Archives August 2021

Lets get right into it and explain what an Open Redirect Vulnerability is. This vulnerability is when a target visits a website and that website sends their browser to a different URL, most often a different domain. This can be the result of a phishing attack or a stored value. This kind of sneaky redirecting can trick people into believing they’re submitting information on a valid website. But really they just gave their login creds to a malicious actor. That’s what an open redirect vulnerability is. Now in our current day and age it doesn’t sound that scary. And some companies view them as so low that rewards aren’t offered for them in bug bounties. Google being one case of this. OWASP, which is focused on web security removed open redirects from its top 10 way back in 2017.

How Redirects work

Open redirects occur when an application trusts user-controlled input to redirect to another site. Like in the case of a URL parameter, DOM window property, and/or HTML meta refresh tags. Redirects have a very valid use case in the world of websites when used as intended. Redirects are used when moving content to a new URL, when deleting pages or when changing domain names or merging websites. When you have to use them, make sure to follow these best practices: Avoid chained redirects: one redirect should not forward to another redirect. Below is an example of a redirect using the URL parameter.

https://www.google.com/?redirect=https://www.gmail.com

In this example you can see that the domain google is redirecting to the domain gmail. In this case you are getting what the developers where wanting. This same thing can be done with a php header redirect function so that it never gets to the chance to be manipulated. But sometimes it isn’t going to be a permanent redirection or the developers don’t have access to redirect something from the backend side. That is why javascript and HTML meta tags are used for redirects as well. Here are a couple of examples of what they look like.

JavaScript:
window.location = https://newurl.com/

HTML meta tag:
<html>
  <head>
    <meta http-equiv="refresh" content="0;URL=https://newurl.com/">
  </head>
</html>

What is so dangerous about Open Redirects

Now that we’ve covered what a redirect and an open redirect are lets get into the damage they’ve caused in the real world. Phishing is a major go to when abusing this vulnerability. Most email security solutions aren’t built to validate is a URL is malicious in real time. What they do is they have a list of bad URLs identified ahead of time. This is what happens to throw away URLs that threat actors use. Now keeping that in mind links created by threat actors have a short life span. But if they find an Open Redirect Vulnerability on a trusted website they can leverage the link longer.

Google’s DoubleClick

Google DoubleClick is the advertising technology that provides deep analytics and insights for marketers to more effectively advertise based on the behavior of users. DoubleClick has been known to maintain this security vulnerability dating back to 2008, following the acquisition by Google. Since then, the open redirect and the vulnerabilities this type of access poses has not been addressed. Even in 2014, a known malvertising campaign was identified using doubleclick.net.

The structure of the open redirects within the phishing campaigns identified by the GreatHorn Threat Intelligence Team are all similar, whereby the attacker adds in the “advertising URL” (seen as “adurl=”) to redirect the user to the destination site, that appears as a legitimate site, but in fact is malicious. To note, an attacker does not require a DoubleClick account to develop the redirect. Instead, anyone can modify a DoubleClick URL and change the redirect.

http://googleads.g.doubleclick.net/pcs/click?adurl=https%3A%2F%2Ftm74k.codesandbox.io/YnJlbnQucmFnc2RhbGVAY2hpY2stZmlsLWEuY29t&c=R,6,65f05392-f8de-4117-b270-51af0e396896E,&typo=4

Between Q1 2021 and Q2 2021, the use of Google’s DoubleClick platform to send malicious links increased 141%.

Google’s Meet

Google Meet teleconferencing is a highly used and recognized service, commonly used and included in any subscription to Google Workspace. In fact, during the 2020, Google reported over 100 million daily Meet meeting participants. And, because of the widespread use and trust associated with the #1 brand on the market, leveraging the option to apply an open redirect became a commonly used practice by threat actors. Between Q1 2021 and Q2 2021, the use of Google Meet platform to send malicious links increased 57%.

