Pages

Labels

fery andarana. Diberdayakan oleh Blogger.

Kamis, 24 November 2011

Preventing JavaScript Injection Attacks "Mencegah Serangan Injeksi JavaScript" 2011 post me

Preventing JavaScript Injection Attacks "Mencegah Serangan Injeksi JavaScript"



The goal of this tutorial is to explain how you can prevent JavaScript injection attacks in your ASP.NET MVC applications. This tutorial discusses two approaches to defending your website against a JavaScript injection attack. You learn how to prevent JavaScript injection attacks by encoding the data that you display. You also learn how to prevent JavaScript injection attacks by encoding the data that you accept.

What is a JavaScript Injection Attack?

Whenever you accept user input and redisplay the user input, you open your website to JavaScript injection attacks. Let�s examine a concrete application that is open to JavaScript injection attacks.
Imagine that you have created a customer feedback website (see Figure 1). Customers can visit the website and enter feedback on their experience using your products. When a customer submits their feedback, the feedback is redisplayed on the feedback page.
Figure 01: Customer Feedback Website (Click to view full-size image)
The customer feedback website uses the controller in Listing 1. This controllercontains two actions named Index() and Create().
Listing 1 � HomeController.vb
Public Class HomeController
Inherits System.Web.Mvc.Controller

Private db As New FeedbackDataContext()

Function Index()
Return View(db.Feedbacks)
End Function

Function Create(ByVal message As String)
' Add feedback
Dim newFeedback As New Feedback()
newFeedback.Message = Server.HtmlEncode(message)

newFeedback.EntryDate = DateTime.Now
db.Feedbacks.InsertOnSubmit(newFeedback)
db.SubmitChanges()

' Redirect
Return RedirectToAction("Index")
End Function

End Class
The Index() method displays the Index view. This method passes all of the previous customer feedback to the Index view by retrieving the feedback from the database (using a LINQ to SQL query).
The Create() method creates a new Feedback item and adds it to the database. The message that the customer enters in the form is passed to the Create() method in the message parameter. A Feedback item is created and the message is assigned to the Feedback item�s Message property. The Feedback item is submitted to the database with the DataContext.SubmitChanges() method call. Finally, the visitor is redirected back to the Index view where all of the feedback is displayed.
The Index view is contained in Listing 2.
Listing 2 � Index.aspx
<%@ Page Language="VB" MasterPageFile=
"/Views/Shared/Site.Master" AutoEventWireup="false" CodeBehind="Index.aspx.vb"
Inherits="CustomerFeedback.Index"%>

<asp:Content ID="indexContent" ContentPlaceHolderID="MainContent" runat="server">
<h1>Customer Feedback</h1>

<p>
Please use the following form to enter feedback about our product.
</p>
<form method="post" action="/Home/Create">
<label for="message">Message:</label>

<br />

<textarea name="message" cols="50" rows="2"></textarea>
<br /><br />
<input type="submit" value="Submit Feedback" />
</form>

<% For Each feedback As CustomerFeedback.Feedback In ViewData.Model%>

<p>

<%=feedback.EntryDate.ToShortTimeString()%>
--
<%=feedback.Message%>
</p>
<% Next %>

</asp:Content>
The Index view has two sections. The top section contains the actual customer feedback form. The bottom section contains a For..Each loop that loops through all of the previous customer feedback items and displays the EntryDate and Message properties for each feedback item.
The customer feedback website is a simple website. Unfortunately, the website is open to JavaScript injection attacks.
Imagine that you enter the following text into the customer feedback form:
<script>alert(�Boo!�)</script>
This text represents a JavaScript script that displays an alert message box. After someone submits this script into the feedback form, the message Boo! will appear whenever anyone visits the customer feedback website in the future (see Figure 2).
Figure 02: JavaScript Injection (Click to view full-size image)
Now, your initial response to JavaScript injection attacks might be apathy. You might think that JavaScript injection attacks are simply a type of defacement attack. You might believe that no one can do anything truly evil by committing a JavaScript injection attack.
Unfortunately, a hacker can do some really, really evil things by injecting JavaScript into a website. You can use a JavaScript injection attack to perform a Cross-Site Scripting (XSS) attack. In a Cross-Site Scripting attack, you steal confidential user information and send the information to another website.
For example, a hacker can use a JavaScript injection attack to steal the values of browser cookies from other users. If sensitive information � such as passwords, credit card numbers, or social security numbers � is stored in the browser cookies, then a hacker can use a JavaScript injection attack to steal this information. Or, if a user enters sensitive information in a form field contained in a page that has been compromised with a JavaScript attack, then the hacker can use the injected JavaScript to grab the form data and send it to another website.
Please be scared. Take JavaScript injection attacks seriously and protect your user�s confidential information. In the next two sections, we discuss two techniques that you can use to defend your ASP.NET MVC applications from JavaScript injection attacks.

