Josh-CO Dev

Solving the worlds problems one line of code at a time.

Leave a comment

Severe Office 365 Token Disclosure Vulnerability

My organization is doing what many organizations that use Microsoft products are doing right now, and that is evaluating Office 365. I think it’s safe to say that the response from the Security team has been overwhelmingly that it is a bad idea from the get go, especially with the amount of confidential data that we have. On top of this, it is a lot more expensive compared to our internal, secure hosting that we are using now. Suffice to say, I was incredibly joyful when I stumbled across an article last night showcasing a severe vulnerability for Office 365. Check it out at: Office 365 Vulnerability

Now, this is being released because Microsoft is about to patch it, but it has been around since at least April, and most likely longer, and there are probably many other security issues as well. It’s always nice to see articles such as this when as Microsoft sales reps are constantly telling you just how secure everything is, how there are no problems, and it is just as secure as the internal hosting we’re using now. We all know it’s a line of bullshit, but it is nice to have the proper validation.


Leave a comment

Tools – SQLMAP

I decided to start sharing some of the tools that I use on a daily basis to perform my job, and one of my favorites is SQLMAP. SQLMAP is a command-line tool that is used for automatic SQL injection and database take over. It is built in python so it is available for any operating system that can run python.

The tool itself will support MySQL, Oracle, Microsoft SQL Server, MS Access, SQLite, and a few other database systems. Basically, if an application is important enough to have a database, SQLMAP can attack it. The tool can hit a url, a direct connection to the database, log files (such as Burp), config files, and many others. There are options to support proxies, cookies, specify injection points, etc. For a full list of options a switches consult the user manual.

It is also a great tool to use for demos. Quite often, I am invited to management level meetings to talk about application security and why it is so important. Like many things in information security, nothing is quite as convincing as giving a live demo.

If you would like to learn more about the product, go check it out at or the github project at

Please note that using this tool against any database that you do not own would generally be considered illegal. Please use at your own risk. There are several platforms that you can download to test a tool like SQLMAP in your own environment, such as SQLOL or DVWA but we will leave that discussion for a later time.

Leave a comment

SQL Injection with SQLMAP – DerbyCon 2013

Here is a great video from a presentation I attended at DerbyCon 2013 this year. It is a video demonstrating how to use SQLMAP to attack the SQLOL database and has a lot of good information. Later on, I will post some videos and demos of how to install this, make it work, attack the database, etc. Credit goes to Conrad Reynolds for putting together this presentation.

Leave a comment

Dr. Gary McGraw Software Security Keynote

Bug Parades, Zombies, and the BSIMM: A decade of software security!

I had the privilege of attending the HP Protect conference in Washington D.C. this year. I found it to be a great experience and I’ll see if I can’t get a write up of it going sometime in the near future. One thing that I did want to share was an excellent video from the software security keynote by Dr. Gary McGraw of Cigital. Very informative and entertaining.

Leave a comment

Defending Against Cross-Frame Scripting

Another type of attack that we haven’t talked about yet is cross-frame scripting. A cross-frame scripting attack is where an attacker will take a page of your site and embed it in an iframe. Some simple css can then be put in place to make it look like the site is actually yours rather than looking like an iframe. This might seem pretty harmless, but the hacker could include some malicious scripts to do things like capture the keypresses and send them to a web service on their real site. Some really good information can be found at OWASP.

Modern day, this attack is a bit trickier to pull off as cross-domain communication is generally blocked and it takes quite a bit of work to get around this. That being said, it can be done so you should treat this as a real threat. This also becomes a bigger insider threat as I could write an app that includes another dev’s site and then steal user credentials that way without having to worry about cross-domain issues.

So, how about the defense. Ready for this?

<META http-equiv="X-Frame-Options" content="Deny" /> 

That’s it! Just put that html in the header of your application and it will prevent your site from being rendered in an iframe!

Leave a comment

Another basic way to defend against XSS attacks

Another mediocre way to defend against XSS attacks is to encode or “escape” any input before allowing it to be handled by the interpreter. Here is a basic example of how to handle this in JavaScript. Use the same html as our previous example, then just paste this functions into your scripts.js file and rename the submit button to correspond to the event handler.

    $("#btnSubmit3").click(function () {

        var htmlToRender = "Welcome to our site " + escape($("#inputName").val());


This will strip out any special character so that they are not handled by the interpreter. In the below example, I tried to enter the following code:


And this was the result


Before, we saw that this actually caused an alert box to pop up on the screen. Making this one simple change allowed the statement to be ignored altogether.

Much like our previous defense example, this will not give you defense in depth, but it will give you a basic level of security that you may have never even thought you needed.