AppSec Blog: Category - Spot the Vuln

AppSec Blog:

Clickjacking: Help, I Was Framed!

Security researchers discovered and disclosed the Clickjacking attack (also known as a "UI Redress Attack") back in 2008. All major browsers were affected. Flash even had an interesting vulnerability that allowed control of a user's microphone and webcam. Yet, here we are 7 years later still citing this issue on nearly every security assessment of web applications that we do. During our report delivery, development teams typically have one of the following responses: "What's Clickjacking?", "What can someone really do with this?", or "So what?".

I'd like to take a minute to explain a little bit about this exploit, give a quick example, and talk about a few ways to mitigate this issue.

The Exploit

Clickjacking involves hosting a form from the application in an iframe and tricking the user into activating the form. A common way to do this is to set the opacity of the iframe to 0 (rendering it invisible) and placing a link over a button on the


Demystifying Cross-Site Request Forgery

Continuously ranked in the OWASP Top Ten, a large majority of the development community still doesn't understand Cross-Site Request Forgery (CSRF). After years of penetration tests and code reviews, my experiences show that a high percentage of applications, especially new applications, do not have proper CSRF protections in place. This post provides a refresher on CSRF and provides a common defense for this issue.

The Exploit

CSRF occurs when an application trusts that all requests originating from the user's browser are user-directed actions. Imagine that you are logged into your bank's online portal. The application requires users to authenticate and passes a session cookie back to the browser. Subsequent requests made to the banking site must contain the session cookie, allowing the site to identify the user and perform the requested action.

What if an attacker could send a fake request using the victim's browser?

Suppose an attacker wants to


The Google Cross-Site Scripting Challenge

If you didn't know already, Google takes its application security seriously, especially when it comes to Cross-Site Scripting. They already have a Vulnerability Rewards Program and XSS Learning Documentation posted on their application security site. A few weeks ago, I saw some chatter on Twitter about a new approach for teaching folks about Cross-Site Scripting: The XSS Game! Wait a second, teach people about XSS by playing a game? It sounds like an app I would download on my tablet for my daughter to play with. Brilliant! Where do I sign up?

The Welcome screen contains some background information about XSS, Google's vulnerability rewards program, and a link that takes you into the 1st of 6 missions. The goal of each mission is to get a JavaScript alert box to popup in the embedded


LinkedIn OAuth Open Redirect Disclosure

During a recent mobile security engagement, I discovered an Insecure Redirect vulnerability in the LinkedIn OAuth 1.0 implementation that could allow an attacker to conduct phishing attacks against LinkedIn members. This vulnerability could be used to compromise LinkedIn user accounts, and gather sensitive information from those accounts (e.g. personal information and credit card numbers). The following describes this security vulnerability in detail and how I discovered it.

The Vulnerability
Section 4.7 of the OAuth 1.0 specification (RFC 5849) warns of possible phishing attacks, depending on the implementation. A vulnerable OAuth implementation could enable phishing attacks via user-agent redirection. The stated emphasis, further supported by OAuth 2.0 (RFC 6749 via "redirect_uri" parameter), is intended to raise awareness of open-redirection as a security vulnerability that should be avoided.


Spot the Vuln Boundaries - SQL Injection


Affected Software: My Calendar Wordpress Plugin

Fixed in Version: >1.7.2

Issue Type: SQL Injection

Original Code: Found Here


This week's bug was a subtle mistake in the usage of an escaping routine. It seems the developer understood the dangers of SQL injection and therefore used an escaping routine to sanitize user controlled input before using that input to build a SQL statement. Unfortunately, the developer overlooked a crucial characteristic and used the wrong escaping routine. Looking at the vulnerable line, we see the following: