Giving in.

I am somewhat bummed out to announce that I am now an owner of an iphone 4s.  I recognize that’s not something normally worth of grief– so I should explain.  If you’ve ever met me, one of the things I don’t pull any punches with is my disdain of Apple.  With out going into a long history of grievances, lets just say I don’t see eye to eye with much of how they operate.  I made the mistake of reading “iCon”, a biography on Steve Jobs*.  Since then, I had effectively vowed not to do business with the man or company.

But here I am, buying an iphone.  wth.  I expect that this decision will get me countless amounts of teasing from my friends– but that’s okay.  Perhaps I deserve it.  I got the phone because it’s the best on the market, is kind of a depressing statement of the market.  I’ve had a windows phone 7 developer phone on loan for some time now.  It’s a great phone, but it’s a developer/beta phone and has lots of ‘quirks’ that don’t make it viable for long term (I am also switching carriers).  That said, I love the phone.  It’s decently powered, with an okay camera, and leaps and bounds better than the windows 6.5 I owned before that.  Also, being a long term .net developer, the idea of writing my own software was kinda neat.

So my hope was to find a nice new windows phone 7 device.  With verizon, however, there is currently only the trophey.  While this is an okay phone, if I am going to have a phone for at least two years, I want it to be top grade.  My phone is a valued tool for my work.  I started to look into what was coming out, and was very excited about the HTC Titan– at first.  The reviews I read said over and over the same thing– good phone, but old news.  The specs for memory were not good, the processor was a single core, and comes with a small amount of hard disk space.  The biggest drawbacks where it’s bad resolution on the screen and it only boasts a 720p video recordings… something I do a lot of with my kids.

As much as I love the windows phone 7 OS– I can’t justify waiting 2 months to purchase yesterday’s technology.  It doesn’t make sense.

Which left me to decide between the droid bionic and the 4s.  The droid and 4s had very similar specs over all, except the droid is like a brick in your pocket.  I’ve had brick in pocket phones before, and I just can’t go back to them.  I mean, the droid could swallow my current phone it was that big.  The final clincher was omnifocus.  Work provided me a mac book pro**, and I’ve fallen in love with omnifocus.  It helps keep my otherwise cluttered brain reasonably straight.  Having it on my phone and syncing to laptop is a total win.

So that is the story.  I could try and justify it any other way, but men hold themselves accountable for the decisions they make.  I bought the phone because its the best on the market and it makes the most sense.


* This does not mean that I am an advocate for Gates either– but the differences are indeed fairly large tween the two.
** The mac book pro I’ve had for the last year has literally been the worst computer I’ve ever owned.  It was unstable, crashed frequently (including my Defcon talk), and just was bad news.  I recently brought it in, as it’s likely due to a bad video card.  The new laptop has not crashed on me yet, though ironically the MS office suite seems to be unstable as late.


Breaking Non-Existant Code

I recently ran into a fun problem that stumped me for about 1/2 hour.  I had found a value that I could control in the query string, which would put data inside a “onmouseover” attribute on an href tag.  So something like:

url:          ?myvalue=”xxxx
html:      <a href=”#” onmouseover=”par=window.parent;par.call_function(‘xxxx‘);”>test</a>

normally, one would escape this by setting the “myvalue” parameter to:


which when injected would terminate the call to my_function and inserts my alert box*.

<a href=”#” onmouseover=”my_function(‘x’);alert(document.cookie);(‘x‘);”>test</a>

This is pretty straight forward, tried and true.  Except, in the case of this test, the my_function function doesn’t actually exist.  This particular page was expected to be called from an iframe, and it’d walk back up to the parent to call a library the parent has loaded**.  In short, this means that due to a bug in the actual page, my attack wouldn’t work because JS would stop processing after the failed call to my_function.  Suckage.

