Cross Cloud Injection Vulnerability in multiple vendors leads to Persistent Remote Root ________________________________________________________________________ Global CWLS Alliance Virtual Security Research Team T.D. Dave Thu, 31 March 2011 22:22:15 UMT -0700 ________________________________________________________________________ [*] Vulnerability Type: APT, Remote Root, Arbitrary Code Execution [*] Vuln Class Name: Cross-Cloud Injection [*] Synopsis: Cross-Cloud Platform Arbitrary Code Injection [*] Affected Platforms: Cloud, SaaS [*] Affected Vendor: Multi-Vendor [*] Threat: Requires Authentication, but Widely Deployed [*] Severity: High Risk [*] Ease of Exploitation:: Trivial (2-4 hours) [*]Release Date::  3.31.2011 [*] Issue fixed in version : Currently Exploitable [*] Vulnerability discovered by : T.D. Dave & CWLS VSR Team [*] CWLS VSRT: http://cwlsalliance.roxer.com/ ________________________________________________________________________ ::Overview:: A critical new cloud-based attack vector has been discovered by the CWLS Alliance VSRT (Virtual Security Research Team). Using this new attack vector it is possible for an attacker to comprise multiple cloud-based platforms and script the execution of arbitrary code infecting all users of these system. This new attack vector is being exploited by dynamically-generated APT that current antivirus/malware solutions are not yet able to detect. ::Description:: A new attack vector against public-cloud platforms makes it is possible for an attacker to compromise data in multiple vendors' private-cloud solutions via swod-niw family APT infection. The most common scenario is that the attacker will first gain administrative privilege access to one or more running application instances on a public cloud using techniques detailed below. The attacker will then modify this running application to host swod-niw family APT malware on the public cloud application. The APT malware uses a combination of Web 2.0 hacking techniques like CSRF and click-jacking to make calls to and access private-cloud infrastucture's web interfaces via legitimate private-cloud user's web browsers. While impersonating the user privilege of the logged-in browser, the APT will access and mine all data accessible to the private-cloud user. Additional activities detected including taking actions within the private-cloud application on behalf of the user. The exploitable platforms are multi-vendor and widespread, and we fear that attacks such as this have already become common. Due to the difficulty in monitoring for these complex, multi-step attacks, often using requests types not commonly logged, it is unlikely the majority of Cross-Cloud Injection attacks are being detected today. ::Exploit details:: 1. Malware: The attacker first creates an image to be deployed to a public cloud. This image typically includes an operating system like Windows, or shareware like Linux. And a web server. It will also include malicious web application content usually in the form of PHP web pages and/or SWFs, to be used in the data mining operation phase of the attack. 2. Deployment: Next the attacker will upload the image, often virtualized, to a public cloud. This typically requires authentication but in all cases observed the attackers have already gained access to legitimate userIDs and passwords. When these components are deployed together on a public cloud this scenario is commonly referred to as "APT" (Advanced Persistent Threat) 3. Phase One: Public-Cloud user Attack -- The attacker will take their malware and integrate it into Web 2.0 applications like Facebook under the guise of a legitimate application. Then APT is often disguised as an online game using farming implements and leveraging monotonous clicking to maximize the amount of time the user leaves the application running. This, as we will see in turn, increases the attack window of exposure allowing for deeper data mining by the APT malware running in the user's browser. Once the APT is on the social network the attacker waits for users to access it with their web browser. Once a user executes the application the second phase of the attack begins. 4. Phase Two: Private-Cloud user attack -- The APT malware will now attempt to access applications within the user's virtual private cloud. This often takes the form of the APT leveraging benign seeming features within the online "game", allowing the APT to access the user's email address book locally or ACROSS both Public and Private Cloud email and contact systems. If the user allows the malware to continue executing it is possible to mine all contacts from both Public and Private cloud messaging systems and begin replicating it's attack across all users. Additional potential and likely threats from this APT execution include: + potential to mine all data from all systems accessible via a web browser with both idempotent and non-idempotent web requests + set APT Spy-Cookies and Geolocating Tracking-Cookies ::Remediation:: There are no known immediate remediation steps available. Mitigations steps include: + Only use secure web browsers + Only use trusted, secure web applications + Disable Javascript + Disable dangerous plugins in the browser + Disable or remove any insecure web browsers you have installed to avoid accidental use ::Reference:: The Cloud Web Large Server Alliance sponsors the CWLS Virtual Security Research Team responsible for discovering this new attack vector. Future updates can be tracked on the CWLS website using this unique identifier: CWLS Disclosure ID: CWLS20110104 APT (Advanced Persistent Threat): http://en.wikipedia.org/wiki/Advanced_Persistent_Threat Cloud Computing: http://en.wikipedia.org/wiki/Cloud_computing Cloud Security: https://cloudsecurityalliance.org/ (note there is a gap in information regarding Cross-Cloud security) Code Injection: http://en.wikipedia.org/wiki/Code_injection CWLS Alliance: http://cwlsalliance.roxer.com/

