Thursday, July 28, 2011

Chrome Blocking "Insecure Scripts" from Facebook

I ran into an issue this evening while browsing on Chrome 14.0.835.2 dev-m. As I visit various pages, a new feature in Chrome (since version 12, I believe) is blocking "insecure scripts" from running. A few weeks ago, I noticed that an insecure script would be blocked every couple days or so. However, tonight I was seeing the popup on almost every site I visited. I realized that this had to do with Facebook when I visited Facebook and it looked like this.
Keep in mind that I do use Facebook's permanent HTTPS feature, which may have something to do with this. The fact that Facebook is causing issues explained why I was having issues elsewhere around the web: Facebook is embedded in some form on almost every webpage. I confirmed this by checking Chrome's developer tools to see what was being blocked on these pages.
To determine what was causing this, I decided to disable HTTPS in Facebook and see what happened. Turning off HTTPS allowed Facebook to load around the web without causing the "insecure script" warning in Chrome. 

So what was causing this? Looking into Chrome's developer tool, it appears that it is blocking a CSS page from Facebook, which explains why Facebook loads without its styles present as you can see in the image above. Also, Chrome takes issue with a number of lines of JavaScript used within the Facebook page. In total, it found 10 errors and 45 warnings on Facebook's homepage alone.

The only solution as of now is either to disable HTTPS in Facebook (it's not enabled by default, so you'll only be having these issues if you specifically turned it on) or to run Chrome without blocking insecure scripts, which isn't recommended but can be done by following the guide here: http://www.howtonew.com/insecure-script-has-been-blocked-disabling-chrome-warning
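To see which resources trigger this kind of block, the following added example (not code from this post or from Facebook) scans a page's HTML for subresources that would load over plain HTTP when the page itself is served over HTTPS. The hosts and the sample markup are constructed for illustration, and the names `find_mixed_content` and `MixedContentFinder` are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# URL-carrying attribute per tag. "Active" subresources can rewrite the page,
# so browsers block them over HTTP; "passive" ones are treated more leniently.
ACTIVE = {"script": "src", "link": "href", "iframe": "src"}
PASSIVE = {"img": "src", "audio": "src", "video": "src"}

class MixedContentFinder(HTMLParser):
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (kind, tag, absolute_url)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower().split():
            return  # only stylesheet links count as active content here
        for kind, table in (("active", ACTIVE), ("passive", PASSIVE)):
            url = a.get(table.get(tag, ""))
            if not url:
                continue
            # Resolve relative and protocol-relative URLs against the page first.
            absolute = urljoin(self.page_url, url.strip())
            if urlparse(absolute).scheme == "http":
                self.findings.append((kind, tag, absolute))

def find_mixed_content(page_url, markup):
    """Return HTTP subresources referenced by a page that is served over HTTPS."""
    if urlparse(page_url).scheme != "https":
        return []  # mixed content only exists on HTTPS pages
    finder = MixedContentFinder(page_url)
    finder.feed(markup)
    finder.close()
    return finder.findings

# Constructed sample page (hypothetical hosts), not Facebook's real markup.
SAMPLE_PAGE = """<html><head>
<link rel="stylesheet" href="http://static.example.test/base.css">
<link rel="icon" href="http://static.example.test/favicon.ico">
<script src="//cdn.example.test/app.js"></script>
<script src="http://widgets.example.test/like.js"></script>
</head><body>
<img src="http://img.example.test/logo.png">
<iframe src="/local/frame.html"></iframe>
</body></html>"""

if __name__ == "__main__":
    print(find_mixed_content("https://www.example.test/", SAMPLE_PAGE))
```

The protocol-relative script and the relative iframe inherit the page's HTTPS scheme, so only the three hard-coded `http://` references are reported.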

Tuesday, July 26, 2011

Authentix Vulnerabilities

While doing some work on an Authentix system, I discovered a few, very basic, JavaScript injection and cross-site scripting vulnerabilities. After finding these, I've done some research and it appears that these issues have been discovered and reported to the vendor previously (in previous versions) yet they still remain in the latest version of the software. The issue is mitigated slightly by the fact that the vulnerability occurs on an admin page, visible after login, but I wouldn't doubt that other areas of the site exhibit the same issues.

Authentix is a webpage protection tool that uses IIS and NT user names as a backend. You can read more about the product here: http://www.flicks.com/flicks/authx.htm. To me, it seems like a very antiquated tool, but apparently it is still used in production environments.

The vulnerability occurs within the remote administration webpage while editing user accounts. After logging in, browse to the delete user admin page at: https://server.site.com/scripts/aspadmin/deleteUserSelect.asp

This page allows you to enter the user name of the user you wish to delete.
When you click "delete user," the site appears to silently pass the parameter to the next page as shown here in the URL:
https://site.server.com/scripts/aspadmin/deleteUser.asp
And here on the webpage:
So this part got me thinking. After looking into the code a bit, the textbox where the name is originally entered is called "username." So suppose we pass that in via the URL rather than typing it in the box and clicking the button? Let's try it:
https://site.server.com/scripts/aspadmin/deleteUser.asp?username=johnny
Now this is why we have a problem. The webpage appears to just be displaying on the page whatever text was typed after "username=" in the URL. This is exactly how JavaScript injection and cross-site scripting start. So now let's try a new URL:

https://site.server.com/scripts/aspadmin/deleteUser.asp?username=';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>

(This code was taken from http://ha.ckers.org/xss.html which is a very nice XSS cheat-sheet).

This URL works nicely:

This works on several other pages as well, including some that are persistent. I have only tested to see whether a few other pages are vulnerable, but the entire site appears to be a bit outdated, especially from a design standpoint. I have emailed the company again (they have been contacted previously about this) and, if I receive a response, will include it here.
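The fix for this class of bug is to validate the parameter and encode it on output. The following is an added example in Python, not Authentix code and not code from this post: it models a page that echoes `username` as described above, next to a hardened version. It assumes the value is written into the HTML body, and the function names and the account-name allow-list are hypothetical.

```python
import html
import re
from urllib.parse import parse_qs, urlsplit

# Assumed allow-list for account names; adjust to the real naming rules.
USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

# Tail of the test string quoted in the post, used here as test input.
PROBE = r"""--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>"""

def username_from_url(url):
    """Return the raw 'username' query parameter as the server would receive it."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("username", [""])[0]

def render_vulnerable(username):
    # Behaviour described in the post: the parameter is echoed into the page as-is.
    return "<p>Delete user: " + username + "</p>"

def render_encoded(username):
    # Output encoding for an HTML body or quoted-attribute context. A value
    # written into a <script> block needs JavaScript string encoding instead.
    return "<p>Delete user: " + html.escape(username, quote=True) + "</p>"

def render_hardened(username):
    # Validate first, then encode anyway so that loosening the allow-list
    # later cannot turn the value back into markup.
    if not USERNAME_RE.fullmatch(username):
        return "<p>Invalid user name.</p>"
    return render_encoded(username)

if __name__ == "__main__":
    url = "https://site.server.com/scripts/aspadmin/deleteUser.asp?username=" + PROBE
    name = username_from_url(url)
    print(render_vulnerable(name))
    print(render_encoded(name))
    print(render_hardened(name))
    print(render_hardened("johnny"))
```

In classic ASP, the equivalent output-encoding call is `Server.HTMLEncode`.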

Monday, July 25, 2011

Quest for Random Data

While doing some database masking work, I came across the need to generate thousands of fake names, addresses, phone numbers, and additional personal information. Originally, I copied the top few thousand names from US census data and saved the results in a spreadsheet. However, I then stumbled upon a website that has been enormously helpful: http://www.fakenamegenerator.com

I thought I'd share this since finding randomly generated data in the exact format you need (with the right attributes) is often difficult.

Tuesday, July 19, 2011

Google+ Vs Facebook: Separate But Integrated Services


Since Google+ launched several weeks ago, it has been fairly universally praised, yet it has also been doubted and questioned extensively. Can Google+ compete with Facebook and its myriad of over 700 million users (and growing)? Many have wondered if Google, an algorithmic company at its core, has the talent and engineering skills to produce a product that is used in a very different way than traditional search. Although I believe that Google+ will have a slow start, I also feel that the product will ultimately become not only a viable alternative to Facebook, but a better one. There is one major advantage that Google has over Facebook: separate, yet tightly integrated services.

For years, Google has been slowly moving our lives to the cloud. Gmail, although not the top email service, is used and loved by millions of people around the globe. Next, our calendars became available online, easily synced to any computer or device. Google Docs now stores and provides access to almost any file type imaginable without ever leaving the browser. Google Pictures (Picasa), YouTube, Reader, Tasks, Maps, the list goes on. Ultimately, these are separate, yet tightly integrated services. If you need directions, you access Google Maps; events take us to Google Calendar; email to Gmail. Yet within all of these services, although they appear to be distinct and separate, there is an element of connectivity. For example, Google Calendar integrates well with Gmail: we can send and receive invites seamlessly and access our contacts. The same goes for Google Docs.

You may be wondering what this has to do with Google+ or Facebook. My point is that the average user wants separate but integrated services. They want to be able to access their email without seeing their documents; they want to plan a trip without seeing YouTube videos. This is where Facebook falls short. Even with only a few "clones" of Google products, Facebook is starting to become crowded - a fact that many users are now complaining about. Facebook Messages, Events, Groups, Video Chat, regular chat, group chat, fan pages, and many other apps and services are slowly crowding a News Feed that was once a stream of updates from friends. There's only so many features that can fit on a single page and Facebook seems to be running out of white space. Google, although it has probably ten times more services than Facebook, does not feel crowded at all. All of Google's products are separated out into distinct web applications rather than crammed onto the same page. As I mentioned: separate but integrated services.

Now let's take into account social. For Facebook, social means having a base social platform and adding services to it. For Google, social means taking a base set of services and adding social to them. This is a key difference that I believe will ultimately benefit Google. If users can access their notification bar on every Google product (something Google is beginning to do already), social is not only more easily accessible, it is practically jumping out at users. Facebook has limited reach in these terms. Yes, they can have their own notifications as text messages or emails, but you will never see Facebook notifications as you surf the web, plan events on your calendar, or type documents in the cloud. Google already has these products, now it just needs to tightly integrate social into them just like they've integrated their existing products already.

So why do I think Google+ will have a slow start? For many users, moving to a new platform is a big change. The current dilemma facing Google+ seems to be the lack of users (although they are purposefully limiting it). It's a catch-22 of "I won't join until my friends join" and vice versa. However, Google, with its multitude of products, can really begin to make not joining Google+ feel like missing out. When the notification bar is always a click away, I think it will become more and more tempting for non-users to give in and sign up. Google can have retention through integration. For Facebook, retention means keeping users on Facebook.com and nowhere else; for Google, retention is becoming synonymous with opening a web browser.

VBA Script to Lookup Values and Return Result

This is a quick VBA script that I wrote after searching for a few hours online. I am posting it in case someone in the same dilemma I was in needs the same script. Basically, the script is for looking up values in another worksheet based on a current value. In this example, I am taking a user account name from the first sheet and then looking up the last time that he or she logged in using the second sheet (which contains thousands of entries listing all logins). I want to grab the last occurrence of the login (most recent).

To begin, I will declare the variables:


Dim userId As String
Dim found As Range
Dim theDate As String
Dim i As Long


Next, I am going to loop through all of the cells that I want. In my example, I have 1730 user names to look up (you can see why I wrote a script). First, it assigns the user name from the first sheet to the "userId" variable. Next, it searches through the "Logins" sheet backwards by matching the user ids (since this sheet is ordered by login date and we want the most recent). If it finds a match, it stores the matching cell in the range "found." If found is empty, it writes in the original cell that the last login date was never. If found is populated (a match was found) then it assigns the date stored in the field to the variable "theDate." Finally, it writes the value of theDate into the original sheet in Cells(i,3), meaning the 3rd column of the i-th row.


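For i = 1 To 1730
  ' User name to look up, taken from column A of the active sheet
  userId = Cells(i, 1).Value
  ' Search column B of "Logins" backwards; starting after B1 wraps to the last row first
  Set found = Sheets("Logins").Columns(2).Cells.Find(What:=userId, _
    After:=Sheets("Logins").Range("B1"), LookAt:=xlWhole, _
    SearchOrder:=xlByRows, SearchDirection:=xlPrevious)
  If found Is Nothing Then
    Cells(i, 3).Value = "Never"
  Else
    ' Column A of the matching "Logins" row holds the login date
    theDate = Sheets("Logins").Cells(found.Row, 1).Value
    Cells(i, 3).Value = theDate
  End If
Next i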