MBSD Security Insight

Reports by security experts are published here.

An attempt at a fully automated Web vulnerability scanner using machine learning

The author is developing "SAIVS", a vulnerability scanner that detects vulnerabilities in Web applications fully automatically, with the ultimate goal of performing vulnerability assessments at a level equivalent to that of a human security engineer. The current SAIVS is a beta version, but on simple Web applications it is able to crawl Web pages in the same way a human would. It can also observe the behavior of a Web application, devise on its own the optimal test values for detecting vulnerabilities, and detect vulnerabilities efficiently with few requests. This human-like behavior is achieved by combining multiple machine learning algorithms. This paper reports the methods used to realize SAIVS and the results of verification experiments.


SMTP Injection via recipient email addresses

SMTP Injection is an attack technique that injects attacker-controlled SMTP commands into the data transmitted from an application (typically a web application) to an SMTP server for spamming purposes.

Among this class of attack, techniques using manipulated content (message body or header) have been published and are well known in the security community. Such previous research is well covered in WASC's page.

Mitsui Bussan Secure Directions, Inc. (MBSD) has conducted research on this topic and discovered a new attack technique utilizing crafted recipient email addresses. This paper first describes the attack mechanism and then explains some vulnerability examples in email libraries on Java, Ruby, PHP and other platforms. Other attack techniques and countermeasures are discussed in the following chapters.



A few RPO exploitation techniques

RPO (Relative Path Overwrite) is an elaborate attack technique publicized by Gareth Heyes in 2014. In essence, this attack utilizes a crafted URL (typically with a PATH_INFO) to force the target Web page to load itself as a stylesheet, when the page contains both path-relative stylesheets and attacker-controllable contents.

In June 2015, MBSD conducted research on this topic and discovered some new attack techniques. In this paper, we first describe path manipulation techniques specific to some client / server environments in the next section. Then, some miscellaneous technical topics are described: a technique to forcefully enable IE's CSS expression using CV, the possibility of attacks on non-stylesheet relative URLs, and a related vulnerability discovered in the CakePHP framework. In the section after that, countermeasures are described.

Note that this paper is not an extensive or detailed guide of RPO, but is focusing on new techniques on it. More extensive and detailed information on RPO can be found in the original blog post and PortSwigger's blog.



Identifier based XSSI attacks

Cross Site Script Inclusion (XSSI) is an attack technique (or a vulnerability) that enables attackers to steal data of certain types across origin boundaries, by including target data using SCRIPT tag in an attacker's Web page as below:

<!-- attacker's page loads external data with SCRIPT tag -->
<SCRIPT src="http://target.example.jp/secret"></SCRIPT>


For years, it has been known among Web security researchers that JavaScript files, JSONP and, in certain old browsers, JSON data are subject to this type of information theft via XSSI. In addition, some browser vulnerabilities that allow attackers to gain information via JavaScript error messages have been discovered and fixed in the past.

In 2014, we conducted research on this old topic and discovered some new attack techniques and browser vulnerabilities that allow attackers to steal simple text strings such as CSV, and more complex data under certain circumstances. In the research, we mainly focused on a method of stealing data as a client-side script's identifier (variable or function name).

In this paper, we first describe these attack techniques / browser vulnerabilities in the next section and then discuss countermeasures for these issues.



Attacking Android browsers via intent scheme URLs

An intent scheme URL is a special type of URL which enables Web pages to launch activities of installed Android apps. Most of the major browsers for Android support intent scheme URLs.

In general, intent scheme URLs bring security risk, as they give malicious Web pages a chance to conduct intent-based attacks against installed apps. Therefore, browsers take measures to reduce the risk, but these measures are not necessarily enough.

In this report, we first explain what an intent scheme URL is, then present three examples of Android browser vulnerabilities related to intent scheme URLs (including cookie file theft and universal XSS), and lastly show the countermeasures for these vulnerabilities.



FilterExpression Injection attacks against ASP.NET applications

FilterExpression is a SQL-like filter language built into the ASP.NET framework. As with SQL, injection attacks are possible if an application uses FilterExpression in an improper manner, which can result in data leakage under certain situations. We call such a vulnerability or attack "FilterExpression Injection", and we present its mechanism, impact, detection method and countermeasures in this paper.

From a pentester's viewpoint, FilterExpression Injection is troublesome because at a glance it looks almost the same as SQL Injection. We think it is necessary for pentesters to understand the mechanism of FilterExpression Injection and to distinguish it properly from SQL Injection, in order to avoid wasting time during a pentest and to evaluate the risk of detected issues more accurately (usually the risk of FilterExpression Injection is lower than that of SQL Injection).

Experienced security folks may already understand what FilterExpression Injection is like, but we decided to publish this paper since there is little information about security of FilterExpression on the Web.



HTML5 Security Report

Today, the major Web browsers support HTML5, and content built with HTML5 runs on many Web sites. For platform leaders such as Google and Apple, this raises the strategic question of how far to create their own specifications at a higher level; from the standpoint of maintaining security, however, while keeping an eye on HTML5 market trends, it is essential to proceed with development on the assumption that many smartphone apps are highly likely to be replaced by Web applications developed in HTML5.
This report takes a broad view of HTML5 security, covering an overview and the threats, verifies the features on actual devices, and comprehensively explains concrete security countermeasures. (approx. 180 pages)

Android Research Report

Android is an open-source OS developed on a Linux base and used in smartphones, tablets and other information devices.
This report comprehensively explains concrete security countermeasures, covering Android usage trends, the threats lurking in Android, Android's security issues and Android's security defenses, with Android-specific properties and characteristics in mind. (approx. 150 pages)
This report can be purchased from the Web site of IID, Inc. (株式会社イード).
