Generic XXE Detection

In this article I present some thoughts about generic detection of XML eXternal Entity (XXE) vulnerabilities during manual pentests supplemented with some level of automated tests. The ideas in this blog post (derived from experiences of several typical and untypical XXE detections during blackbox pentests) can easily be transformed into a generic approach to fit into web vulnerability scanners and their extensions.

This is done by demonstrating an example of where service endpoints that are used in a non-XML fashion can eventually be accessed with XML as input format too, opening the attack surface for XXE attacks.

Unauthenticated Session Fixation Attacks

Since modern authentication frameworks (like JAAS in combination with current JavaEE application servers) try to mitigate the Session Fixation attack scenario out-of-the-box, one might assume that this attack vector is mostly relevant for custom developed login schemes. Unfortunately during my pentests of applications, which properly change the session identifier upon login, I still find Session Fixation attack scenarios. These often arise from the misconception that the login process is the only workflow of an application that adds (from an attacker's point of view) significant value to a shared anonymous session.

In this article I showcase typical scenarios regularly found during pentests where unauthenticated Session Fixation attacks occur and how they can be exploited by targeting application workflows aside from the login process.

Cross-Site WebSocket Hijacking (CSWSH)

The relatively new HTML5 WebSocket technique to enable full-duplex communication channels between browsers and servers is retrieving more and more attention from developers as well as security analysts. Using WebSockets developers can exchange text and binary messages pushed from the server to the browser as well as vice versa.

During some experiments and pentests with WebSocket backed applications in the last few months I came across a scenario where developers might use WebSockets in a way to open up their applications to a vulnerability I call Cross-Site WebSocket Hijacking (CSWSH), which I will present in this short blog post.

CSRF and Same-Origin XSS

During penetration tests CSRF (Cross-Site Request Forgery) vulnerabilities are typical findings, although proper protection concepts with tokens are well known. But even when protected with tokens these concepts often fail as soon as XSS (Cross-Site Scripting) vulnerabilities exist in the same domain/port combination, since the script executing via XSS in the victim's browser is capable of reading the CSRF protection token and thus can execute CSRF attacks.

In this short blog post I will present some tips on protecting against CSRF attacks even when XSS vulnerabilities exist in other applications running same-origin with the targeted application.

Tracking performed by Social Networks

In this blog post I analyze methods of user tracking which are performed by popular social network websites such as Facebook, Twitter, Xing, and recently Google+.

Each of these social networks have buttons (called Like, Tweet, Visitors, and +1 buttons) which are installed on numerous websites. I try to put some light on the actions performed by those buttons and how they track users around the web, even when they don't click those buttons.