neraliu's blog internet profession in between hongkong/china and silicon valley (no longer, but the world!)

19 June 2009

a vulnerability of session fixation

authentication is the way an application identifies a person before authorizing actions on that person's behalf. in current web applications, the session identifier is one of the ways to identify the authenticated session of the user. however, careless handling of the session identifier in the application may lead to vulnerabilities that allow an unauthorized user to gain access as that user.

session fixation is a vulnerability that allows an unauthorized person to fixate (set) another person's session. the most typical form is an application that accepts the session id from a POST/GET parameter without validating it on the server side; this lets the attacker set another person's session id through some phishing activity. for example, if the web application accepts the session id from the query string without validation, the attacker can set your session by phishing you into clicking a url like http://web_application/?sid=EVIL_SESSION_ID. if you click on the link, then you are doomed.

the most suitable (or moderately secure) way is to carry the session id in a cookie, which is supposed to be protected by the domain (ha, supposed to be). sure, the most secure way is to use SSL etc. (sure, this is always the answer from the biz ppl. :D )

filed under: computer security | no comments
17 June 2009

browser security – just a simple try of document.domain

for browser security, every page has its own domain sandbox that prevents a different domain from accessing its DOM without permission. by default, document.domain echoes the fully qualified domain name of the page being served, so if you want to access a frame inside the page that is not served from the same FQDN, the browser security sandbox does not allow it. however, there is a need to do so when we want to serve two pages from 2 different domains that share the same parent domain (it is noted that pages not sharing the same parent domain cannot make it from the frontend, as the browser security sandbox does not allow it). the way to make it work is to set document.domain of both pages to their parent domain, which lets the cross-frame scripting happen. anyway, make sure you know what you are doing before doing so, as this actually exposes your page to everything under the parent domain.
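as an added example not from the original post: relaxedDomain() works out the value both pages must assign to document.domain, and scriptFrame() applies it when run in a browser. the hostnames are constructed, and the "at least two labels" rule is a simplification of the public-suffix check real browsers apply:

```javascript
// Longest common parent of two hostnames that document.domain may be set to.
// A browser only accepts a suffix of the page's own host, and never a bare
// TLD, so a single shared label such as "com" yields null. (Real browsers
// consult the public suffix list; requiring two labels is a stand-in.)
function relaxedDomain(hostA, hostB) {
  const a = hostA.toLowerCase().split(".").reverse();
  const b = hostB.toLowerCase().split(".").reverse();
  const common = [];
  for (let i = 0; i < Math.min(a.length, b.length) && a[i] === b[i]; i++) {
    common.push(a[i]);
  }
  return common.length >= 2 ? common.reverse().join(".") : null;
}

// Browser-only: relax this page's domain to the shared parent and read the
// framed page's title. The framed page must execute the same assignment,
// otherwise the access is still blocked. Once relaxed, every other host under
// the parent domain that does the same can script this page too, which is
// the exposure the post warns about. Returns null when there is no window.
function scriptFrame(frameId, otherHost) {
  if (typeof window === "undefined") return null;
  const target = relaxedDomain(window.location.hostname, otherHost);
  if (!target) {
    throw new Error("no shared parent domain; cross-frame scripting is not possible");
  }
  document.domain = target;
  const frame = document.getElementById(frameId);
  return frame.contentWindow.document.title;
}
```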

filed under: computer security | no comments
15 June 2009

frame killer – a technique to prevent clickjacking?

a framekiller is a piece of javascript that prevents other web sites from framing/iframing your own web url. basically, the technique is very simple: when the page receives the onload event, a piece of code detects that it is loaded inside a parent frame and redirects the top-level URL, so the page cannot stay embedded in the frame.

however, internet explorer 8 introduced the <IFRAME security="restricted"> attribute. its original motivation is to prevent cross-site scripting, but it also subverts the framekiller: the framekiller code does not run inside an iframe that has this attribute set.

filed under: computer security | no comments
10 June 2009

crossdomain.xml – an interesting and funny solution of flash

all flash developers should know the policy file, crossdomain.xml. this file lets the server determine what data it opens up to the client, but it restricts flash clients only. the funny point of this design is that if i am not a flash client, your data is still open on the internet without control, so.... what is the intention behind this policy file? it simply complicates theft by a flash client; why not proxy the data source and all is done? what a funny thing.
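as an added example (not from the original post), a crossdomain.xml with the wide-open setting shown commented out beside a tighter one; domainA.com is a constructed placeholder. as the post says, this only constrains flash player, so anything sensitive still needs server-side authentication no matter what the policy says:

```xml
<?xml version="1.0"?>
<!DOCTYPE cross-domain-policy SYSTEM "http://www.adobe.com/xml/dtds/cross-domain-policy.dtd">
<cross-domain-policy>
  <!-- only this master policy file is honoured; policy files elsewhere on the host are ignored -->
  <site-control permitted-cross-domain-policies="master-only"/>

  <!-- WEAK: a SWF from any site may read this server's responses, sent with the user's cookies -->
  <!-- <allow-access-from domain="*"/> -->

  <!-- TIGHTER: only SWFs served from hosts under domainA.com (constructed placeholder);
       secure="true" (the default) refuses http-served SWFs when this policy is served over https -->
  <allow-access-from domain="*.domainA.com" secure="true"/>
</cross-domain-policy>
```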

filed under: computer security | no comments
4 June 2009

allowDomain() in flash

when you are coding flash, you must have come across security.allowDomain(String). this is one of the important security features in flash; however, due to backward compatibility in flash, this function may not take effect on your client. anyway, to simplify the explanation, we stick to flash player version 8.0 or later.

if there are 2 flash files served from the same domain, say www.domainA.com, both flash files are capable of accessing each other's variables and functions by loading each other into the memory space with loadMovie(). if they are not served from the same domain, say one is served from www.domainA.com while another is served from www.domainB.com, one has to grant permission to the other with the security.allowDomain(String) function call. in this case, we call it cross-domain scripting.

in addition to protecting the flash, html-to-swf scripting is also protected by security.allowDomain(String).

nevertheless, due to the backward compatibility issue, some older flash players on the client side do not honour security.allowDomain(String). for example, if the client's flash player is version 5.0, security.allowDomain does not take part in domain protection at all, as security.allowDomain had not been introduced in the version 5.0 days.

filed under: computer security | no comments
2 June 2009

finding the flow of the money in the market

it is interesting to find the stock market surging high after the dip in march, with lots and lots of people crying that the bull market will be reborn late this year. though what you hear from people is just speculation, and you can never prove it until time proves itself. anyway, what i found interesting recently is the "trends in mutual fund investing" report by the investment company institute, which reports the net new cash flow into the different categories of mutual funds weekly. it is really worth reading weekly to understand where the money goes in the world. however, the bad thing is that time is limited; i really wanna compare those data with some worldwide indices and see what the relationship and correlation between them is.

filed under: investment | no comments