Approach #1: HTML Encode in the View

One easy method of preventing JavaScript injection attacks is to HTML encode any data entered by website users when you redisplay the data in a view. The updatedIndex view in Listing 3 follows this approach.
Listing 3 � Index.aspx (HTML Encoded)
<%@ Page Language="VB" MasterPageFile="/Views/Shared/Site.Master"
AutoEventWireup="false" CodeBehind="Index.aspx.vb" Inherits="CustomerFeedback.Index"%>

<asp:Content ID="indexContent" ContentPlaceHolderID="MainContent" runat="server">
<h1>Customer Feedback</h1>

<p>

Please use the following form to enter feedback about our product.
</p>

<form method="post" action="/Home/Create">
<label for="message">Message:</label>
<br />
<textarea name="message" cols="50" rows="2"></textarea>

<br /><br />
<input type="submit" value="Submit Feedback" />
</form>

<% For Each feedback As CustomerFeedback.Feedback In ViewData.Model%>
<p>

<%=feedback.EntryDate.ToShortTimeString()%>
--
<%=Html.Encode(feedback.Message)%>

</p>
<% Next %>

</asp:Content>
Notice that the value of feedback.Message is HTML encoded before the value is displayed with the following code:
<%=Html.Encode(feedback.Message)%>
What does it mean to HTML encode a string? When you HTML encode a string, dangerous characters such as < and > are replaced by HTML entity references such as &lt; and &gt;. So when the string <script>alert("Boo!")</script> is HTML encoded, it gets converted to&lt;script&gt;alert(&quot;Boo!&quot;)&lt;/script&gt;. The encoded string no longer executes as a JavaScript script when interpreted by a browser. Instead, you get the harmless page in Figure 3.
Figure 03: Defeated JavaScript Attack (Click to view full-size image)
Notice that in the Index view in Listing 3 only the value of feedback.Message is encoded. The value of feedback.EntryDate is not encoded. You only need to encode data entered by a user. Because the value of EntryDate was generated in the controller, you don�t need to HTML encode this value.

Approach #2: HTML Encode in the Controller

Instead of HTML encoding data when you display the data in a view, you can HTML encode the data just before you submit the data to the database. This second approach is taken in the case of the controller in Listing 4.
Listing 4 � HomeController.cs (HTML Encoded)
Public Class HomeController
Inherits System.Web.Mvc.Controller

Private db As New FeedbackDataContext()

Function Index()
Return View(db.Feedbacks)
End Function

Function Create(ByVal message As String)
' Add feedback
Dim newFeedback As New Feedback()
newFeedback.Message = Server.HtmlEncode(message)
newFeedback.EntryDate = DateTime.Now
db.Feedbacks.InsertOnSubmit(newFeedback)
db.SubmitChanges()

' Redirect
Return RedirectToAction("Index")
End Function

End Class
Notice that the value of Message is HTML encoded before the value is submitted to the database within the Create() action. When the Message is redisplayed in the view, the Message is HTML encoded and any JavaScript injected in the Message is not executed.
Typically, you should favor the first approach discussed in this tutorial over this second approach. The problem with this second approach is that you end up with HTML encoded data in your database. In other words, your database data is dirtied with funny looking characters.
Why is this bad? If you ever need to display the database data in something other than a web page, then you will have problems. For example, you can no longer easily display the data in a Windows Forms application.

by Rafi Aldiansyah Asikin
Jika ingin mengcopy artikel ini sertakan alamat blog ini
Terima Kasih

Rabu, 23 November 2011

Bug perangkat lunak Microsoft terkait dengan virus "Duqu" .,, Bug perangkat lunak Microsoft terkait dengan virus "Duqu"


Bug perangkat lunak Microsoft terkait dengan virus "Duqu" .,, Bug perangkat lunak Microsoft terkait dengan virus "Duqu"





Microsoft Corp mengatakan hacker mengeksploitasi bug yang sebelumnya tidak dikenaldalam sistem operasi Windows untuk menginfeksi komputer dengan virus Duqu, yangbeberapa ahli keamanan mengatakan bisa menjadi ancaman cyber besar berikutnya.



"Kami sedang bekerja keras untuk mengatasi masalah ini dan akan merilis updatekeamanan untuk pelanggan," kata Microsoft pada Selasa dalam sebuah pernyataansingkat.


Berita Duqu muncul pada bulan Oktober ketika keamanan Symantec Corp pembuat perangkat lunak mengatakan telah menemukan sebuah virus komputer misterius yang berisi kode yang mirip dengan Stuxnet, sebuah software berbahaya diyakini telahmendatangkan malapetaka pada program nuklir Iran.


Pemerintah dan swasta peneliti di seluruh dunia berlomba untuk membuka rahasia Duqu,dengan analisis awal menunjukkan bahwa itu dikembangkan oleh hacker canggih untukmembantu meletakkan dasar untuk serangan pada infrastruktur penting sepertipembangkit listrik, kilang minyak dan pipa.


Rincian tentang bagaimana Duqu naik ke mesin yang terinfeksi muncul untuk pertama kalinya pada Selasa, karena Microsoft diungkapkan link ke infeksi.


Secara terpisah, peneliti Symantec mengatakan mereka percaya hacker mengirim virus ke korban yang ditargetkan melalui email dengan dokumen Word Microsoft tercemarterpasang.