But not all is lost.  To get around this normally, we just need to inject ourselves earlier into the page’s process before the page can call the missing function.  One could try:

x’);”/><script>body.onload = function(){ alert(document.cookie); } </script><a href=”#” onmouseover=”(‘x

which results in:

<a href=”#” onmouseover=”my_function(‘x’);”/><script>body.onload = function(){ alert(document.cookie); } </script><a href=”#” onmouseover=”(‘x‘);”>test</a>

In this payload, we end the onmouseover and include our own script tag.  In this tag, we override the onload behavior of the body***, which would allow our alert box to execute before JS has a chance to later fail.  The Javascript after that is just a nicety to prevent the html from being malformed.

Except, yet again we were foiled.

In this case, the developers were actually encoding the ” character, so I couldn’t break out of the function call to do this.  Normally this might be end game; but never fear, order of operations prevails in the end.

q: In general programming theory– before a function can be called, it first has to what?
a: Process it’s arguments.

To get my payload to execute, despite the fact that my_function() doesn’t exist, I merely have to make my attack an argument to that function.  In other words, unless you pass a reference to a function (or a proc itself), the application will have to first process that call before it can call the function it’s being passed to.  The end payload is:


which results in:

<a href=”#” onmouseover=”my_function(‘x’,alert(document.cookie),’x‘);”>test</a>

In this example the alert box’s results are to be passed to the non-existant function, which processes my payload.  If this was anything more than a POC, you’d do something far more nasty, such that the end user would never see the broken code.  Because, for all intent and purpose, you fixed it for them.  How nice of you.

This topic of fitting is something I will be talking more about in my BSidesDFW talk coming up in November.

* for anything other than this post, you’d generally want to grab the session details and send them to a 3rd party host, and maybe even redirect the user to the login page so you could try and login as them shortly there-after.  But that code just makes this code less clear, so we went back to a trusty old alert box.

** the code itself calls into the parent window and loads it to make the function call.  But, because that’s more than needed I omitted for clarity sake.

*** you can override the body, document, or window depending on what you are after.

Of all the things I’ve lost…

A funny thing has dawned on me recently.  During the course of an average day, I read code at least 2 to 3 times.  Sometimes it’s to quickly evaluate read a plugin I’ve downloaded, sometimes it’s to do a thorough review, and sometime’s it’s just because I want to know how something works.  I even have been spending more time with languages that I hadn’t looked at in years.  But.  I haven’t written a real application* in over a year.

Don’t get me wrong, I script a fair bit… I did so a little bit this weekend, in fact.  But it’s hit me how much it’s dissimilar from actual programming.  Most of my scripts are quick tools to reach places that are too hard to set up macros for, or to parse out some text I want to use later.  I haven’t sat down and designed, built tests, implemented, fixed API and released code in well over a year.

And that feeling burns.

I spent well over the last 12 years of my life writing code.  Not always to the best of quality, mind you– but with lots of focus, energy and general zeal.  Toward the last few years of my development time, I was actually getting fairly sharp.  I had studied how language affected API development, and had some really nerdy insight into how the CLR and other .NET goodness worked.  I could imagine something, draw it out, write it and get it working pretty quickly.  I was a good engineer.

Now, I am fumbling over a little project I started over 3 months ago– for no real good reason.  A part of me thinks it’s because I am attempting to program it in a language I’ve not written a medium-sized app in before.  Another part of me thinks it’s because I have so many half-baked patterns in my head that I can’t seem to find one that fits the way I want.  Another part of me, perhaps just my demons speaking, feels like I am getting old and dull.

Either way I slice it– I must finish this code, I think.  It’s a “moral imperative” as some geniuses I know might say.

* I did write a version of pywebfuzz in ruby so I could quickly grab payloads– but I can’t and won’t release it in its hacky shape.