This is bullshit with a bunch of buzzwords. The process boils down to: upload malware to the web have users install malware as a facebook application malware steals data available to facebook application (or possibly, malware gets installed locally and does that thing malware does) also, malware might set cookies. How terrible. I don't think this requires "cloud" anything. Either this is a real threat that wasn't described at all, or it's someone puffing themselves up with vulnerability reports. Also, a free drag-n-drop project homepage? What's really going on here? -Paul On Fri, Apr 1, 2011 at 2:34 AM, TD Dave ThePirate <tddavethepirate@gmail.com> wrote: > Cross Cloud Injection Vulnerability in multiple vendors leads to > Persistent Remote Root > ________________________________________________________________________ > Global CWLS Alliance Virtual Security Research Team > T.D. Dave > Thu, 31 March 2011 22:22:15 UMT -0700 > ________________________________________________________________________ > [*] Vulnerability Type: APT, Remote Root, Arbitrary Code Execution > [*] Vuln Class Name: Cross-Cloud Injection > [*] Synopsis: Cross-Cloud Platform Arbitrary Code Injection > [*] Affected Platforms: Cloud, SaaS > [*] Affected Vendor: Multi-Vendor > [*] Threat: Requires Authentication, but Widely Deployed > [*] Severity: High Risk > [*] Ease of Exploitation:: Trivial (2-4 hours) > [*]Release Date::  3.31.2011 > [*] Issue fixed in version : Currently Exploitable > [*] Vulnerability discovered by : T.D. Dave & CWLS VSR Team > [*] CWLS VSRT: http://cwlsalliance.roxer.com/ > ________________________________________________________________________ > > ::Overview:: > A critical new cloud-based attack vector has been discovered by the > CWLS Alliance VSRT (Virtual Security Research Team). > > Using this new attack vector it is possible for an attacker to > comprise multiple cloud-based platforms and script the execution of > arbitrary code infecting all users of these system. This new attack > vector is being exploited by dynamically-generated APT that current > antivirus/malware solutions are not yet able to detect. > > ::Description:: > A new attack vector against public-cloud platforms makes it is > possible for an attacker to compromise data in multiple vendors' > private-cloud solutions via swod-niw family APT infection. The most > common scenario is that the attacker will first gain administrative > privilege access to one or more running application instances on a > public cloud using techniques detailed below. The attacker will then > modify this running application to host swod-niw family APT malware on > the public cloud application. The APT malware uses a combination of > Web 2.0 hacking techniques like CSRF and click-jacking to make calls > to and access private-cloud infrastucture's web interfaces via > legitimate private-cloud user's web browsers. While impersonating the > user privilege of the logged-in browser, the APT will access and mine > all data accessible to the private-cloud user. Additional activities > detected including taking actions within the private-cloud application > on behalf of the user. > > The exploitable platforms are multi-vendor and widespread, and we fear > that attacks such as this have already become common. Due to the > difficulty in monitoring for these complex, multi-step attacks, often > using requests types not commonly logged, it is unlikely the majority > of Cross-Cloud Injection attacks are being detected today. > > ::Exploit details:: > > 1. Malware: The attacker first creates an image to be deployed to a > public cloud. This image typically includes an operating system like > Windows, or shareware like Linux. And a web server. It will also > include malicious web application content usually in the form of PHP > web pages and/or SWFs, to be used in the data mining operation phase > of the attack. > > 2. Deployment: Next the attacker will upload the image, often > virtualized, to a public cloud. This typically requires authentication > but in all cases observed the attackers have already gained access to > legitimate userIDs and passwords. When these components are deployed > together on a public cloud this scenario is commonly referred to as > "APT" (Advanced Persistent Threat) > > 3. Phase One: Public-Cloud user Attack -- The attacker will take their > malware and integrate it into Web 2.0 applications like Facebook under > the guise of a legitimate application. Then APT is often disguised as > an online game using farming implements and leveraging monotonous > clicking to maximize the amount of time the user leaves the > application running. This, as we will see in turn, increases the > attack window of exposure allowing for deeper data mining by the APT > malware running in the user's browser. > > Once the APT is on the social network the attacker waits for users to > access it with their web browser. Once a user executes the application > the second phase of the attack begins. > > 4. Phase Two: Private-Cloud user attack -- The APT malware will now > attempt to access applications within the user's virtual private > cloud. This often takes the form of the APT leveraging benign seeming > features within the online "game", allowing the APT to access the > user's email address book locally or ACROSS both Public and Private > Cloud email and contact systems. If the user allows the malware to > continue executing it is possible to mine all contacts from both > Public and Private cloud messaging systems and begin replicating it's > attack across all users. > > Additional potential and likely threats from this APT execution include: > + potential to mine all data from all systems accessible via a web > browser with both idempotent and non-idempotent web requests > + set APT Spy-Cookies and Geolocating Tracking-Cookies > > ::Remediation:: > There are no known immediate remediation steps available. Mitigations > steps include: > + Only use secure web browsers > + Only use trusted, secure web applications > + Disable Javascript > + Disable dangerous plugins in the browser > + Disable or remove any insecure web browsers you have installed to > avoid accidental use > > ::Reference:: > The Cloud Web Large Server Alliance sponsors the CWLS Virtual Security > Research Team responsible for discovering this new attack vector. > Future updates can be tracked on the CWLS website using this unique > identifier: CWLS Disclosure ID: CWLS20110104 > > APT (Advanced Persistent Threat): > http://en.wikipedia.org/wiki/Advanced_Persistent_Threat > > Cloud Computing: > http://en.wikipedia.org/wiki/Cloud_computing > > Cloud Security: > https://cloudsecurityalliance.org/ > (note there is a gap in information regarding Cross-Cloud security) > > Code Injection: > http://en.wikipedia.org/wiki/Code_injection > > CWLS Alliance: > http://cwlsalliance.roxer.com/ > > _______________________________________________ > The Web Security Mailing List > > WebSecurity RSS Feed > http://www.webappsec.org/rss/websecurity.rss > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitter > http://twitter.com/wascupdates > > websecurity@lists.webappsec.org > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org >

I thought it was an April Fool's hoax myself...mostly because it mentioned APT. On 04/01/2011 09:47 PM, Paul McMillan wrote: > This is bullshit with a bunch of buzzwords. > > The process boils down to: > > upload malware to the web > have users install malware as a facebook application > malware steals data available to facebook application > (or possibly, malware gets installed locally and does that thing malware does) > also, malware might set cookies. How terrible. > > I don't think this requires "cloud" anything. Either this is a real > threat that wasn't described at all, or it's someone puffing > themselves up with vulnerability reports. Also, a free drag-n-drop > project homepage? What's really going on here? > > -Paul > > On Fri, Apr 1, 2011 at 2:34 AM, TD Dave ThePirate > <tddavethepirate@gmail.com> wrote: >> Cross Cloud Injection Vulnerability in multiple vendors leads to >> Persistent Remote Root >> ________________________________________________________________________ >> Global CWLS Alliance Virtual Security Research Team >> T.D. Dave >> Thu, 31 March 2011 22:22:15 UMT -0700 >> ________________________________________________________________________ >> [*] Vulnerability Type: APT, Remote Root, Arbitrary Code Execution >> [*] Vuln Class Name: Cross-Cloud Injection >> [*] Synopsis: Cross-Cloud Platform Arbitrary Code Injection >> [*] Affected Platforms: Cloud, SaaS >> [*] Affected Vendor: Multi-Vendor >> [*] Threat: Requires Authentication, but Widely Deployed >> [*] Severity: High Risk >> [*] Ease of Exploitation:: Trivial (2-4 hours) >> [*]Release Date:: 3.31.2011 >> [*] Issue fixed in version : Currently Exploitable >> [*] Vulnerability discovered by : T.D. Dave& CWLS VSR Team >> [*] CWLS VSRT: http://cwlsalliance.roxer.com/ >> ________________________________________________________________________ >> >> ::Overview:: >> A critical new cloud-based attack vector has been discovered by the >> CWLS Alliance VSRT (Virtual Security Research Team). >> >> Using this new attack vector it is possible for an attacker to >> comprise multiple cloud-based platforms and script the execution of >> arbitrary code infecting all users of these system. This new attack >> vector is being exploited by dynamically-generated APT that current >> antivirus/malware solutions are not yet able to detect. >> >> ::Description:: >> A new attack vector against public-cloud platforms makes it is >> possible for an attacker to compromise data in multiple vendors' >> private-cloud solutions via swod-niw family APT infection. The most >> common scenario is that the attacker will first gain administrative >> privilege access to one or more running application instances on a >> public cloud using techniques detailed below. The attacker will then >> modify this running application to host swod-niw family APT malware on >> the public cloud application. The APT malware uses a combination of >> Web 2.0 hacking techniques like CSRF and click-jacking to make calls >> to and access private-cloud infrastucture's web interfaces via >> legitimate private-cloud user's web browsers. While impersonating the >> user privilege of the logged-in browser, the APT will access and mine >> all data accessible to the private-cloud user. Additional activities >> detected including taking actions within the private-cloud application >> on behalf of the user. >> >> The exploitable platforms are multi-vendor and widespread, and we fear >> that attacks such as this have already become common. Due to the >> difficulty in monitoring for these complex, multi-step attacks, often >> using requests types not commonly logged, it is unlikely the majority >> of Cross-Cloud Injection attacks are being detected today. >> >> ::Exploit details:: >> >> 1. Malware: The attacker first creates an image to be deployed to a >> public cloud. This image typically includes an operating system like >> Windows, or shareware like Linux. And a web server. It will also >> include malicious web application content usually in the form of PHP >> web pages and/or SWFs, to be used in the data mining operation phase >> of the attack. >> >> 2. Deployment: Next the attacker will upload the image, often >> virtualized, to a public cloud. This typically requires authentication >> but in all cases observed the attackers have already gained access to >> legitimate userIDs and passwords. When these components are deployed >> together on a public cloud this scenario is commonly referred to as >> "APT" (Advanced Persistent Threat) >> >> 3. Phase One: Public-Cloud user Attack -- The attacker will take their >> malware and integrate it into Web 2.0 applications like Facebook under >> the guise of a legitimate application. Then APT is often disguised as >> an online game using farming implements and leveraging monotonous >> clicking to maximize the amount of time the user leaves the >> application running. This, as we will see in turn, increases the >> attack window of exposure allowing for deeper data mining by the APT >> malware running in the user's browser. >> >> Once the APT is on the social network the attacker waits for users to >> access it with their web browser. Once a user executes the application >> the second phase of the attack begins. >> >> 4. Phase Two: Private-Cloud user attack -- The APT malware will now >> attempt to access applications within the user's virtual private >> cloud. This often takes the form of the APT leveraging benign seeming >> features within the online "game", allowing the APT to access the >> user's email address book locally or ACROSS both Public and Private >> Cloud email and contact systems. If the user allows the malware to >> continue executing it is possible to mine all contacts from both >> Public and Private cloud messaging systems and begin replicating it's >> attack across all users. >> >> Additional potential and likely threats from this APT execution include: >> + potential to mine all data from all systems accessible via a web >> browser with both idempotent and non-idempotent web requests >> + set APT Spy-Cookies and Geolocating Tracking-Cookies >> >> ::Remediation:: >> There are no known immediate remediation steps available. Mitigations >> steps include: >> + Only use secure web browsers >> + Only use trusted, secure web applications >> + Disable Javascript >> + Disable dangerous plugins in the browser >> + Disable or remove any insecure web browsers you have installed to >> avoid accidental use >> >> ::Reference:: >> The Cloud Web Large Server Alliance sponsors the CWLS Virtual Security >> Research Team responsible for discovering this new attack vector. >> Future updates can be tracked on the CWLS website using this unique >> identifier: CWLS Disclosure ID: CWLS20110104 >> >> APT (Advanced Persistent Threat): >> http://en.wikipedia.org/wiki/Advanced_Persistent_Threat >> >> Cloud Computing: >> http://en.wikipedia.org/wiki/Cloud_computing >> >> Cloud Security: >> https://cloudsecurityalliance.org/ >> (note there is a gap in information regarding Cross-Cloud