The structure of the open redirects within phishing campaigns are all similar, whereby the attacker adds in a “link redirect” (seen as “linkredirect?”) to tell the browser what destination site the user should go to. Unfortunately, using the domain of “meet.google.com/” appears as a legitimate site, but the destination site found after the “dest=” in the URL parameter is malicious.

https://meet.google.com/linkredirect?authuser=0&dest=https%3A%2F%2Fglowforge.chargebee.com%2Fsubscriptions%2F31441895%2Fdetails

Final thoughts

The difficulty of this attack is as simple as finding the redirecting functionality of a site. And in this day in age almost every site does it. While this type of attack doesn’t have much of an immediate impact on the company itself it can be damaging to the reputation of the company. Not to mention the headaches of getting a valid URL removed from a blacklist of know bad URLs. Besides validating all data before preforming an action (which should be done regardless) giving a simple popup saying the user is leaving the site is a simple warning to protect users.

First things first lets get right into what a bug bounty is. When a company or group wants to get real world pentesting of there application or system they start a program. These programs describe the rules of engagement so hackers can preform a pentest ethically. This in its simplest way a Bug Bounty. A bug bounty is different then a Vulnerability Disclosure Program (VDP). VDP is just the process or way a company lets security minded people submit finds they have discovered. One other main difference between the two is that a VDP rarely if ever will give the researcher any more then swag or hall of fame shout out. The swag being company type goodies like mugs and stickers. The hall of fame shout out will normally come with a link to a place of the researchers choice (github, twitter, or personal website).

Why would a company pay to get hacked

Now that we have covered what a bug bounty is why would a company want to spend money to have strangers attack their assets? Top reasons for this is that they get access to a vast pool of talent dedicated to finding the vulnerabilities the companies internal team missed. Believe it or not security isn’t seen as a value adding thing so a lot of places think security can be sprinkled on top instead of needing to be baked in from the beginning. But for companies that see the value they use bug bounties as a recruiting tool. So keep that in mind as you start your bug bounty journey once you get good its great part time cash that can lead to full time work.

What a company needs to start a bug bounty program

Before a company starts a bug bounty program they need to define a few things for the hackers.

• What is the scope of the program:
  • This is the list of things in bounds of the program. Things that are included are eligible for monetary rewards they can be stuff such as what urls, OSI stack levels, specific functionalities.
• What is the company focus:
  • What is the main thing the company is trying to get out of the program. At the end of the day they have a goal be it to harden a system or functionality. Clearly defining the goal will direct the most effort towards fulfilling the goal. If you want the payment gate way tested the most telling people will stop most from poking around the about us page.
• Environment to test:
  • Is the program going to be run against the production site/servers or is it going to be a development/mirror site/server. When ever possible its best to use a mirror site/server that matches production as close as possible. Just using development assets might seem tempting it is going to be to unstable to be reliable tested against. The vulnerability might be the result of someone pushing a buggy feature that won’t make it to production. This also makes it harder to verify the vulnerability is valid.
• What type of attacker is the company looking for:
  • This isn’t to say the company is looking for a hoodie wearing, energy drinking, black background green text hacker (But for the record all my terminals are just that and I won’t apologies). Companies need to focus on the threat actor they are worried about. The three main types are black hat, gray hat, and white hat. Knowing how much insider info to give a program is a very important question. If a white hat tester is needed then the program should be focused on invite programs only.
• Should the program be invite only:
  • As mentioned in the last point invite only programs have benefits. The last example given was that a white hat needs a certain level of inside information/access to be successful. Invite programs can be literal invites on a person by person bases or on a set of criteria. The criteria being that a number of bug bounties have been done before, rating on vulnerabilities found in the past, or in some cases done special CTFs on a site.

Where to find these bug bounty programs

Now that you have a basic understanding of what a bug bounty program is and the use of it the benefits lets talk about where to find them. While you can check or contact a company directly to find out if they have a program in place the most common way is to join a bug bounty site like HackerOne. Below are a couple of of the top bug bounty platforms that are perfect for beginners and seasoned hackers looking for a side hustle.

HackerOne

You can earn cash hacking on bounty programs with this platform. Hackers have earned over $150 million through the HackerOne platform. HackerOne was started by hackers and security leaders who were driven by a passion to make the internet safer. Their platform is the industry standard for hacker-powered security. They partner with the global hacker community to surface the most relevant security issues that companies face before they can be exploited by criminals. HackerOne is headquartered in San Francisco with offices in London, New York City, Singapore, and the Netherlands.