Rapid Exploitation

Where ever you put your mind, there you are. – K. Slatoff

The world around you is complex, rich, and quite frankly a bit overwhelming if you tried to take it all in at once.  So much in fact, that your brain can’t make sense of all of it at once.  The very process of trying to observe/analyze the world, takes you away from the experience and filters out much of what is there.  Focus causes other things to be ignored because it’s so much more than we can handle.  Luckily– we don’t generally have to.

The bits and pieces that we actually focus in on give us what we need to decide what needs to happen next.  This is the natural premise that John Boyd outlines with his OODA loop.  We experience the world through this process of pulling in intel, figuring out what needs focus, deciding what to do and then acting upon it.  Often the action we take is to obtain supplemental information allowing for better insight to decide and to act against.  The military, especially the Marine corps, have invested a huge amount of effort and strategy around this OODA concept.  It’s the heart blood of maneuverability warfighting.

For me, I’ve been trying to extract the principles and concepts of this warfighting methodology into my work.  I’ve been retooling my testing approach to be more rapid, strategic, and natural.  I’ve already discussed how certain targets make more sense from a breaching perspective, but I’ve also recently come to believe that most information collected outside of those targets isn’t tremendously useful.  In fact, though some might call this heresy, I think most methodology I’ve reviewed is tremendously flawed as it pertains to information gathering.  It seems that nearly all approaches suggest this massive up front effort, and then wants you to weed your way through it to discern what is vulnerable.  The waterfall approach works only in limited scenarios for building software, not sure why we think it’d work for testing it.

“The purpose of analysis is not to understand the universe, but to direct you toward focused action” – flawless consulting

Consider then how your body works naturally.  If you flood it with too much information, you can’t act against it.  You quickly become overloaded with noise which distracts you from being able to orient, decide and act against it.  Yet most methodologies point you to some form of “application mapping.”  On the surface, having a collection of every single possible fuzzable parameter seems enticing.  But in reality– what do you plan on doing with that list?  Would it make sense to turn on every tv in your home, every radio, and try to listen to a single song?  With out any context, how could you possibly know which of those parameters are control points?  With out any context, are you really planning on throwing every single payload in fuzzdb against it?  Without context, how would you be able to tell if a simple modification to those payloads would make all the difference?  The short answer is you can’t, or at least not very well.  Some people call this thorough… I think it’s mostly an expensive waste of time.

What if I instead started a test by focusing on one strategic vulnerability, directory traversal.  I like start here because if I can accomplish this, I have the potential for turning the test into an involuntary code review.  I would no longer need a kitchen-sink extraction of all data– I merely want to answer three questions: where, how, and if it’s vulnerable.  For the where of it, I’d hunt for file upload and download functionality.  I’d look for how files are served, especially around dynamic content.  Then I would move on to testing out the component’s “happy path”– what should this component normally do.  After watching the successful flow of a handful of pages, I should have enough of “how” to start testing abuse cases.  I’d focus first on tests to see how different input is handled, and watch how the application behaves to unexpected things.  Each test I do provides me with answers I needed to move from one stage to the next to the next.  Everything has a functional, pragmatic purpose– no wasted movement.

If directory traversal didn’t exist– so what?  I’ve still learned a great deal about the application and how it works.  Because I was gathering information as I went along, that information can be re-applied to the next attack– maybe SQL injection– which would also teach me more about the application.  I continue through my direct breaching points, because they might allow me to shortcut solving my visibility issue, until I am done.  Even if they all failed, I bet I’d end up with more concrete understanding of how the application works than if I had gone the other route.

I’d also bet that most people naturally gravitate toward this. Though, from an academic perspective, other approaches seem well thought out– in practice I have found them to be stifling and often wasteful.  Fortunately I get to dogfood my concept every day– and I can say the benefits have been very useful.  Starting with tests that immediately affect the system gives you initiative and concrete experience.  If they are successful, they give you visibility not otherwise possible.  Using a natural strategy designed NOT to overwhelm your mind is also pretty great too.  Working exploits teach you so much about an application– so why not streamline your approach to them?