security) >> >> Code Injection: >> http://en.wikipedia.org/wiki/Code_injection >> >> CWLS Alliance: >> http://cwlsalliance.roxer.com/ >> >> _______________________________________________ >> The Web Security Mailing List >> >> WebSecurity RSS Feed >> http://www.webappsec.org/rss/websecurity.rss >> >> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA >> >> WASC on Twitter >> http://twitter.com/wascupdates >> >> websecurity@lists.webappsec.org >> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org >> > _______________________________________________ > The Web Security Mailing List > > WebSecurity RSS Feed > http://www.webappsec.org/rss/websecurity.rss > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitter > http://twitter.com/wascupdates > > websecurity@lists.webappsec.org > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Paul, I assume, that was a joke in the name of April the 1st. Sincerely yours, Captain Obvious 4/2/11 12:47 AM, Paul McMillan пишет: > This is bullshit with a bunch of buzzwords. > > The process boils down to: > > upload malware to the web > have users install malware as a facebook application > malware steals data available to facebook application > (or possibly, malware gets installed locally and does that thing malware does) > also, malware might set cookies. How terrible. > > I don't think this requires "cloud" anything. Either this is a real > threat that wasn't described at all, or it's someone puffing > themselves up with vulnerability reports. Also, a free drag-n-drop > project homepage? What's really going on here? > > -Paul > > On Fri, Apr 1, 2011 at 2:34 AM, TD Dave ThePirate > <tddavethepirate@gmail.com> wrote: >> Cross Cloud Injection Vulnerability in multiple vendors leads to >> Persistent Remote Root >> ________________________________________________________________________ >> Global CWLS Alliance Virtual Security Research Team >> T.D. Dave >> Thu, 31 March 2011 22:22:15 UMT -0700 >> ________________________________________________________________________ >> [*] Vulnerability Type: APT, Remote Root, Arbitrary Code Execution >> [*] Vuln Class Name: Cross-Cloud Injection >> [*] Synopsis: Cross-Cloud Platform Arbitrary Code Injection >> [*] Affected Platforms: Cloud, SaaS >> [*] Affected Vendor: Multi-Vendor >> [*] Threat: Requires Authentication, but Widely Deployed >> [*] Severity: High Risk >> [*] Ease of Exploitation:: Trivial (2-4 hours) >> [*]Release Date:: 3.31.2011 >> [*] Issue fixed in version : Currently Exploitable >> [*] Vulnerability discovered by : T.D. Dave & CWLS VSR Team >> [*] CWLS VSRT: http://cwlsalliance.roxer.com/ >> ________________________________________________________________________ >> >> ::Overview:: >> A critical new cloud-based attack vector has been discovered by the >> CWLS Alliance VSRT (Virtual Security Research Team). >> >> Using this new attack vector it is possible for an attacker to >> comprise multiple cloud-based platforms and script the execution of >> arbitrary code infecting all users of these system. This new attack >> vector is being exploited by dynamically-generated APT that current >> antivirus/malware solutions are not yet able to detect. >> >> ::Description:: >> A new attack vector against public-cloud platforms makes it is >> possible for an attacker to compromise data in multiple vendors' >> private-cloud solutions via swod-niw family APT infection. The most >> common scenario is that the attacker will first gain administrative >> privilege access to one or more running application instances on a >> public cloud using techniques detailed below. The attacker will then >> modify this running application to host swod-niw family APT malware on >> the public cloud application. The APT malware uses a combination of >> Web 2.0 hacking techniques like CSRF and click-jacking to make calls >> to and access private-cloud infrastucture's web interfaces via >> legitimate private-cloud user's web browsers. While impersonating the >> user privilege of the logged-in browser, the APT will access and mine >> all data accessible to the private-cloud user. Additional activities >> detected including taking actions within the private-cloud application >> on behalf of the user. >> >> The exploitable platforms are multi-vendor and widespread, and we fear >> that attacks such as this have already become common. Due to the >> difficulty in monitoring for these complex, multi-step attacks, often >> using requests types not commonly logged, it is unlikely the majority >> of Cross-Cloud Injection attacks are being detected today. >> >> ::Exploit details:: >> >> 1. Malware: The attacker first creates an image to be deployed to a >> public cloud. This image typically includes an operating system like >> Windows, or shareware like Linux. And a web server. It will also >> include malicious web application content usually in the form of PHP >> web pages and/or SWFs, to be used in the data mining operation phase >> of the attack. >> >> 2. Deployment: Next the attacker will upload the image, often >> virtualized, to a public cloud. This typically requires authentication >> but in all cases observed the attackers have already gained access to >> legitimate userIDs and passwords. When these components are deployed >> together on a public cloud this scenario is commonly referred to as >> "APT" (Advanced Persistent Threat) >> >> 3. Phase One: Public-Cloud user Attack -- The attacker will take their >> malware and integrate it into Web 2.0 applications like Facebook under >> the guise of a legitimate application. Then APT is often disguised as >> an online game using farming implements and leveraging monotonous >> clicking to maximize the amount of time the user leaves the >> application running. This, as we will see in turn, increases the >> attack window of exposure allowing for deeper data mining by the APT >> malware running in the user's browser. >> >> Once the APT is on the social network the attacker waits for users to >> access it with their web browser. Once a user executes the application >> the second phase of the attack begins. >> >> 4. Phase Two: Private-Cloud user attack -- The APT malware will now >> attempt to access applications within the user's virtual private >> cloud. This often takes the form of the APT leveraging benign seeming >> features within the online "game", allowing the APT to access the >> user's email address book locally or ACROSS both Public and Private >> Cloud email and contact systems. If the user allows the malware to >> continue executing it is possible to mine all contacts from both >> Public and Private cloud messaging systems and begin replicating it's >> attack across all users. >> >> Additional potential and likely threats from this APT