Bugcrowd

Bugcrowd incentivizes uniquely-skilled hackers to continuously test companies critical targets and applications. Whether it’s a complex issue that’s flown under the radar, or something new introduced with the latest release, Bugcrowd has it covered. Bugcrowd’s global community of hackers have unique skills and perspectives needed to solve tough security challenges. Bugcrowd helped pay over $2 million to researchers for a Samsung Mobile reward program last year alone.

Hackenproof

They are part of Hacken Ecosystem, with products fueling cybersecurity industry from all sides: bug bounty platform, crypto exchange analytical ranking platform, cybersecurity conference HackIT, and a Cyber School. HackenProof is headquartered in Tallinn, Estonia with an R&D office in Kiev, Ukraine.

Final thoughts on how to be a great bug hunter

I’m going to wrap this up with a few words on what it takes to get to being a great bug hunter. Because practice makes perfect you are going to need to be practicing in between bug bounty programs. Subscribe to online resources like this very blog and practice the things you read and learn about. Setup a virtual machine as a cheap home lab to test things on. I’ve created a post all about virtual machines that you can check out here. As most of the bug bounty programs are related to web targets, the “The Web Application Hacker’s Handbook” is a must-read book. Watch tutorials and videos related to hacking. “Bug bounty Hunting Methodology v3 – Jason Haddix” is a great example. And above all be patient. It will take time to find your first valid bug. Duplicates are everywhere!

Python Testing Why Should You Care

A huge shift has occurred in recent years of software development toward testing and ensuring that applications deliver absolute quality. With the advent of social networks and the ever-increasing pressure of media attention, defects in code could be costly to both the individual developer and the company reputation. Whether it be security flaws exposing sensitive customer data, defects that allow hackers access to deface your website, or simply a payment page failing to execute orders, errors can cost your business huge sums of money.

Don’t think of problems on only the large-scale, either. Without a proper testing suite in place, how do you know you have delivered the functionality you set out to deliver at the beginning of writing code? Take a simple data submission form. You have coded the fields to accept a name, address, and email, without any testing. You quickly entered the data as expected and your submit works fine. But what if customers enter something unexpected in the fields? Say for instance a number in the name field. Does the code handle this unwanted values? This kind of thing is what leads to some serious security issues as well as crashes.

You can certainly make great code without tests. The key advantage of writing tests is that testing gives confidence in code before it goes live. In some cases developers are on call to support applications in the middle of the night. Do you want a 2a.m. alert because someone missed an obvious issue after the fact. The other major benefit of testing code is ownership roll over. People come and go and the first person to build something, as time goes on, actually touches it less then the scores of devs that have to wrestle with it down the road.

Fundementals and best practices

Before jumping into the process of writing tests, a good idea is to take some time to get your machine in order and up to date with the tools you will need to proceed. First, make sure you have the correct version of Python installed. Then set up some of the basic tools Python developers use on a daily basis will mean you can easily follow the rest of the steps described here.

Linux

Most Linux distributions come with some version of Python installed. If for some reason you don’t have Python, or perhaps you have an older version, you usually install using your distributions package manager. If Python is not available in this way, then you can visit python.org to download the source and compile it yourself.

Mac

Like Linux, Apple ships a version of Python with every version of OS X. Therefore if you are using a mac you should be all set by default. If you find you need to get Python on your machine for some reason, then you could install a package manager for Mac. Homebrew is lightweight installation, and the install scripts are written in Ruby you can find more information here brew.sh about it.

Windows

Windows is considered a bit out of scope when it comes to this writing as I’m not in the best position to offer advice for it. However, that doesn’t mean the code and advice described are not useful to a Windows user.

Writing Unit Tests

In unit testing, you want to cover the application’s functionality at its most basic level. Then test each individual units of code, typically a method, in isolation to see if given certain conditions it responds in the expected way. Braking testing down to this level gives confidence that each part of the application will behave as expected and enables the coverage of edge cases.

What Should You Test

When first looking into unit testing its natural to ask, what should I test? This is a fair question as applications that are being build nowadays are vast with many complicities. However, unit testing makes the task easier as the whole idea is to focus on the smallest units of code rather than thinking about how to test the large application you are putting together as a whole. Be warned tho as some make tests so focused that they break with data changes and not with functionality changes. Which is what unit testing is really looking to test. So a good rule of thumb to follow is test at the C.R.U.D.(Create. Read. Update. Delete) level and no lower.

