Archive for the ‘Security’ Category

CSF bugs and updates

Saturday, June 25th, 2016

ConfigServer Security and Firewall (CSF) is a great program for managing iptables/netfilter firewall rules on Linux servers and performing automated blocks based on various things such as brute force login attempts (check it out at http://www.configserver.com/cp/csf.html), and I really shouldn’t complain given that it’s free, but sometimes I really do wonder if ConfigServer/Way to the Web actually do any testing at all before releasing new versions!

7 issues fixed in 6 bugfix releases (9.01 to 9.06) in 2 days! It’s a good job that the automatic update feature works properly…

eBay and PayPal DNS hijacked by Syrian Electronic Army

Saturday, February 1st, 2014

Earlier today, the nameservers on the ebay.co.uk and paypal.co.uk domains were changed to ns1.dnforu.com and ns2.dnforu.com in an apparent hijack.

It seems that the Syrian Electronic Army are now claiming responsibility for this on Twitter. They have posted screenshots of the eBay/PayPal MarkMonitor account from which they were able to manage the domains in question and, judging by another screenshot, seemingly also had access to the email account of Paul Whitted, Senior Manager at eBay’s Site Engineering Centre.

Several hours before this broke in the news, I tried to get in touch with PayPal UK’s security team to report this to them; however, after being passed between several people I was eventually told that the problems I was experiencing were because “PayPal doesn’t support Apple devices as they are less secure”. Thanks guys, really helpful, top notch work there!

I also emailed the eBay network team and their domain registrar, MarkMonitor, neither of whom bothered to get back to me.

For posterity, I’ve attached screenshots of the ebay.co.uk and paypal.co.uk listings in Nominet’s whois records at the time of the attack.

[Screenshot: paypal.co.uk nameserver hijack]
[Screenshot: ebay.co.uk nameserver hijack]

Tags used by OWASP CRS ModSecurity rules

Saturday, January 18th, 2014

I couldn’t find a definitive list of the tags used by the OWASP CRS ModSecurity rules, so after a bit of faffing around, here’s what I’ve come up with for the “base” rules in OWASP CRS version 2.2.9 (current at the time of writing).

I’ve tried to group them together as best I can:

Web Attack:

OWASP_CRS/WEB_ATTACK/XSS
OWASP_CRS/WEB_ATTACK/DIR_TRAVERSAL
OWASP_CRS/WEB_ATTACK/RFI
OWASP_CRS/WEB_ATTACK/COMMAND_INJECTION
OWASP_CRS/WEB_ATTACK/CF_INJECTION
OWASP_CRS/WEB_ATTACK/SQL_INJECTION
OWASP_CRS/WEB_ATTACK/FILE_INJECTION
OWASP_CRS/WEB_ATTACK/PHP_INJECTION
OWASP_CRS/WEB_ATTACK/LDAP_INJECTION
OWASP_CRS/WEB_ATTACK/SSI_INJECTION
OWASP_CRS/WEB_ATTACK/REQUEST_SMUGGLING
OWASP_CRS/WEB_ATTACK/SESSION_FIXATION

Protocol Violation:

OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST
OWASP_CRS/PROTOCOL_VIOLATION/INVALID_HREQ
OWASP_CRS/PROTOCOL_VIOLATION/INVALID_REQ
OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_HOST
OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_ACCEPT
OWASP_CRS/PROTOCOL_VIOLATION/MISSING_HEADER_UA
OWASP_CRS/PROTOCOL_VIOLATION/EVASION
OWASP_CRS/PROTOCOL_VIOLATION/PROXY_ACCESS

Policy:

OWASP_CRS/POLICY/SIZE_LIMIT
OWASP_CRS/POLICY/EXT_RESTRICTED
OWASP_CRS/POLICY/FILES_NOT_ALLOWED
OWASP_CRS/POLICY/PROTOCOL_NOT_ALLOWED
OWASP_CRS/POLICY/ENCODING_NOT_ALLOWED
OWASP_CRS/POLICY/METHOD_NOT_ALLOWED

Leakage:

OWASP_CRS/LEAKAGE/INFO_STATISTICS
OWASP_CRS/LEAKAGE/INFO_DIRECTORY_LISTING
OWASP_CRS/LEAKAGE/INFO_FILE
OWASP_CRS/LEAKAGE/SOURCE_CODE_ASP_JSP
OWASP_CRS/LEAKAGE/SOURCE_CODE_CF
OWASP_CRS/LEAKAGE/SOURCE_CODE_PHP
OWASP_CRS/LEAKAGE/ERRORS_IIS
OWASP_CRS/LEAKAGE/ERRORS_CF
OWASP_CRS/LEAKAGE/ERRORS_PHP
OWASP_CRS/LEAKAGE/ERRORS_ZOPE
OWASP_CRS/LEAKAGE/ERRORS_SQL

Malicious:

OWASP_CRS/MALICIOUS_CODE
OWASP_CRS/MALICIOUS_SOFTWARE/TROJAN
OWASP_CRS/OWASP_CRS/MALICIOUS_IFRAME (not sure why this one has “OWASP_CRS” in it twice)

Automation:

OWASP_CRS/AUTOMATION/MALICIOUS
OWASP_CRS/AUTOMATION/SECURITY_SCANNER

Miscellaneous:

OWASP_TOP_10/A6
PCI/6.5.6
WASCTC/WASC-13
CAPEC-272
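As an added example (my own script, not anything from the CRS project or the original post), here is a small Python tool that pulls the tag: actions out of CRS rule text and the [tag "..."] entries out of a ModSecurity 2.x error-log line, then groups them by category the same way the list above does. The sample rules and log line are constructed for the demonstration and the rule ids in them are placeholders.

```python
import re
from collections import defaultdict

# A SecRule attaches tags as actions, e.g. tag:'OWASP_CRS/WEB_ATTACK/XSS'
# (single or double quotes); the ModSecurity 2.x error log repeats each
# matched rule's tags as [tag "..."].
RULE_TAG_RE = re.compile(r"""tag:(['"])(.*?)\1""")
LOG_TAG_RE = re.compile(r'\[tag "([^"]+)"\]')

# Constructed sample rules in CRS 2.2.x layout; the ids are placeholders,
# not taken from the real rule set.
SAMPLE_RULES = r"""
SecRule ARGS "(?i)<script" \
    "phase:2,id:'1000001',t:none,t:urlDecodeUni,block,msg:'XSS Attack Detected',\
    tag:'OWASP_CRS/WEB_ATTACK/XSS',tag:'WASCTC/WASC-13',tag:'OWASP_TOP_10/A6',tag:'CAPEC-272'"
SecRule REQUEST_HEADERS:Host "^[\d.:]+$" \
    "phase:2,id:'1000002',t:none,block,msg:'Host header is a numeric IP address',\
    tag:'OWASP_CRS/PROTOCOL_VIOLATION/IP_HOST',tag:'PCI/6.5.6'"
"""

# Constructed sample error-log line in the shape ModSecurity 2.x writes.
SAMPLE_LOG = ('[Sat Jan 18 12:00:00 2014] [error] [client 192.0.2.10] ModSecurity: '
              'Warning. Pattern match "(?i)<script" at ARGS:q. [file "..."] '
              '[line "1"] [id "1000001"] [msg "XSS Attack Detected"] '
              '[tag "OWASP_CRS/WEB_ATTACK/XSS"] [tag "WASCTC/WASC-13"] '
              '[hostname "www.example.com"] [uri "/search"]')

def tags_from_rules(text):
    """Every tag value found in rule text, in file order (duplicates kept)."""
    return [m.group(2) for m in RULE_TAG_RE.finditer(text)]

def tags_from_log(text):
    """Every tag value found in error-log text, in order (duplicates kept)."""
    return LOG_TAG_RE.findall(text)

def group_tags(tags):
    """Group tags as the list above does: OWASP_CRS/<CATEGORY>/... is filed
    under <CATEGORY>; anything else (PCI, WASCTC, CAPEC, OWASP_TOP_10) under
    'Miscellaneous'. The doubled-prefix MALICIOUS_IFRAME tag therefore lands
    under 'OWASP_CRS', which is one way to spot such oddities."""
    groups = defaultdict(set)
    for tag in tags:
        parts = tag.split('/')
        if parts[0] == 'OWASP_CRS' and len(parts) >= 2:
            groups[parts[1]].add(tag)
        else:
            groups['Miscellaneous'].add(tag)
    return {category: sorted(values) for category, values in groups.items()}

if __name__ == '__main__':
    for category, values in sorted(group_tags(tags_from_rules(SAMPLE_RULES)).items()):
        print(category + ':', ', '.join(values))
    print('log line fired:', tags_from_log(SAMPLE_LOG))
```

Point tags_from_rules at the concatenated contents of the base_rules/*.conf files to regenerate the list for a different CRS version, or feed tags_from_log a whole error log to see which categories actually fire on your server.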