You Can’t Log Out of Pinterest or Instagram – Django Web Framework Security Weakness

The Django Web application framework, made to help you build websites fast, offers a session storage mechanism (the cookie-based session backend) that does not allow a visitor to fully terminate their session when they log out. Though it is not Django’s default storage mechanism, as it is in Ruby on Rails, it is an available option. I found that at least Pinterest and Instagram use this vulnerable option to handle sessions on their websites, and I demonstrate what the issue looks like to a normal Web user in my video:

Pinterest.com and Instagram.com both suffer from WASC-47 (Insufficient Session Expiration), OWASP Top Ten A2, and CWE-613. The situation is especially bad given the lack of SSL protecting the transport of the permanent session cookie/token between their servers and your browser.

To identify additional high-profile Django-based websites that might use the vulnerable cookie-based session storage mechanism, here is a starting point: http://stackoverflow.com/questions/1906795/what-are-some-famous-websites-built-in-django

Happy hacking! Contact me with questions.


How to Verify the Rails CookieStore Session Termination Weakness

“I want to try it out myself,” you say.

Here is a video explanation using Kickstarter.com as an example:


And here are the steps you take to verify the weakness yourself, using Kickstarter.com as well as other websites you suspect are using Rails’ CookieStore (such as those on this list):

  1. Install a Chrome plugin such as Edit This Cookie to make viewing and editing cookies easier.
  2. Go to a site such as Kickstarter.com (no SSL!) or one you suspect is using Rails’ CookieStore.
  3. Find a cookie whose value starts with “BAh7”. That’s a good indicator of a Ruby on Rails CookieStore-based website before version 4.0 of Rails, or one that doesn’t encrypt its CookieStore values. The session cookie’s value starts with “BAh7”, then the separator “--”, then a hash digest.
  4. Open Edit This Cookie using the little icon in the top right of your browser. Find the cookie whose value starts with “BAh7” and take note of the cookie’s name. In the case of Kickstarter.com it’s “_ksr_session”. Copy the entire cookie data (“BAh7…”).
     (Screenshot, 2013-11-24.)
  5. Log out of the website.
  6. Open Edit This Cookie and overwrite the session cookie’s current value (“_ksr_session” in this case) with the data you copied previously.
  7. Go to the website. You should be logged in again!
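The mechanism behind both the Django post above and these Kickstarter steps is the same, so here is one added example in Python that is not the page’s code and not Django’s or Rails’ implementation: a minimal HMAC-signed cookie session store next to a server-side store that hands the browser only an opaque ID. The secret, session contents and function names are constructed for the demo. Replaying a copy of the cookie after “logout” keeps working against the cookie store, because logout only asks the browser to discard the cookie; against the server-side store the record is gone.

```python
import base64
import hashlib
import hmac
import json
import secrets

SECRET = b"constructed-demo-secret"  # placeholder key for the demo only


# --- Client-side store (the Rails CookieStore / Django signed-cookie model):
# --- the whole session rides in the cookie, protected only by a MAC.
def cookie_store_create(data):
    payload = base64.urlsafe_b64encode(json.dumps(data).encode()).decode()
    digest = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}--{digest}"


def cookie_store_load(cookie):
    """Return the session dict if the MAC verifies, else None."""
    payload, _, digest = cookie.rpartition("--")
    expected = hmac.new(SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(digest, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(payload))


def cookie_store_logout(cookie):
    """All the server can do is tell the browser to drop the cookie
    (Set-Cookie: session=; Max-Age=0). Nothing server-side changes."""
    return ""


# --- Server-side store: the cookie is an opaque ID; logout deletes the record.
class ServerSessionStore:
    def __init__(self):
        self._sessions = {}

    def create(self, data):
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = dict(data)
        return sid

    def load(self, sid):
        return self._sessions.get(sid)

    def logout(self, sid):
        self._sessions.pop(sid, None)
        return ""


def replay_after_logout_cookie_store():
    """What the video shows: copy the cookie, log out, paste it back."""
    cookie = cookie_store_create({"user_id": 42})
    saved_copy = cookie
    cookie_store_logout(cookie)
    return cookie_store_load(saved_copy)  # still the live session


def replay_after_logout_server_store():
    store = ServerSessionStore()
    sid = store.create({"user_id": 42})
    saved_copy = sid
    store.logout(sid)
    return store.load(saved_copy)  # None: the session really ended


def tampered_cookie_rejected():
    """The MAC stops editing, not replay: swap in another payload and it fails."""
    genuine = cookie_store_create({"user_id": 42})
    other_payload = cookie_store_create({"user_id": 1}).rpartition("--")[0]
    forged = other_payload + "--" + genuine.rpartition("--")[2]
    return cookie_store_load(forged) is None


if __name__ == "__main__":
    print("cookie store after logout:", replay_after_logout_cookie_store())
    print("server store after logout:", replay_after_logout_server_store())
    print("tampered cookie rejected:", tampered_cookie_rejected())
```

The point the third function makes is that a signature (or, in Rails 4, encryption) protects the integrity and confidentiality of the cookie but has no bearing on its lifetime; only state the server controls, a stored session ID or a revocation list, lets logout actually invalidate a copied token.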

List of websites using Ruby on Rails’ CookieStore for session management

When bringing attention to the session termination security issue present with Ruby on Rails’ CookieStore and Django’s cookie-based session storage mechanism, one of the common questions I get is “Who is using it?”

Well, I did some digging and have the following list of 1,897 websites for your review. These are Rails sites only (before version 4.0, and not including Rails sites that encrypt their cookie values). This is not an exhaustive list, and there is future work to be done in detecting remotely the use of Rails’ CookieStore with encrypted values as well as the presence of Django’s cookie-based storage mechanism.

This Insufficient Session Expiration weakness (WASC-47) is pretty common, I found, and it is especially bad when the site does not use SSL. Many of the websites and tools we use store the session hash on the client side, including the applications Redmine, Zendesk, and Spiceworks.

If you don’t have access to the app’s source code, you may be able to figure out whether the site you are visiting is using Rails’ CookieStore (before version 4.0, since 4.0 encrypts its cookie values) by checking for the string “BAh7” at the beginning of the value of any of the cookies. A SHODAN search will reveal tens of thousands of these apps: www.shodanhq.com/search?q=BAh7*
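The “BAh7” check is exactly the kind of thing an application security team can run against its own Set-Cookie headers, so here is an added example in Python (not the page’s code and not a Rails component) that does it properly: it URL-decodes the cookie value, confirms the Base64 part decodes to a Marshal stream starting with the Hash marker (which is what “BAh7” literally encodes: the bytes 0x04 0x08 followed by “{”), and checks for the “--digest” suffix. The sample headers are constructed for the demo, and the 40-hex-character digest length assumes the SHA-1 default of pre-4.0 Rails.

```python
import base64
import binascii
import re
from urllib.parse import quote, unquote

# Pre-4.0 Rails CookieStore layout: Base64(Marshal.dump(hash)) + "--" + HMAC hex digest.
RAILS_COOKIE = re.compile(r"^(?P<data>BAh7[A-Za-z0-9+/]*={0,2})--(?P<digest>[0-9a-f]{40})$")
MARSHAL_HASH_PREFIX = b"\x04\x08{"   # Marshal 4.8 header, then '{' for a Hash

# Constructed Set-Cookie headers, not captured from any real site.
_marshal_blob = MARSHAL_HASH_PREFIX + b"\x06I\"\x0fsession_id\x06:\x06ETI\"\x08abc\x06;\x00T"
_fake_digest = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_HEADERS = [
    "Set-Cookie: _app_session="
    + quote(base64.b64encode(_marshal_blob).decode() + "--" + _fake_digest)
    + "; path=/; HttpOnly",
    "Set-Cookie: sessionid=8d6f1a0b2c3e4f5a6b7c8d9e0f1a2b3c; path=/; secure; HttpOnly",
    "Set-Cookie: _short=BAh7; path=/",   # prefix only, no digest: not a CookieStore value
]


def parse_set_cookie(header):
    """Split 'Set-Cookie: name=value; attr; attr' into (name, decoded value, attrs)."""
    _, _, body = header.partition(":")
    parts = [p.strip() for p in body.split(";")]
    name, _, value = parts[0].partition("=")
    return name.strip(), unquote(value), [a.lower() for a in parts[1:] if a]


def is_marshal_hash(b64_text):
    """True if the Base64 text decodes to a Marshal 4.8 stream holding a Hash."""
    try:
        raw = base64.b64decode(b64_text, validate=True)
    except (binascii.Error, ValueError):
        return False
    return raw.startswith(MARSHAL_HASH_PREFIX)


def check_cookies(headers):
    """Report each cookie that looks like an unencrypted Rails CookieStore session,
    noting whether it is at least marked Secure and HttpOnly."""
    findings = []
    for header in headers:
        name, value, attrs = parse_set_cookie(header)
        match = RAILS_COOKIE.match(value)
        if match and is_marshal_hash(match.group("data")):
            findings.append({
                "cookie": name,
                "secure": "secure" in attrs,
                "httponly": "httponly" in attrs,
            })
    return findings


if __name__ == "__main__":
    for finding in check_cookies(SAMPLE_HEADERS):
        print(finding)
```

A hit with `secure: False` is the combination the post calls especially bad: the entire session, readable and replayable, travels in the clear. Rails 4.0’s encrypted store and Django’s database or cache backends both remove the “BAh7” signature from the wire, which is why this check only finds the older, unencrypted deployments.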

Contact me if you are on the development team of any of the following websites and need help switching.



Injecting yourself into email threads without an invitation #partycrashing

You probably trust that emails within a thread belong together, right?

Injecting yourself into Gmail threads is like rudely butting into a conversation at a cocktail party. Here we’ll go over how, with two pieces of data, you can inject yourself into the existing email thread of a target person. While not earth-shattering information, this technique can perhaps be leveraged for social engineering, during a penetration test, or while on a phishing expedition.

You need to know the subject line and Message-ID of an email in the thread that you want to inject yourself into. Armed with these two, you can join in the threaded conversation from the outside, and a rushed or unobservant office worker may not notice that you do not belong in that conversation. The subject line is what you’re accustomed to setting when you write an email. As it turns out, you can even get away with similar subject lines in Gmail: “test” and “Re: test” will both work in this case. Apparently there is some leeway here, and other variants work as well. The Message-ID is a globally unique identifier of the message; it is part of the email header, is typically not visible to the user, and is automatically generated by the mail system of the domain where the email originated. For Gmail, that would be within the “mail.gmail.com” domain.

Obtain (by whatever means) the Message-ID of an existing message in the target thread, and place it into both the “In-Reply-To” and “References” fields of the header of an email that you will craft specially. For more information about the purpose of these two fields, read the full RFC here: http://tools.ietf.org/html/rfc2822.

Now, I do not believe that you can edit email headers through Gmail’s Web interface or through a client such as Thunderbird, but here is a Python script that you can use to send email through a Gmail account you control to your target. This script has been configured for Gmail but can be modified to use other SMTP servers if you wish.

# Python 3 (email.mime.* modules); the original targeted Python 2's email.MIME* modules.
import os
import smtplib
import mimetypes
import email
from email.mime.multipart import MIMEMultipart
from email.mime.base import MIMEBase
from email.mime.text import MIMEText
from email.mime.audio import MIMEAudio
from email.mime.image import MIMEImage
from email.encoders import encode_base64


def sendMail(yourEmail, yourPassword, subjectLine, bodyText,
             targetEmail, messageID, *attachmentFilePaths):
    gmailUser = yourEmail
    gmailPassword = yourPassword
    recipient = targetEmail
    msg = MIMEMultipart()
    msg['From'] = gmailUser
    msg['To'] = recipient
    msg['Subject'] = subjectLine
    # Threading headers (RFC 2822 section 3.6.4): both carry the Message-ID
    # of the existing message so that mail clients file this as a reply to it.
    msg['In-Reply-To'] = messageID
    msg['References'] = messageID
    msg.attach(MIMEText(bodyText))
    for attachmentFilePath in attachmentFilePaths:
        msg.attach(getAttachment(attachmentFilePath))
    mailServer = smtplib.SMTP('smtp.gmail.com', 587)
    mailServer.ehlo()
    mailServer.starttls()
    mailServer.ehlo()
    mailServer.login(gmailUser, gmailPassword)
    mailServer.sendmail(gmailUser, recipient, msg.as_string())
    mailServer.quit()
    print('Sent email to %s' % recipient)


def getAttachment(attachmentFilePath):
    # Pick a MIME type from the file name; anything compressed or unknown
    # is sent as a generic binary part.
    contentType, encoding = mimetypes.guess_type(attachmentFilePath)
    if contentType is None or encoding is not None:
        contentType = 'application/octet-stream'
    mainType, subType = contentType.split('/', 1)
    with open(attachmentFilePath, 'rb') as f:
        data = f.read()  # read once; the original read the file a second time into an empty payload
    if mainType == 'text':
        attachment = MIMEText(data.decode('utf-8', 'replace'), _subtype=subType)
    elif mainType == 'message':
        attachment = email.message_from_bytes(data)
    elif mainType == 'image':
        attachment = MIMEImage(data, _subtype=subType)
    elif mainType == 'audio':
        attachment = MIMEAudio(data, _subtype=subType)
    else:
        attachment = MIMEBase(mainType, subType)
        attachment.set_payload(data)
        encode_base64(attachment)
    attachment.add_header('Content-Disposition', 'attachment',
                          filename=os.path.basename(attachmentFilePath))
    return attachment


if __name__ == "__main__":
    # Edit the following arguments with your values
    sendMail("yourEmail", "yourPassword", "test",
             "Hello, thread.", "targetEmail",
             "Message-ID")

The important takeaway from all this is that you can insert your email into a thread that you were not privy to in the first place, and you do not even have to send your message from an email address within the same domain as the recipient(s). Shout out to @baffles for pointing me to the correct parts of the RFC to focus on for this and for testing this out with me.

Caveats and things to note:

  • This has only really been tested briefly with Gmail
  • You can modify this script to supply multiple values to “References” but I do not know the pros and cons of doing so
  • How Message-ID is generated will be the subject of future research
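Since threading is purely a client-side courtesy based on In-Reply-To and References, the defensive question is how a mail gateway or mailbox rule would spot a reply whose sender was never part of the thread. Here is an added example in Python (standard library only; not the page’s code and not Gmail’s logic) that builds a thread index from a mailbox and classifies an incoming message by whether its sender has previously appeared in the thread it claims to continue. The mailbox, addresses and Message-IDs are constructed for the demo.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

# Constructed mailbox (not real mail): a genuine two-message thread.
MAILBOX = [
    """From: alice@example.com
To: bob@example.com
Subject: test
Message-ID: <1001@mail.example.com>

first message
""",
    """From: bob@example.com
To: alice@example.com
Subject: Re: test
Message-ID: <1002@mail.example.com>
In-Reply-To: <1001@mail.example.com>
References: <1001@mail.example.com>

reply
""",
]

# Constructed message shaped the way the script above shapes it: a matching
# Subject, In-Reply-To and References, but a sender who was never on the thread.
INCOMING_OUTSIDER = """From: mallory@attacker.invalid
To: bob@example.com
Subject: Re: test
Message-ID: <9@attacker.invalid>
In-Reply-To: <1001@mail.example.com>
References: <1001@mail.example.com>

Hello, thread.
"""


def _addresses(msg):
    """Lower-cased set of every address in From/To/Cc of one message."""
    fields = msg.get_all("From", []) + msg.get_all("To", []) + msg.get_all("Cc", [])
    return {addr.lower() for _, addr in getaddresses(fields) if addr}


def build_thread_index(mailbox):
    """Map each Message-ID to its thread root, and each root to the set of
    addresses that have legitimately taken part in that thread."""
    msgs = {m["Message-ID"].strip(): m for m in map(message_from_string, mailbox)}

    def root_of(mid):
        seen = set()
        while mid in msgs and mid not in seen:
            seen.add(mid)
            parent = (msgs[mid].get("In-Reply-To") or "").strip()
            if not parent or parent not in msgs:
                return mid
            mid = parent
        return mid

    roots = {mid: root_of(mid) for mid in msgs}
    participants = {}
    for mid, msg in msgs.items():
        participants.setdefault(roots[mid], set()).update(_addresses(msg))
    return roots, participants


def classify_reply(raw_message, mailbox):
    """Return 'new-thread', 'reply-to-unknown', 'reply-from-participant' or
    'reply-from-outsider' for an incoming message judged against a mailbox."""
    msg = message_from_string(raw_message)
    parent = (msg.get("In-Reply-To") or "").strip()
    if not parent:
        return "new-thread"
    roots, participants = build_thread_index(mailbox)
    if parent not in roots:
        return "reply-to-unknown"
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in participants[roots[parent]]:
        return "reply-from-participant"
    return "reply-from-outsider"


if __name__ == "__main__":
    print(classify_reply(INCOMING_OUTSIDER, MAILBOX))  # reply-from-outsider
```

“reply-from-outsider” is the signal worth surfacing to the user (a banner, or a quarantine rule for sensitive threads); “reply-to-unknown” is normal for mail that was not delivered to this mailbox, so it should be logged rather than blocked. The check looks only at the envelope-level headers, so it does not verify the sender either: pair it with SPF/DKIM/DMARC results, which establish that the From domain is genuine, while this establishes that the From address belongs in the conversation.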

Make your mornings suck less with a Pandora.com alarm clock (for Mac)

I don’t do mornings. I really don’t. I’ll stay up until them, sure, but I do not want to wake up to them.

Using OS X Mountain Lion, here we go: for the impatient, just read the bold.

Edit: I realize that bold doesn’t show up well with my current configuration. I’ll work on that.

  1. Visit Pandora.com in your default web browser, which will be the same browser that the following alarm clock script will work with, sign in to your Pandora account, and choose the radio station you want to play every AM. I play general Trip Hop, but that’s just me. Close Pandora, but DO NOT LOG OUT of your account.
  2. Fire up Automator (it’s included with the OS) and create a new Calendar Alarm.
  3. For your first Automator Workflow step, select Actions > Utilities > Set Computer Volume.
  4. Set your Output volume where you like. I set mine as follows: Output volume: 50%; Alert volume: 0%; Input volume: 0%. I didn’t want to be jolted out of bed.
  5. For the next step in your Workflow, choose Actions > Internet > Get Specified URLs.
  6. Change the “http://apple.com” to “http://pandora.com”.
  7. For your last Workflow step, select Actions > Internet > Display Webpages. Your Workflow should now resemble this:
     (Screenshot of the Automator Workflow that launches Pandora.com as a morning alarm clock.)
  8. At this point you are done editing your Workflow. (Hooray beer!) Choose File > Save and give your Calendar Alarm a descriptive name. Once saved, the native Calendar application should fire up and you should see your Alarm in the current day. You should also see the “Automator” calendar under “On My Mac.”
  9. Specify the time that you want your Internet radio to start playing by right-clicking on the Alarm, choosing Get Info and setting the time. Also set “repeat” to “Every day” or whatever works for you. If you only work every other day, week, or month, that’s awesome.

Protip: To reduce clutter in the Calendar app you can uncheck the box next to the Automator calendar to hide it. The Alarm should still go off as scheduled (it did during my testing). Or use Google Calendar for all your events and meetings. Also, if your default web browser (USE CHROME!) is already running when your alarm goes off, which is the case for me because I always have an obsessive number of tabs open even though I use Pocket, this script will simply spawn a new tab. If you already have Pandora running, I have no idea what will happen. Good luck, brave soul.

After looking through other Automator actions it appears that you could also do this with an iTunes playlist (and a lot of other applications), but I haven’t tried anything other than what is above, so you will have to DIY. There was also some talk on the ’net about using Pandora’s desktop application (via Adobe Air) for this. If you used launchd instead, awesome. Tell us about it. Post your solution in the comments.

Note that the first step you created in the Automator Workflow controls the volume of your Mac. If you are using external speakers with their own volume control (like I am) then you will need to adjust those to your liking as well.

Site update: This is the first post in the Life Automation series that I hope to continue posting to. I had an awesome boss that was the master of automation and he got me hooked on attempting to automate everything in life.

Once you’re out of bed, get some Powerthirst.

Disclaimer: Just bought a Mac so this may not be the most optimal way to go about doing this.


Image Not Displayed In Internet Explorer 7 – Red X

Are you not seeing pictures in Internet Explorer, but instead getting a red X? It could be due to a number of factors, including “Show Pictures” not being checked in Internet Options, or sloppy XHTML coding (make sure to close your tags). But this was not the case for me. Everything was working perfectly in Mozilla (which I use primarily), but I was just double-checking in other browsers. Here is the reason:

Internet Explorer DOES NOT LIKE IMAGES IN CMYK



Interesting. I could not find that answer anywhere on the net, but decided to start back at the beginning in Adobe Photoshop CS4. I reopened the JPEG (seen below) and noticed that it was still in the CMYK color model because I was working on business card designs for commercial print.

Be sure to transform your images back into RGB if they will be viewed on the net or in IE7 (or probably any version of I.E. for that matter). This is also important if there is the possibility that your client uses Internet Explorer to preview images.
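A quick way to catch this before publishing is to read the JPEG’s own frame header rather than trusting the editor: the Start-of-Frame segment records the number of color components, and four components means CMYK (or Adobe YCCK), which is the case IE7 refuses to render. Here is an added example in Python (standard library only; not the page’s code) that walks the JPEG marker segments and reports the color model. The two JPEG headers at the bottom are constructed byte strings for the demo, not real image files.

```python
import struct

# SOF0..SOF15 marker codes (minus DHT 0xC4, JPG 0xC8 and DAC 0xCC, which are not frames).
SOF_MARKERS = {0xC0, 0xC1, 0xC2, 0xC3, 0xC5, 0xC6, 0xC7,
               0xC9, 0xCA, 0xCB, 0xCD, 0xCE, 0xCF}
# Markers that carry no length field: TEM, RST0-7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))


def jpeg_components(data):
    """Return the component count from the first SOF segment:
    1 = grayscale, 3 = YCbCr/RGB, 4 = CMYK or YCCK."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG (missing SOI)")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError("marker expected at offset %d" % pos)
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte before a marker
            pos += 1
            continue
        if marker in STANDALONE:
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        if marker in SOF_MARKERS:
            if pos + 10 > len(data):
                raise ValueError("truncated SOF segment")
            precision, height, width, ncomp = struct.unpack(">BHHB", data[pos + 4:pos + 10])
            return ncomp
        if marker == 0xDA:          # Start of Scan before any SOF: malformed
            break
        pos += 2 + length
    raise ValueError("no SOF segment found")


def color_model(data):
    """Human-readable color model; 'CMYK' is the one IE7 will not display."""
    return {1: "grayscale", 3: "RGB/YCbCr", 4: "CMYK"}.get(jpeg_components(data), "unknown")


# --- Constructed JPEG headers for the demo (SOI + APP0/JFIF + SOF0, no image data).
def _sof0(ncomp):
    comps = b"".join(bytes([i + 1, 0x11, 0]) for i in range(ncomp))   # id, sampling, quant table
    body = struct.pack(">BHHB", 8, 16, 16, ncomp) + comps            # precision, height, width, count
    return b"\xff\xc0" + struct.pack(">H", 2 + len(body)) + body


_APP0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
CMYK_JPEG_HEAD = b"\xff\xd8" + _APP0 + _sof0(4)
RGB_JPEG_HEAD = b"\xff\xd8" + _APP0 + _sof0(3)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, color_model(f.read()))
```

Run it over a directory of exported assets before upload and anything reporting “CMYK” goes back through Image > Mode > RGB Color. The parser stops at the first frame header, so it never needs to read the compressed scan data, and it deliberately does not try to tell CMYK from YCCK (that needs the Adobe APP14 transform flag); for the publishing check the distinction does not matter, since neither is safe for the browser.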


(Image: G. S. McNamara company logo; click for larger view with subtle details.) Pretty cool design I was working on last night for myself, and the cause of today’s troubles.


Need a business card designed? Request An Estimate.



Color Isolation in Grayscale, Signature, and Business Card with Mirror Effect in Photoshop

Had a bit of fun in Photoshop recently. Tested out how to correctly isolate certain colors in an image and change the rest to grayscale. I was also able to scan in my signature, clean it up, vectorize it, and make it a custom shape for use in work down the road. Finally, I delved into the mirror effect that is now pretty popular for text and images. I’ll use it on the front of my business card.

(Image: Porsche in red.) This image is also viewable on my deviantART page. I will probably upload most of my work there in the future.


I had to track down this font from GIMP 2.6 and install it for use in Photoshop. Now to find a printer for these business cards . . .

(Image: Web 2.0 business card.)



Grab a copy of Photoshop for yourself and give it a try.



BlackBerry Caller ID and Address Book Not Displayed for Incoming Calls

If your BlackBerry is only displaying the phone number of an incoming call, and not the name or label assigned to it in your address book, you need to disable content protection.

Go to: Settings -> Options -> Security Options -> General Settings -> Content Protection
Either disable Content Protection, or keep Content Protection enabled but select “No” next to “Include Address Book:”.

And now you won’t offend every single person that calls you by asking who they are.



Jabber Instant Message Server and Shut Down Your Computer With a Text Message – Hak5.org

I was just over at Hak5.org because they posted a new video.

A section of this video dealt with setting up an Openfire server for IM. Forward to about 11:10 to learn about it.


Also, shut down your computer with an SMS text. Requires Microsoft Outlook or Thunderbird Portable. This is a link to the thread in their forums.