Writing Your First Unit Test

I’m sure reaching to this part you are ready to start writing tests. The first example with show you how to structure your test into a class with the correct naming conventions. This will be a great reference area if you need a reminder on how to setup a new structure. The examples following that will be more of the snippets of test methods that will be used inside of a test class.

One of the classic examples for demonstrating unit testing is a small calculator program. Python includes a lot of basic math functionality in the library. This first scenario demonstrates how to implement the calculate class of of a simple calculator program.

class Calculate(object):
    def add(self,x,y):
        return x + y

if __name__ == '__main__':
    calc = Calculate()
    result = calc.add(2,2)
    print(result)

This is a very simple class that is just making use of Python’s built-in math function but we just need something so everyone starts with same footing. Save this code to a file named calculat.py, then execute the code. You should see the end result as follows.

$ python calculate.py
4

Now that we standardized code to look at lets get into writing a test for it. For this we are going to make a file called calculate_test.py, this follows the standard naming conventions of using the class name under test and appending the _test. Save it in a folder called test at the same level as the previous files level. This will be helpful when you have dozens of files that need to be tested in a single repo. Now for the code that goes into calculate_test.py.

import unittest
from app.calculate import Calculate


class TestCalculate(unittest.TestCase):
    def setUp(self):
        self.calc = Calculate()

    def test_add_method_returns_correct_result(self):
        self.assertEqual(4, self.calc.add(2,2))


if __name__ == '__main__':
    unittest.main()

For some this is a lot so lets cover it line-by-line. First imports the functionality you need from Python’s unittest module. We are also importing the class we wrote back in calculate.py, so we can test it’s method. We do this in the setUp method, which is executed before each test, so that we only need to define our instance once and have it created before each test. Then we can write our test and the standard is to append our test name with append_test and explain what the test is doing briefly in the rest of the name. Here we are checking if the add method returns the correct result. We do this by maing use of the assertEqual method provided by the imported unittest module. This checks if the first argument is equal to the second. In the example we just went over we are checking whether 4 is equal to the result of calling the add method in calculate.py with the arguments 2 and 2. In this case everything works out.

$ python test/calculate_test.py
.
------------------------------------------------------
Ran 1 test in 0.001s
OK

Useful Methods in Unit Testing

Below provides a quick guide to many different methods available in the unit test package. For each one, a description of its usage and an example are provided. All methods that take an optional argument, msg=None, can be provided a custom message that is displayed on a failure.

assertEqual(x, y, msg=None)
This method checks to see whether argument x equals argument y. Under the covers, this method is performing the check using the == definition for the objects.

def test_assert_equal(self):
    self.assertEqual(1, 1)

assertAlmostEqual(x, y, places=None, msg=None, delta=None)

On first glance, this method may seem a little strange but in context becomes useful. The method is basically useful around testing calculations when you want a result to be within a certain amount of places to the expected, or within a certain delta.

def test_assert_almost_equal_delta_0_5(self):
    self.assertAlmostEqual(1, 1.2, delta=0.5)

def test_assert_almost_equal_places(self):
    self.asswerAlmostEqual(1, 1.00001, places=4)

Following the PEP-8 standard

As you have been introduced to unit testing in Python, it should be clear that various patterns and standards are followed within the Python community. Some of them are enforced by tools you may wish to use, such as prepending a test name with “test_” to allow runners to keep readability and reuse of code high as it is shared between developers. It helps to give Python code a consistent look and feel that experienced developers are familiar with, and if teams adhere to the accepted standards then when developers move to a new Python project, many aspects of the code should feel familiar.

All Python developers code should conform to the standards outlined within the PEP-8 document. The document is one of the most famous PEPs (Python Enhancement Proposals) not to mention one of the earliest. PEP-8 focuses on the styling of code and puts forward some of the fundamental principles when writing Python code and tests, such as the following.

• Indents: Four spaces for each indentation
• Maximum line length: 80 Characters.
• Blank lines: Two between import, class, and function definitions. One between method definitions inside a class.
• Import statements: Should be one per line.
• Class names: Should have capitals for the first letter of each word.
• Method names: Should use all lowercase and underscores to separate words.

