Thursday, May 28, 2009

Web Application Security Trends Q3-Q4 2008

The "Web Application Security Trends Q3-Q4 2008" report has been published. I guess there are a lot of interesting findings in this report, and I'm sharing here what I see as the most important ones.

1- SQL injection regained first position over XSS

2- As expected, more and more hackers are joining the club

3- IE and FF are gaining almost the same attention

4- CSRF is gaining more attention every day

5- More importantly, CSRF was usually exploited by whitehats for demonstrations; Q3-Q4 2008 is the first time blackhats have used it. So I guess more attention should be paid to it now.

If you have any comments about this report, please share them with me in the comments area.

Tuesday, May 19, 2009

Yahoo Groups Voting Vulnerability

I found a very interesting security bug in the Yahoo Groups voting system; exploiting this bug leads to complete control of the voting result.

You can watch the video to see how I made 4 polls (they could be more) using a single account.


Video: Yahoo Groups Voting Bug (http://video.msn.com/video.aspx?vid=cf581209-ad25-4920-821f-0a11bf849cf4)

Bug Demonstration
It's clear that the voting system differentiates between users by examining the email address that is associated with the group. Since you can add an unlimited number of email addresses to a single Yahoo ID, and the group settings allow you to switch between these addresses, you can simply add your vote, change the associated email, and then vote again as a new voter. You can keep repeating this until you fully manipulate the voting results to the outcome of your choice.

Simple steps to reproduce this security bug
1- Go to the poll of your choice
2- Select your candidate from the choices
3- Click "Edit Membership"
4- Under "Email Address" click "Add new email address" and verify it
5- Keep repeating step 4 until you have added a sufficient number of email addresses
6- Now choose any of them as your default associated email
7- Go to the poll again and, congratulations, you can add your vote as if it's your first time adding it
8- Keep changing the associated email address until your candidate among the vote options wins :)

Conclusion
It's very clear that this bug is a security logic vulnerability and hence no static code analysis tool is able to find it (never depend on static code analysis tools only).
Although it's very easy to exploit this vulnerability (I didn't write scripts, didn't run automated scans or use any complex method to exploit this vulnerability), the impact of the vulnerability is very high (maybe all the votes that were created before were manipulated).
There could be more vulnerabilities in Yahoo Groups that I didn't investigate, if other features also depend on the associated email.
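
The logic flaw described above, modelled as an added example (this is not Yahoo's code, and it is not from the original post): the same poll deduplicates ballots either by the member's currently selected email address or by the stable account ID, and an audit helper maps an email-keyed poll's ballots back to their owning accounts. All class, function and field names and the sample addresses are hypothetical.

```python
# Added illustration, not Yahoo's code. All names and data are hypothetical.
from collections import Counter


class Poll:
    """Poll that rejects a second ballot from the same voter key."""

    def __init__(self, key_on):
        self.key_on = key_on          # "active_email" (flawed) or "account_id" (fixed)
        self.ballots = {}             # voter key -> choice

    def vote(self, member, choice):
        key = member[self.key_on]
        if key in self.ballots:
            return False              # duplicate rejected
        self.ballots[key] = choice
        return True


def run_one_account(key_on, emails):
    """Vote once per verified address from a single account; return the poll."""
    member = {"account_id": "member-1", "active_email": emails[0]}
    poll = Poll(key_on)
    for email in emails:
        member["active_email"] = email    # the "Edit Membership" email switch
        poll.vote(member, "option-a")
    return poll


def audit_email_keyed(ballots, email_owner):
    """Cleanup check for an existing email-keyed poll: map each ballot back to
    the owning account and report accounts that hold more than one ballot."""
    per_account = Counter(email_owner[email] for email in ballots)
    return {acct: n for acct, n in per_account.items() if n > 1}


# Constructed sample data: four verified addresses on one account.
EMAILS = ["a@example.test", "b@example.test", "c@example.test", "d@example.test"]
OWNER = {e: "member-1" for e in EMAILS}

if __name__ == "__main__":
    flawed = run_one_account("active_email", EMAILS)
    fixed = run_one_account("account_id", EMAILS)
    print("ballots counted:", len(flawed.ballots), "vs", len(fixed.ballots))
    print("accounts with multiple ballots:", audit_email_keyed(flawed.ballots, OWNER))
```

Keying the uniqueness check on an attribute the user can change is what makes the duplicate test pass every time; the audit function shows how results recorded under the flawed key can be re-checked once ballots are tied back to accounts.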

Keep checking this blog as I decided to publish more and more security vulnerabilities at major websites, since they never fix their issues unless you fully disclose their bugs :)