execution include: >> + potential to mine all data from all systems accessible via a web >> browser with both idempotent and non-idempotent web requests >> + set APT Spy-Cookies and Geolocating Tracking-Cookies >> >> ::Remediation:: >> There are no known immediate remediation steps available. Mitigations >> steps include: >> + Only use secure web browsers >> + Only use trusted, secure web applications >> + Disable Javascript >> + Disable dangerous plugins in the browser >> + Disable or remove any insecure web browsers you have installed to >> avoid accidental use >> >> ::Reference:: >> The Cloud Web Large Server Alliance sponsors the CWLS Virtual Security >> Research Team responsible for discovering this new attack vector. >> Future updates can be tracked on the CWLS website using this unique >> identifier: CWLS Disclosure ID: CWLS20110104 >> >> APT (Advanced Persistent Threat): >> http://en.wikipedia.org/wiki/Advanced_Persistent_Threat >> >> Cloud Computing: >> http://en.wikipedia.org/wiki/Cloud_computing >> >> Cloud Security: >> https://cloudsecurityalliance.org/ >> (note there is a gap in information regarding Cross-Cloud security) >> >> Code Injection: >> http://en.wikipedia.org/wiki/Code_injection >> >> CWLS Alliance: >> http://cwlsalliance.roxer.com/ >> >> _______________________________________________ >> The Web Security Mailing List >> >> WebSecurity RSS Feed >> http://www.webappsec.org/rss/websecurity.rss >> >> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA >> >> WASC on Twitter >> http://twitter.com/wascupdates >> >> websecurity@lists.webappsec.org >> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org >> > _______________________________________________ > The Web Security Mailing List > > WebSecurity RSS Feed > http://www.webappsec.org/rss/websecurity.rss > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitter > http://twitter.com/wascupdates > > websecurity@lists.webappsec.org > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org

Paul, Do not be myopic, my friend. This is not just about the cloud. This is bigger than the cloud. We have persistent code execution stealing legitimate user data across cloud applications, and between them. Leading security software tools and vendors have done little to protect us, though I believe the Next Generation Firewalls are implementing features to address Cross Cloud Injection as we speak. This is the primary reason why the Cloud Web Large Server Alliance formed our Virtual Security Research Team: to do something about this problem. You can be part of the problem or part of the solution, Paul. Which is it going to be? --- T.D. Dave Senior Security Solutions Architecture Research Specialist CWLS Alliance, VSRT ps - thanks for the visiting our temporary website, we are still raising funds to build a formal website for the Alliance. If you would like to join as a member or sponsor this would help tremendously! On Fri, Apr 1, 2011 at 1:47 PM, Paul McMillan <paul@mcmillan.ws> wrote: > This is bullshit with a bunch of buzzwords. > > The process boils down to: > > upload malware to the web > have users install malware as a facebook application > malware steals data available to facebook application > (or possibly, malware gets installed locally and does that thing malware > does) > also, malware might set cookies. How terrible. > > I don't think this requires "cloud" anything. Either this is a real > threat that wasn't described at all, or it's someone puffing > themselves up with vulnerability reports. Also, a free drag-n-drop > project homepage? What's really going on here? > > -Paul > > On Fri, Apr 1, 2011 at 2:34 AM, TD Dave ThePirate > <tddavethepirate@gmail.com> wrote: > > Cross Cloud Injection Vulnerability in multiple vendors leads to > > Persistent Remote Root > > ________________________________________________________________________ > > Global CWLS Alliance Virtual Security Research Team > > T.D. Dave > > Thu, 31 March 2011 22:22:15 UMT -0700 > > ________________________________________________________________________ > > [*] Vulnerability Type: APT, Remote Root, Arbitrary Code Execution > > [*] Vuln Class Name: Cross-Cloud Injection > > [*] Synopsis: Cross-Cloud Platform Arbitrary Code Injection > > [*] Affected Platforms: Cloud, SaaS > > [*] Affected Vendor: Multi-Vendor > > [*] Threat: Requires Authentication, but Widely Deployed > > [*] Severity: High Risk > > [*] Ease of Exploitation:: Trivial (2-4 hours) > > [*]Release Date:: 3.31.2011 > > [*] Issue fixed in version : Currently Exploitable > > [*] Vulnerability discovered by : T.D. Dave & CWLS VSR Team > > [*] CWLS VSRT: http://cwlsalliance.roxer.com/ > > ________________________________________________________________________ > > > > ::Overview:: > > A critical new cloud-based attack vector has been discovered by the > > CWLS Alliance VSRT (Virtual Security Research Team). > > > > Using this new attack vector it is possible for an attacker to > > comprise multiple cloud-based platforms and script the execution of > > arbitrary code infecting all users of these system. This new attack > > vector is being exploited by dynamically-generated APT that current > > antivirus/malware solutions are not yet able to detect. > > > > ::Description:: > > A new attack vector against public-cloud platforms makes it is > > possible for an attacker to compromise data in multiple vendors' > > private-cloud solutions via swod-niw family APT infection. The most > > common scenario is that the attacker will first gain administrative > > privilege access to one or more running application instances on a > > public cloud using techniques detailed below. The attacker will then > > modify this running application to host swod-niw family APT malware on > > the public cloud application. The APT malware uses a combination of > > Web 2.0 hacking techniques like CSRF and click-jacking to make calls > > to and access private-cloud infrastucture's web interfaces via > > legitimate private-cloud user's web browsers. While impersonating the > > user privilege of the logged-in browser, the APT will access and mine > > all data accessible to the private-cloud user. Additional activities > > detected including taking actions within the private-cloud application > > on behalf of the user. > > > > The exploitable platforms are multi-vendor and widespread, and we fear > > that attacks such as this have already become common. Due to the > > difficulty in monitoring for these complex, multi-step attacks, often > > using requests types not commonly logged, it is unlikely the majority > > of Cross-Cloud Injection attacks are being detected today. > > > > ::Exploit details:: > > > > 1. Malware: The attacker first creates an image to be deployed