G is expected by Infonetics to start making inroads in 2009, though broader adoption and revenues are not expected until 2013, according to the study. Howard added that 100G is important as it will likely be in use until at least 2025.

In a conversation about these forecasts I thought our CTO Dennis Cox had an interesting comment:

"I think these predictions are a bit early; 10G in the back room, definitely, but you really need some 10G to the desktop (a minor portion at least) to make that much damage. Obviously, some applications are REALLY pushing bandwidth right now and bonding is getting much more common than even I thought it would become, so perhaps that is driving demand, which always skews analysts (in a good way). The other thing to think about; 10G chipsets are really expensive right now -1G is down to 40 bucks a port (which is really cheap) since 5 years ago it was 200 bucks a port."

Dennis is right, we are seeing 10G network equipment in the back room, and his look at the need up front and the chipset costs gel with many questions I have about these numbers. Since I do not have access to the report I'm not sure if Infonetics takes on the challenge that the delayed 40G/100G standard may pose, or the potential of an even steeper economic downturn. Would love to hear from Infonetics on this topic.

OK, here's your chance, tell me what you think of these predictions around 40G/100G, leave comments below or get involved with the conversation on Twitter.

Tags: 10-40-100 gige // blog post //

Penetration Testing IPv6 & Infrastructure 2.0

Perusing the web today, I found two interesting articles, both with a forward-looking edge; some nice reading for you all on this Monday afternoon. The first comes from BreakingPoint's own HD Moore and dives into Exploiting Tomorrow's Internet Today: Penetration Testing with IPv6. The paper takes a look at how IPv6-enabled systems "...with link-local and auto-configured addresses can be compromised using existing security tools". My first thought was to question the overall importance, since IPv6 has not been emphatically embraced, at least not compared to the promise. However, HD correctly points out:

"Even though most networks are not “IPv6” ready, many of the machines on those networks are. The introduction of a new protocol stack introduces security challenges that are not well-known and often overlooked during security evaluations."

Check out the paper and let us know your thoughts; the end lesson for me: "Be Prepared".

The next article that caught my eye today was "The Next Tech Boom: Infrastructure 2.0" by Gregory Ness. Although I have a pet peeve concerning the moniker "2.0", Mr. Ness hits on some important points around static infrastructure, dynamic infrastructure and the players that sit within these camps. The piece dives into, among other topics, how network management costs will continue to rise and why the static players, particularly within a recession, must add more intelligence and automation to their devices and software. The author put it aptly in a reply to a comment I posted:

"They'll benefit from the spread of TCP/IP but not to the extent they could if they became more strategic to the emerging initiatives."

It would be interesting to add the testing factor into this equation for these industry players and how, with the obvious need to rapidly introduce content-aware network equipment, proper testing is not the only prerequisite.  The testing itself must be automated, intelligent, quick, easy and ultimately cost-effective. A lot of criteria for network equipment testing but interestingly all things mentioned in the video from last Friday.