Unit Test Structure

When structuring a project, you can follow some clear standards to make an application’s code more accessible to other Python developers. These simple rules are easy to apply and result in an uniform structure to make it easy to find the test and code files needed.

• Unit tests should be placed under a test/unit directory at the top level of a project folder.
• All folders within the application’s code should be mirrored by test folders under test/unit, which will have the units tests for each file in them. For example, app/data should have a mirrored folder of test/unit/app/data.
• All unit test files should mirror the name of the file they are testing, with _test as the suffix. For example, app/data/data_interface.py should have a test file of test/unit/app/data/data_interface_test.py.

Going further

A lot has been covered here but it is by no means an exhaustive description on Python testing. Thing to look into from hear includes TDD (Test Driven Development), Acceptance Testing, writing testable documentation, Automating Testing, and Working on Public code. But for now this is a great place to start getting familiar with Python testing and how you can work it into your projects.

In this post we are going to delve into AES (Advanced Encryption Standard). We will cover everything from what’s good about it, how it works, and why it was judged “good enough” to the Standard for encryption.

How AES Works

This is going to be a bit of a rough ride if this is your first introduction to how encryption works down at a bit level. But hold on and I promise in time it will make more sense the more you read it. AES is a 128-bit symmetric block cipher. This means it takes 128 bits of a message and it encrypts it into 128 bits of ciphertext with a key. The key can either be 128, 192, or 256 bits and that gives you just varying amounts of security. And if you are thinking that 128 is weak it is only when compared to its 256 counterpart. Based off of other encryptions the 128 is still very secure.

So don’t worry about it if you find your browser is using the 128 bit version, theses were specified as part of the AES standard. Alright lets get right into it we’re going to be doing some amount of substitution or bringing in some confusion and some amount of permutation. Moving things around to add diffusion. You don’t want just like the Enigma machine to have one byte in one byte out because that would make it easier to analyze and proven historically to be the case. In stead of having a long line of bits or bytes like most ciphers might arrange things AES lies to arrange things in a grid. Making it a block cypher, which takes chunks at a time and encrypts them.

The grid that AES uses 4×4 grid of 428 bits (16 bytes). So we can have a message which is 128 bit as a 4×4 grid starting with byte 00 at the top left and filling the grid top to bottom left to right it will come out looking like the example bellow.

byte 00	byte 04	byte 08	byte 12
byte 01	byte 05	byte 09	byte 13
byte 02	byte 06	byte 10	byte 14
byte 03	byte 07	byte 11	byte 15

So using this example we’re going to start doing our SP network we’re going to substitute bytes and then transform them into some way where an attacker can’t read what the message used to be. There are a few different operations that AES will do. But remember everything in AES happens on the 4×4 grid described above. We are going to be diving into more depth but here is the main work flow of AES

• Plaintext
• Preform XOR using key and plaintext
• Entering into rounds
  • Substitute Bytes
  • Row Shifting
  • Column Mixing
  • Add round key

The most interesting thing at first glance is going to be the rounds. This is where the different bits we talked about comes into play. They are the determining factor of how many rounds you have. 128 bit key has 10 rounds, 192 bit key has 12 rounds, and the 256 bit key has 14 rounds. I’m not going to go into details about the key schedule as its effect is just meant to be fast. Basically with AES is just takes your shorter key and expands it sufficiently such that you can put it in at these different rounds.

How Secure Is AES 256?

If AES is the gold standard, 256-bit encryption is its poster child. With the longest rounds, the 256-bit key provides the strongest level of encryption.

It is near impossible to crack it even if brute force is applied – trying every combination of numbers possible until the correct key is found. The longer the key size, the more attempts are needed.

A hacker trying to crack a 256-bit key would need 2 to the power of 256 attempts to find the right key. Even if hackers use Tianhe-2 (MilkyWay-2), the fastest supercomputer in the world, it will take them a few million lifetimes to crack a 256-bit AES encryption.

The bottom line is, entities that face threats from all directions, like the U.S. Military or your Office 365 that stores business-critical information, need AES 256-bit protection.