One last thought– even in one of the best dossier’s I’ve seen put together on attacking a specific site– the focus was only on gathering information relevant toward specific actionable attacks.  The other information was irrelevant toward that goal, and subsequently not-needed.

Food for thought.

Defcon Fellowship: Retrospective

So now that things have settled down a bit and I finally have my feet underneath me, I wanted to give thanks.  The defcon fellowship event turned out to be a huge blessing.  About 15 people came in total, and we did exactly what we said we would– fellowship.  We gave thanks for our food, shared a meal, and learned about each other’s lives.  I met lots of new people, saw some old friends, and had some great conversations.  I am encouraged with the turn out, and hope to continue this basic concept in other conferences.  At the very least, I plan on doing this again at the next defcon as well.

Thank you all who came, I look forward to seeing you again throughout the country and hopefully again next time we do this.


Defcon Fellowship Update

As outlined here* Christian hackers from all over the world are getting together to fellowship and get to know each other at Defcon 19.  After looking around at a few places, we will be meeting at the Carnival World Buffet inside the Rio itself at 10AM on Sunday 8/7.  This should mitigate any need for people to travel and cover a wide range of dietary needs.

PLEASE contact me at if you plan on attending, so I can make sure there is room for all of us.

* As a point of clarity, when I mentioned breaking bread I meant it only in the eating food together– not the taking sacraments.  This is a non-denominational based Christian event, if you define yourself in Christ– please consider coming.

Severus Snape – RIP

As the Harry Potter movies come to an end, I am struck with a sense of just general disappointment. Don’t get me wrong, the movies were fantastic creations for what they were. I would even go as far as to say one of the best series made, especially for as many. But that said– the last 2 movies underlined how different they were from the series. If you’ve not read the books, you’ve missed out on great things.

It makes sense to me that the needs of a movie and the needs of a book take two shapes. But giving Snape 15 minutes of explanation grossly misses the point.  He was as important an character as Dumbledore, braver than Potter, and in my opinion, the most relatable in the series.

I’ve never been the “chosen one”– nor have I ever been friends with one. I’ve not had to physically battle against a rising super villian either. My parents weren’t killed in tragedy, nor were they death eaters who raised me spoiled. I have however, been in love– and I’ve been crushed by it too. I’ve run away to dark places in life– and I was redeemed and saved.  Also by love. Snape, however, is the poster boy of that story. The love of his youth, no, of his entire life– fell for another. To add insult to injury to his rival as well. In his grief he fled. But, in their death, Snape took on the task of protecting the child born to them. A task which would ask him to kill his best friend, to be publicly shame, to spy on the most dangerous person in the world, and then eventually die for it.

Snape is the anti-hero of this series. He is the man who doesn’t dazel. The monsters he faced were inside, and though he was never free of them– he faced them. I mean think of it, most of us would run away. We’d not want to face the humility of being in a job less than our skills. We’d not want to take part in the raising of the boy of the man who stole your love from you. You’d likely never want to step foot in hogwarts at all. Most of us run away from things lesser things like this, every, single, day. But not Snape. Snape triumphed in the places that scared him.

His character in the books was so much more than that of the series. Numerous times in the books has he personally saved and helped Potter and crew.  He killed his dearest friend, out of mercy, despite the hardships he would come to endure because of it.  During the time as headmaster, he worked to keep the children safe– though most hated him for it. He continued to support Potter– and guided him (at great personal risk) in his journey. He saved many lives, and acted as pivotal part of the downfall of voldomort. Snape is worth more than 15 minutes– he is at the heart of the series itself.

To this I conclude,

The world may not fall in love with a man like Severus Snape, but it surely needs more made of his quality. Who, in love, endured and lived for the sake of others despite all the hardships that come along with it.  I hope that in your death you are found whole, and in life you are remembered for the hero you are. Though but only a character in a book and movie– you will always remain in my heart as one of the best even written.