to a > > public cloud. This image typically includes an operating system like > > Windows, or shareware like Linux. And a web server. It will also > > include malicious web application content usually in the form of PHP > > web pages and/or SWFs, to be used in the data mining operation phase > > of the attack. > > > > 2. Deployment: Next the attacker will upload the image, often > > virtualized, to a public cloud. This typically requires authentication > > but in all cases observed the attackers have already gained access to > > legitimate userIDs and passwords. When these components are deployed > > together on a public cloud this scenario is commonly referred to as > > "APT" (Advanced Persistent Threat) > > > > 3. Phase One: Public-Cloud user Attack -- The attacker will take their > > malware and integrate it into Web 2.0 applications like Facebook under > > the guise of a legitimate application. Then APT is often disguised as > > an online game using farming implements and leveraging monotonous > > clicking to maximize the amount of time the user leaves the > > application running. This, as we will see in turn, increases the > > attack window of exposure allowing for deeper data mining by the APT > > malware running in the user's browser. > > > > Once the APT is on the social network the attacker waits for users to > > access it with their web browser. Once a user executes the application > > the second phase of the attack begins. > > > > 4. Phase Two: Private-Cloud user attack -- The APT malware will now > > attempt to access applications within the user's virtual private > > cloud. This often takes the form of the APT leveraging benign seeming > > features within the online "game", allowing the APT to access the > > user's email address book locally or ACROSS both Public and Private > > Cloud email and contact systems. If the user allows the malware to > > continue executing it is possible to mine all contacts from both > > Public and Private cloud messaging systems and begin replicating it's > > attack across all users. > > > > Additional potential and likely threats from this APT execution include: > > + potential to mine all data from all systems accessible via a web > > browser with both idempotent and non-idempotent web requests > > + set APT Spy-Cookies and Geolocating Tracking-Cookies > > > > ::Remediation:: > > There are no known immediate remediation steps available. Mitigations > > steps include: > > + Only use secure web browsers > > + Only use trusted, secure web applications > > + Disable Javascript > > + Disable dangerous plugins in the browser > > + Disable or remove any insecure web browsers you have installed to > > avoid accidental use > > > > ::Reference:: > > The Cloud Web Large Server Alliance sponsors the CWLS Virtual Security > > Research Team responsible for discovering this new attack vector. > > Future updates can be tracked on the CWLS website using this unique > > identifier: CWLS Disclosure ID: CWLS20110104 > > > > APT (Advanced Persistent Threat): > > http://en.wikipedia.org/wiki/Advanced_Persistent_Threat > > > > Cloud Computing: > > http://en.wikipedia.org/wiki/Cloud_computing > > > > Cloud Security: > > https://cloudsecurityalliance.org/ > > (note there is a gap in information regarding Cross-Cloud security) > > > > Code Injection: > > http://en.wikipedia.org/wiki/Code_injection > > > > CWLS Alliance: > > http://cwlsalliance.roxer.com/ > > > > _______________________________________________ > > The Web Security Mailing List > > > > WebSecurity RSS Feed > > http://www.webappsec.org/rss/websecurity.rss > > > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > > > WASC on Twitter > > http://twitter.com/wascupdates > > > > websecurity@lists.webappsec.org > > > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org > > >

I think the biggest problem is people throwing out buzzwords like APT and Cloud and Web 2.0 just to sell stuff. And when it comes to security it's even worse because buzzwords make old threats sound new, everybody freaks out and starts asking for (non-)solutions and the situation starts pilling up. APT basically means nothing, 'cloud' computing existed long before I was born (mainframes and thin terminals and the like) and there is no Web 2.0. And now an APT dubbed Cross Cloud Injection? This is an exercise in recursive meaninglessness. I'll agree with Paul on this one despite his overly enthusiastic candor. On 04/01/2011 11:30 PM, robert@webappsec.org wrote: >> Do not be myopic, my friend. This is not just about the cloud. >> This is bigger than the cloud. >> >> We have persistent code execution stealing legitimate user data >> across cloud applications, and between them. Leading security >> software tools and vendors have done little to protect us, though >> I believe the Next Generation Firewalls are implementing features >> to address Cross Cloud Injection as we speak. >> >> This is the primary reason why the Cloud Web Large Server >> Alliance formed our Virtual Security Research Team: >> >> to do something about this problem. >> >> You can be part of the problem or part of the solution, Paul. >> >> Which is it going to be? > > If he's like 98% of all people in the security 'scene', just part of the problem. > > :) > > Regards, > - Robert > WASC Co Founder/Moderator of The Web security Mailing List > http://www.webappsec.org/ > http://www.qasec.com/ > http://www.cgisecurity.com/ > > >> >> --- >> T.D. Dave >> Senior Security Solutions Architecture Research Specialist >> CWLS Alliance, VSRT >> >> ps - thanks for the visiting our temporary website, we are still >> raising funds to build a formal website for the Alliance. If you >> would like to join as a member or sponsor this would help tremendously! >> >> >> >> >> On Fri, Apr 1, 2011 at 1:47 PM, Paul McMillan<paul@mcmillan.ws> wrote: >> >>> This is bullshit with a bunch of buzzwords. >>> >>> The process boils down to: >>> >>> upload malware to the web >>> have users install malware as a facebook application >>> malware steals data available to facebook application >>> (or possibly, malware gets installed locally and does that thing malware >>> does) >>> also, malware might set cookies. How terrible. >>> >>> I don't think this requires "cloud" anything. Either this is a real >>> threat that wasn't described at all, or it's someone puffing >>> themselves up with vulnerability reports. Also, a free drag-n-drop >>> project homepage? What's really going on here? >>> >>> -Paul >>> >>> On Fri, Apr 1, 2011 at 2:34 AM, TD Dave ThePirate >>> <tddavethepirate@gmail.com> wrote: >>>> Cross Cloud Injection Vulnerability in multiple vendors leads to >>>> Persistent Remote Root >>>> ________________________________________________________________________ >>>> Global CWLS Alliance Virtual Security Research Team >>>> T.D. Dave >>>> Thu, 31 March 2011 22:22:15 UMT -0700 >>>> ________________________________________________________________________ >>>> [*] Vulnerability Type: APT, Remote Root, Arbitrary Code Execution >>>> [*] Vuln Class Name: Cross-Cloud Injection >>>> [*] Synopsis: Cross-Cloud Platform Arbitrary Code Injection >>>> [*] Affected Platforms: Cloud, SaaS >>>> [*] Affected Vendor: Multi-Vendor >>>> [*] Threat: Requires Authentication, but Widely Deployed >>>> [*] Severity: High Risk >>>> [*] Ease of Exploitation:: Trivial (2-4 hours) >>>> [*]Release Date:: 3.31.2011 >>>> [*] Issue fixed in version : Currently Exploitable >>>> [*] Vulnerability discovered by : T.D. Dave& CWLS VSR Team >>>> [*] CWLS VSRT: http://cwlsalliance.roxer.com/ >>>> ________________________________________________________________________ >>>> >>>> ::Overview:: >>>> A critical new cloud-based attack vector has been discovered by the >>>> CWLS Alliance VSRT (Virtual Security Research Team). >>>> >>>> Using this new attack vector it is possible for an attacker to >>>> comprise multiple cloud-based platforms and script the execution of >>>> arbitrary code infecting all users of these system. This new attack >>>> vector is being exploited by dynamically-generated APT that current >>>> antivirus/malware solutions are not yet able to detect. >>>> >>>> ::Description:: >>>> A new attack vector against public-cloud platforms makes it is >>>> possible for an attacker to compromise data in multiple vendors' >>>> private-cloud solutions via swod-niw family APT infection. The most >>>> common scenario is that the attacker will first gain administrative >>>> privilege access to one or more running application instances on a >>>> public cloud using techniques detailed below. The attacker will then >>>> modify this running application to host swod-niw family APT malware on >>>> the public cloud application. The APT malware uses a combination of >>>> Web 2.0 hacking techniques like CSRF and click-jacking to make calls >>>> to and access private-cloud infrastucture's web interfaces via >>>> legitimate private-cloud user's web browsers. While impersonating the >>>> user privilege of the logged-in browser, the APT will access and mine >>>> all data accessible to the private-cloud user. Additional activities >>>> detected including taking actions within the private-cloud application >>>> on behalf of the user. >>>> >>>> The exploitable platforms are multi-vendor and widespread, and we fear >>>> that attacks such as this have already become common. Due to the >>>> difficulty in monitoring for these complex, multi-step attacks, often >>>> using requests types not commonly logged, it is unlikely the majority >>>> of Cross-Cloud Injection attacks are being detected today. >>>> >>>> ::Exploit details:: >>>> >>>> 1. Malware: The attacker first creates an image to be deployed to a >>>> public cloud. This image typically includes an operating system like >>>> Windows, or shareware like Linux. And a web server. It will also >>>> include malicious web application content usually in the form of PHP >>>> web pages and/or SWFs, to be used in the data mining operation phase >>>> of the attack. >>>> >>>> 2. Deployment: Next the attacker will upload the image, often >>>> virtualized, to a public cloud. This typically requires authentication >>>> but in all cases observed the attackers have already gained access to >>>> legitimate userIDs and passwords. When these components are deployed >>>> together on a public cloud this scenario is commonly referred to as >>>> "APT" (Advanced Persistent Threat) >>>> >>>> 3. Phase One: Public-Cloud user Attack -- The attacker will take their >>>> malware and integrate it into Web 2.0 applications like Facebook under >>>> the guise of a legitimate application. Then APT is often disguised as >>>> an online game using farming implements and leveraging monotonous >>>> clicking to maximize the amount of time the user leaves the >>>> application running. This, as we will see in turn, increases the >>>> attack window of exposure allowing for deeper data mining by the APT >>>> malware running in the user's browser. >>>> >>>> Once the APT is on the social network the attacker waits for users to >>>> access it with their web browser. Once a user executes the application >>>> the second phase of the attack begins. >>>> >>>> 4. Phase Two: Private-Cloud user attack -- The APT malware will now >>>> attempt to access applications within the user's virtual private >>>> cloud. This often takes the form of the APT leveraging benign seeming >>>> features within the online "game", allowing the APT to access the >>>> user's email address book locally or ACROSS both Public and Private >>>> Cloud email and contact systems. If the user allows the malware to >>>> continue executing it is possible to mine all contacts from both >>>> Public and Private cloud messaging systems and begin replicating it's >>>> attack across all users. >>>> >>>> Additional potential and likely threats from this APT execution include: >>>> + potential to mine all data from all systems accessible via a web >>>> browser with both idempotent and non-idempotent web requests >>>> + set APT Spy-Cookies and Geolocating Tracking-Cookies >>>> >>>> ::Remediation:: >>>> There are no known immediate remediation steps available. Mitigations >>>> steps include: >>>> + Only use secure web browsers >>>> + Only use trusted, secure web applications >>>> + Disable Javascript >>>> + Disable dangerous plugins in the browser >>>> + Disable or remove any insecure web browsers you have installed to >>>> avoid accidental use >>>> >>>> ::Reference:: >>>> The Cloud Web Large Server Alliance sponsors the CWLS Virtual Security >>>> Research Team responsible for discovering this new attack vector. >>>> Future updates can be tracked on the CWLS website using this unique >>>> identifier: CWLS Disclosure ID: CWLS20110104 >>>> >>>> APT (Advanced Persistent Threat): >>>> http://en.wikipedia.org/wiki/Advanced_Persistent_Threat >>>> >>>> Cloud Computing: >>>> http://en.wikipedia.org/wiki/Cloud_computing >>>> >>>> Cloud Security: >>>> https://cloudsecurityalliance.org/ >>>> (note there is a gap in information regarding Cross-Cloud security) >>>> >>>> Code Injection: >>>> http://en.wikipedia.org/wiki/Code_injection >>>> >>>> CWLS Alliance: >>>> http://cwlsalliance.roxer.com/ >>>> >>>> _______________________________________________ >>>> The Web Security Mailing List >>>> >>>> WebSecurity RSS Feed >>>> http://www.webappsec.org/rss/websecurity.rss >>>> >>>> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA >>>> >>>> WASC on Twitter >>>> http://twitter.com/wascupdates >>>> >>>> websecurity@lists.webappsec.org >>>> >>> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org >>>> >>> >> >> --001636e0b63452a3bd049fe21c8c >> Content-Type: text/html; charset=ISO-8859-1 >> Content-Transfer-Encoding: quoted-printable >> >> Paul,<div><br></div><div>Do not be myopic, my friend. This is not just abou= >> t the cloud.