Jika penerima membuka dokumen Word dan terinfeksi PC, penyerang bisa mengambil alih kendali mesin dan mencapai ke dalam jaringan organisasi untuk menyebarkan dirinya sendiri dan berburu untuk data, Symantec peneliti Kevin Haley kepada Reuters.


Dia mengatakan beberapa kode sumber yang digunakan dalam Duqu juga digunakan dalam Stuxnet, senjata cyber yang diyakini telah melumpuhkan sentrifugal bahwa Irandigunakan untuk memperkaya uranium.


Itu menunjukkan bahwa para penyerang balik Stuxnet baik memberi kode bahwa untukpara pengembang Duqu, memungkinkan untuk dicuri, atau orang yang sama yang membangun Duqu, kata Haley.


"Kami percaya itu adalah yang terakhir," katanya.


Posting by Rafi Aldiansyah Asikin
JIka ingin mngecopy artikel ini sertakan alamat blog ini

Terima Kasih

Kamis, 17 November 2011

Department of Defence, NASA, Pentagon and NSA have been hacked by hacker named Sl1nk


Department of Defence, NASA, Pentagon and NSA have been hacked by hacker named Sl1nk



The United States of America, Department of Defence (DoD).
Department of the Navy, the PentagonNASA and the National Security Agency(NSA)



All these security agencies are thought to have the best ever security put into place against hacker attacks...yet one claims to have hacked into them !!!


Hacker Pseudoname: Sl1nk
Organisation: Unknown
Reputation: Unknown

This guys claims to have done some quite interesting and unbelievable things..things that would mean that the security holes in these above mentioned agencies are countless..
Is that because they wanted to adopt cloud computing, we'll see that later.

Maybe what this hacker 'sl1nk' is claiming to have done is completely false..but the information he provided seems so precise that it becomes difficult to ignore them. There is a set of documents he presented as proof and which are available to view at the end of this post. For now take a look at the tricks he says he managed to pull:
  1. SSH access to a Network of 140 machine's layer 1 to 3 in the Pentagon
  2. Access to APACS (automated personell air clearance system) 
  3. Thousand's of documents ranging from seizure of a vehicle up to private encryption key request forms.
  4. Database of all usernames/passwords of Webmail of Nasa.
  5. Access to ASSIST (Database for Military Specifications and Military Standards)
  6. Data Transformation Corporation's FAA Sponsored DUAT Service
  7. Access to Government Gateway at http://www.gateway.gov.uk/
  8. Access to applicationmanager.gov
  9. Login access to HM Revenue & Customs (HMRC)
  10. Login to Central Data Exchange | US EPA
As you can see, he (sl1nk) claims to have SSH access to many boxes, a list is given below :-

Pentagon, Nasa, Navy, NSAArea 54Department of the Navy, Space and Naval Warfare System Command
64.224.0.11207.60.16.0 - 207.60.16.255205.0.0.0 - 205.117.255.0 
IP=64.224.0.5





64.70.0.2,





64.70.1.15





64.70.2.53





64.70.2.95





131.182.3.72





153.31.1.195





64.70.2.16





128.149.2.1





64.224.0.9 and lots more







 He also presented some account credentials that suppozedly THN Team verified and documents originating from the Department of Defence (DoD).

https://assist.daps.dla.mil/ 
User: COM502571
Pass: C*************g@@
--------------------------------------------
http://www.duat.com 
system access code: 0016***9
password: F*****1
--------------------------------------------
http://www.gateway.gov.uk/ 
Agent Name: Corie Lee
User ID: 1152****652
Pass: **************
--------------------------------------------
https://online.hmrc.gov.uk/account 
Your User ID is: 437067167597
Password: cl**********3d
--------------------------------------------
https://applicationmanager.gov/
User: administratorbackup
Pass: fu********l@
--------------------------------------------
https://cdxnode64.epa.gov 
User: JCrimson
Pass: M*********0n
--------------------------------------------
https://pecos.cms.hhs.gov/pecos/login.do 
User: Adminbackup
Pass: g*********7
 














Nice proofs and for sure would make people believe that these agencies have security flaws..but to what extent is it true ?

Was it because they moved to cloud computing...but why our defense and intelligence agencies are moving so quickly to adopt cloud computing ?
The answer is cost savings and higher efficiency but the most important aspect is is grounded squarely in our DoD's need exploit information faster than its adversaries.
Cloud computing is unique in its ability to address critical defense and intelligence mission needs.  That�s why cloud computing is critical to national defense.
The main concerns surrounding Cloud Computing Security are:
Data security, privacy and integrity
Intrusion detection and prevention

Security concerns about Cloud Computing are nothing new
Security experts find flaws in cloud computing
Demonstrations of new ways to attack corporate data stored with the increasingly popular �cloud� services have added to concerns about the technology.
Security researchers at the Black Hat USA security conference in Las Vegas showed how users of Amazon�s Elastic Compute Cloud (EC2) services were tricked into using virtual machines that could have included �back doors� for snooping.