If you have been in the security space for any stretch of time you have undoubtedly run across the Common Vulnerability Scoring System (CVSS). CVSS attempts to provide an “objective” way to calculate a measure of risk associated with a given vulnerability based on a number of criteria the security community has deemed worthwhile. While I admire the goals of such a scoring system, in practice I think it falls short, and over-complicates the issue of assigning risk to vulnerabilities. You can read my full write-up on the topic here.
Ambiguous RFC Leads to Cross Site Scripting
Over the years I have noticed that IE exhibits some strange behavior with regard to how it does or does not URL encode certain characters within an HTTP GET/POST request. Nearly every browser in existence encodes the ", <, and > characters, while IE doesn't. This doesn't tend to matter, except for when it does. When a query string is used to directly create a URL, one must be aware that IE does not automatically encode ", <, and >. At first I thought this was Microsoft not following the RFC, but it turns out it is probably just a poorly worded RFC. You can read my full write-up on the topic here.
Keychain Dumper Updated for iOS 5
I updated Keychain Dumper to support iOS 5.
Updated iPhone Keychain Dumper
I updated Keychain Dumper to decrypt additional content within the iOS Keychain.
“Secure by Default” Doesn’t Seem to Be ColdFusion’s Motto
Adobe doesn't have the best reputation when it comes to security (e.g. Flash). Well, that reputation seems to go beyond Flash, as I have had occasion recently to review several ColdFusion based applications. As much as ColdFusion eases the development of web applications for developers, it is doing them a disservice when it comes to publishing a "secure by default" platform. Abstracting security details away from developers can be a great thing, but not when the abstractions themselves are insecure.
“Researchers Steal iPhone Passwords in 6 Minutes”…true…but Not the Whole Story
There was a ton of FUD being tossed around when some research from the Fraunhofer Institute was released to the press. After reading their research paper I think the press went a bit hyperbolic (big surprise). Anyway, you can check out my analysis and associated tool that replicates/validates my assumptions about Fraunhofer’s research.
How NOT to Build Your Client-server Security Architecture
It is funny how true the quote "Those who cannot remember the past are condemned to repeat it" is. There was a time when many developers were developing client-server thick clients, as browsers were still nascent and/or didn't exist. Many, though I hesitate to say most, even learned some design idioms related to securing client-server apps. We then moved on to the world of web applications, which themselves are a similar client-server architecture. But I think enough time has passed that many who grew up in the world of web based client-server applications are bound to repeat the mistakes of old when it comes to developing thick clients. I can't recall the last time I assessed a thick client application that didn't suffer from some egregious design flaw that would never have been considered had it been a web based application. Take a look at my latest blog post for the specifics.
Even if You Don't Invent Your Own Crypto… It's Still Hard
I can't seem to grow bored with anything crypto related, as it demonstrates time and time again what is so hard about security… it is just so hard to get right. Check out my post on some crypto I came across during a recent application assessment.
ViewStateViewer: A GUI Tool for Deserializing/Reserializing ViewState
I have been using Fiddler a fair amount and was annoyed that there was no way to decode/encode ViewState. I wrote a Fiddler plugin that largely works, though there are a few gotchas. You can read up on it here.