Beau Woods and I participated in the last episode of the podcast The Hacker Mind. We had a great time chatting about IoT security and our latest book, Practical IoT Hacking.
OWASP LATAM TOUR 2020 MX
We are moving to a 100% online format. More news coming soon.
BLE captures taken with Nordic device not shown correctly on Wireshark?
Go to Preferences -> Protocols -> DLT_USER -> DLT Table and add a new entry for DLT User 10 (DLT=157) with the Payload protocol value set to “nordic_ble”. This fix also works with captures from other sniffers; simply adjust the Payload protocol value. For example, Ubertooth captures need DLT=147 set to btle.
Tips for testing OWASP MSTG-STORAGE-5
MSTG-STORAGE-5 states right now:
Overview
When users type in input fields, the software automatically suggests data. This feature can be very useful for messaging apps. However, the keyboard cache may disclose sensitive information when the user selects an input field that takes this type of information.
Static Analysis
In the layout definition of an activity, you can define TextViews that have XML attributes. If the XML attribute android:inputType is given the value textNoSuggestions, the keyboard cache will not be shown when the input field is selected. The user will have to type everything manually.
<code><EditText android:id="@+id/KeyBoardCache" android:inputType="textNoSuggestions"/></code>
Source Code Auditing Tip
But… wait. Are you just looking for the string ‘textNoSuggestions’ when doing static analysis? Don’t forget to also look for ‘InputType.TYPE_TEXT_FLAG_NO_SUGGESTIONS’, as the input type can be changed dynamically from an Activity. If you are only looking at the XML attributes of Layouts, you are missing apps that change it dynamically.
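A small audit helper that combines both checks, as an added example that is not part of the original post or of the MSTG. The layout, the PaymentActivity.java source and the R.id lookup heuristic (Java-style findViewById) are constructed assumptions; a "check-code" verdict still needs a manual look at the code.

```python
import re
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
DYNAMIC_FLAG = re.compile(r"\bTYPE_TEXT_FLAG_NO_SUGGESTIONS\b")

def audit_layout(xml_text):
    """Return {field_id: bool}; True means textNoSuggestions is set in the XML."""
    result = {}
    for elem in ET.fromstring(xml_text).iter():
        if not elem.tag.endswith("EditText"):  # also matches AppCompatEditText etc.
            continue
        field_id = elem.get(f"{{{ANDROID_NS}}}id", "(no id)").split("/")[-1]
        flags = elem.get(f"{{{ANDROID_NS}}}inputType", "").split("|")
        result[field_id] = "textNoSuggestions" in flags
    return result

def dynamic_hits(sources):
    """Return (file, line_no, line) for every use of the flag in code."""
    return [(name, no, line.strip())
            for name, text in sources.items()
            for no, line in enumerate(text.splitlines(), 1)
            if DYNAMIC_FLAG.search(line)]

def review(layout_xml, sources):
    """Verdict per field: 'xml', 'check-code' (heuristic) or 'not-set'."""
    flagged_files = {name for name, _, _ in dynamic_hits(sources)}
    verdict = {}
    for fid, in_xml in audit_layout(layout_xml).items():
        ref = re.compile(rf"\bR\.id\.{re.escape(fid)}\b")
        if in_xml:
            verdict[fid] = "xml"
        elif any(ref.search(sources[f]) for f in flagged_files):
            verdict[fid] = "check-code"  # flag used in a file that references the field
        else:
            verdict[fid] = "not-set"
    return verdict

# Constructed sample input, not taken from a real app.
SAMPLE_LAYOUT = """<LinearLayout xmlns:android="http://schemas.android.com/apk/res/android">
  <EditText android:id="@+id/KeyBoardCache" android:inputType="textNoSuggestions"/>
  <EditText android:id="@+id/cardNumber" android:inputType="text"/>
  <EditText android:id="@+id/comment" android:inputType="textMultiLine"/>
</LinearLayout>"""
SAMPLE_SOURCES = {"PaymentActivity.java": """
EditText card = findViewById(R.id.cardNumber);
card.setInputType(InputType.TYPE_CLASS_TEXT | InputType.TYPE_TEXT_FLAG_NO_SUGGESTIONS);
"""}

if __name__ == "__main__":
    for field, status in review(SAMPLE_LAYOUT, SAMPLE_SOURCES).items():
        print(f"{field}: {status}")
```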
Patch coming
By the time you read this my patch to the official OWASP MSTG repository clarifying how to detect it with static analysis better is probably merged. However, you could have read it here first.
Quick notes about Azure Table Storage Injection in Windows Azure Mobile Services
One beautiful afternoon you come across the popular Azure Table Storage service during an assessment. Shit, a NoSQL service hosted on Azure. It must be secure, right? Well, again, it is up to the developer’s implementation and, unsurprisingly, it is possible to use SQL injection (NoSQL injection?) to extract more data than intended if the developers failed to sanitize parameters.
How do you identify this service?
- Look for apps sending requests to *.azure-mobile.net
- Requests sent to /tables/
- Requests whose ‘filter’ request variable contains the operators listed below
What operators can you use to extract information?
Extract information from other tables using the following supported comparison operators:
- eq (Equal)
- gt (GreaterThan)
- ge (GreaterThanOrEqual)
- lt (LessThan)
- le (LessThanOrEqual)
- ne (NotEqual)
I hope you find the operators reference useful and remember to stay on the hunt ;).
Reference:
Querying tables and entities: https://docs.microsoft.com/en-us/rest/api/storageservices/querying-tables-and-entities#supported-comparison-operators
Another IoT horror story
Last year a smart water bottle got into my hands, and of course, as a curious person I needed to check how secure it was… Unsurprisingly, it was not.
Stay tuned for the full write-up describing issues found in this product in the BLE implementation, the mobile application and more.
Welcome back
Back to regular updates over here. A bunch of the content seems to have gotten lost in the migration. I’ll check later what happened and try to get it back.
Download "Detector de Puertas Traseras" (Backdoor Detector)
We have finally published Websec's latest tool, which lets users easily check whether their network has vulnerable devices that put their information at risk. The tool checks for the backdoors of the most popular devices in MX, and we believe it will work very well in other LATAM countries. We invite you to download it!
http://www.websec.mx/blog/ver/detector-puertas-traseras-websec
Mac2wepkey HHG5XX version 15 is out!
Changelog
- Detection list grew 51%!
Download
https://play.google.com/store/apps/details?id=mx.websec.mac2wepkey.hhg5xx
Detector de Puertas Traseras (Backdoor Detector) [BETA]
We will soon release a tool to detect backdoors in popular modems in MX (it also works for other LATAM countries whose infrastructure is similar to ours). If you are interested in being a beta tester, register at the following address:
http://www.websec.mx/blog/ver/Registro-Detector-de-Puertas-Traseras