Brandon Perry brandonprry

@brandonprry
brandonprry / gist:1fec884bc1253e972e77
Last active January 15, 2016 20:59
Apache Jetspeed 2 Unauthenticated Reflected XSS

During a recent pentest, we came across the Apache Jetspeed 2 HTTP server. After a few hours of testing, I realised that the web application was vulnerable to an unauthenticated reflected XSS attack. However, I was limited, as I could not use < or > in the URL, as Jetspeed would return a 400 Bad Request HTTP response.

I could break out of the attribute that stored the URL with a double-quote ("), though, so I could control the attributes on an arbitrary element. A specially crafted URL could define a style attribute that makes that HTML element cover the entire page, and then an onmouseover attribute could execute arbitrary JavaScript. I ended up with a generic URL that looked like this (URL encoded):

http://192.168.0.7:8080/jetspeed/portal/fdsa%22%20%73%74%79%6c%65%3d%22%70%61%64%64%69%6e%67%2d%74%6f%70%3a%35%30%30%30%70%78%3b%64%69%73%70%6c%61%79%3a%62%6c%6f%63%6b%3b%70%6f%73%69%74%69%6f%6e%3a%66%69%78%65%64%3b%74%6f%70%3a%30%3b%6c%65%66%74%3a%30%3b%22%20%6f%6e%6d%6f%75%73%65%6f%76%65%72%3d%22%6a%61

@brandonprry
brandonprry / afl-ptmin.sh
Last active June 20, 2024 12:54
Parallelize afl-tmin to use multiple cores
#!/bin/bash
# Usage: afl-ptmin.sh <cores> <inputdir> <outputdir>
cores=$1
inputdir=$2
outputdir=$3
pids=""
# number of test cases to minimize
total=$(ls "$inputdir" | wc -l)
# walk the input set in steps of $cores so each core gets its own slice
for k in $(seq 1 "$cores" "$total")
do
@brandonprry
brandonprry / gist:4525ded8fca350e98d46
Created September 11, 2015 01:22
Uninstrumented strace
# LD_PRELOAD=preeny/x86_64-linux-gnu/desock.so strace ./main < get
execve("./main", ["./main"], [/* 23 vars */]) = 0
brk(0) = 0x801000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fd14ca18000
open("preeny/x86_64-linux-gnu/desock.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\24\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=18659, ...}) = 0
getcwd("/root", 128) = 6
mmap(NULL, 2240912, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7fd14c5d0000
@brandonprry
brandonprry / gist:ef1f5ecf7f7d0cc8da03
Last active September 11, 2015 01:33
Instrumented strace
# LD_PRELOAD=preeny/x86_64-linux-gnu/desock.so strace ./main < get
execve("./main", ["./main"], [/* 23 vars */]) = 0
brk(0) = 0x1ce9000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f75d449e000
open("preeny/x86_64-linux-gnu/desock.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\24\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=18659, ...}) = 0
getcwd("/root", 128) = 6
mmap(NULL, 2240912, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x7f75d4050000
#include <string.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/select.h>
#include <sys/socket.h>
#include <microhttpd.h>
#define PORT 8081
int done = 0;
public static void Main (string[] args)
{
using (ArachniSession session = new ArachniSession ("192.168.2.207", 4567, true)) {
using (ArachniManager manager = new ArachniManager (session)) {
var resp = manager.StartScan ("http://192.168.2.87/?searchquery=fdsa&action=search&x=11&y=15");
// poll the scanner until it reports it is no longer busy
while (manager.IsBusy ()) {
Thread.Sleep (10000);
Console.Write (".");
}
}
}
}

Comment regarding Class-25: Software – security research

Brandon Perry, VolatileMinds

Legislation concerning lawful security research requires consideration not only into the current state of software security, but also the future of how we as Americans will consume and create software. Increasingly, software drives basic functions within each and every American’s daily life. Legislators and members of the security community have an excellent opportunity to create a framework that allows research by those with the capabilities and know-how to bolster the security of our homes, our businesses, and our infrastructure.

We live in a digital world now. 30 years ago, when computer software was only beginning to be accepted into the mainstream public, legislators passed the Computer Fraud and Abuse Act. This was before the Internet of Everything was a gleam in anyone’s eye, and the notion of us running out of IP addresses was laughable. Now, we have critical infrastructure, smart home appliances, and even vehicle

mysql> select 1 from users where 'fdsa' rlike (select (case when (19>20) then 'a' else '|' end));
ERROR 1139 (42000): Got error 'empty (sub)expression' from regexp
mysql> select length((select name from users limit 0,1));
+--------------------------------------------+
| length((select name from users limit 0,1)) |
+--------------------------------------------+
|                                          5 |
+--------------------------------------------+
1 row in set (0.00 sec)