</div><div>This is bigger than the cloud.</div><div><br></div><= >> div>We have persistent code execution=A0stealing legitimate user data</div> >> <div>across cloud applications, and between them. Leading security</div><di= >> v>software tools and=A0vendors have done little to protect us, though</div>= >> <div>I believe the Next Generation Firewalls are implementing features</div= >>> >> <div>to address Cross Cloud Injection as we speak.</div><div><br></div><div= >>> This is the primary reason why the Cloud Web=A0Large Server</div><div>Alli= >> ance formed our Virtual Security Research Team:</div><div><br></div><div> >> to do something about this problem.</div><div><br></div><div>You can be par= >> t of the problem or part of the solution, Paul.</div><div><br></div><div>Wh= >> ich=A0is it going to be?</div><div><br></div><div>---</div><div>T.D. Dave</= >> div> >> <div>Senior Security Solutions Architecture Research Specialist</div><div>C= >> WLS Alliance, VSRT</div><div><br></div><div>ps - thanks for the visiting ou= >> r temporary website, we are still</div><div>raising funds to build a formal= >> website for the Alliance. If you</div> >> <div>would like to join as a member or sponsor this would help tremendously= >> !</div><div><br></div><div><br></div><div><br></div><div><br><div class=3D"= >> gmail_quote">On Fri, Apr 1, 2011 at 1:47 PM, Paul McMillan<span dir=3D"ltr= >> ">&lt;<a href=3D"mailto:paul@mcmillan.ws">paul@mcmillan.ws</a>&gt;</span> w= >> rote:<br> >> <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p= >> x #ccc solid;padding-left:1ex;">This is bullshit with a bunch of buzzwords.= >> <br> >> <br> >> The process boils down to:<br> >> <br> >> upload malware to the web<br> >> have users install malware as a facebook application<br> >> malware steals data available to facebook application<br> >> (or possibly, malware gets installed locally and does that thing malware do= >> es)<br> >> also, malware might set cookies. How terrible.<br> >> <br> >> I don&#39;t think this requires&quot;cloud&quot; anything. Either this is = >> a real<br> >> threat that wasn&#39;t described at all, or it&#39;s someone puffing<br> >> themselves up with vulnerability reports. Also, a free drag-n-drop<br> >> project homepage? What&#39;s really going on here?<br> >> <font color=3D"#888888"><br> >> -Paul<br> >> </font><div><div></div><div class=3D"h5"><br> >> On Fri, Apr 1, 2011 at 2:34 AM, TD Dave ThePirate<br> >> &lt;<a href=3D"mailto:tddavethepirate@gmail.com">tddavethepirate@gmail.com<= >> /a>&gt; wrote:<br> >> &gt; Cross Cloud Injection Vulnerability in multiple vendors leads to<br> >> &gt; Persistent Remote Root<br> >> &gt; ______________________________________________________________________= >> __<br> >> &gt; Global CWLS Alliance Virtual Security Research Team<br> >> &gt; T.D. Dave<br> >> &gt; Thu, 31 March 2011 22:22:15 UMT -0700<br> >> &gt; ______________________________________________________________________= >> __<br> >> &gt; [*] Vulnerability Type: APT, Remote Root, Arbitrary Code Execution<br> >> &gt; [*] Vuln Class Name: Cross-Cloud Injection<br> >> &gt; [*] Synopsis: Cross-Cloud Platform Arbitrary Code Injection<br> >> &gt; [*] Affected Platforms: Cloud, SaaS<br> >> &gt; [*] Affected Vendor: Multi-Vendor<br> >> &gt; [*] Threat: Requires Authentication, but Widely Deployed<br> >> &gt; [*] Severity: High Risk<br> >> &gt; [*] Ease of Exploitation:: Trivial (2-4 hours)<br> >> &gt; [*]Release Date:: =A03.31.2011<br> >> &gt; [*] Issue fixed in version : Currently Exploitable<br> >> &gt; [*] Vulnerability discovered by : T.D. Dave&amp; CWLS VSR Team<br> >> &gt; [*] CWLS VSRT:<a href=3D"http://cwlsalliance.roxer.com/" target=3D"_b= >> lank">http://cwlsalliance.roxer.com/</a><br> >> &gt; ______________________________________________________________________= >> __<br> >> &gt;<br> >> &gt; ::Overview::<br> >> &gt; A critical new cloud-based attack vector has been discovered by the<br= >>> >> &gt; CWLS Alliance VSRT (Virtual Security Research Team).<br> >> &gt;<br> >> &gt; Using this new attack vector it is possible for an attacker to<br> >> &gt; comprise multiple cloud-based platforms and script the execution of<br= >>> >> &gt; arbitrary code infecting all users of these system. This new attack<br= >>> >> &gt; vector is being exploited by dynamically-generated APT that current<br= >>> >> &gt; antivirus/malware solutions are not yet able to detect.<br> >> &gt;<br> >> &gt; ::Description::<br> >> &gt; A new attack vector against public-cloud platforms makes it is<br> >> &gt; possible for an attacker to compromise data in multiple vendors&#39;<b= >> r> >> &gt; private-cloud solutions via swod-niw family APT infection. The most<br= >>> >> &gt; common scenario is that the attacker will first gain administrative<br= >>> >> &gt; privilege access to one or more running application instances on a<br> >> &gt; public cloud using techniques detailed below. The attacker will then<b= >> r> >> &gt; modify this running application to host swod-niw family APT malware on= >> <br> >> &gt; the public cloud application. The APT malware uses a combination of<br= >>> >> &gt; Web 2.0 hacking techniques like CSRF and click-jacking to make calls<b= >> r> >> &gt; to and access private-cloud infrastucture&#39;s web interfaces via<br> >> &gt; legitimate private-cloud user&#39;s web browsers. While impersonating = >> the<br> >> &gt; user privilege of the logged-in browser, the APT will access and mine<= >> br> >> &gt; all data accessible to the private-cloud user. Additional activities<b= >> r> >> &gt; detected including taking actions within the private-cloud application= >> <br> >> &gt; on behalf of the user.<br> >> &gt;<br> >> &gt; The exploitable platforms are multi-vendor and widespread, and we fear= >> <br> >> &gt; that attacks such as this have already become common. Due to the<br> >> &gt; difficulty in monitoring for these complex, multi-step attacks, often<= >> br> >> &gt; using requests types not commonly logged, it is unlikely the majority<= >> br> >> &gt; of Cross-Cloud Injection attacks are being detected today.<br> >> &gt;<br> >> &gt; ::Exploit details::<br> >> &gt;<br> >> &gt; 1. Malware: The attacker first creates an image to be deployed to a<br= >>> >> &gt; public cloud. This image typically includes an operating system like<b= >> r> >> &gt; Windows, or shareware like Linux. And a web server. It will also<br> >> &gt; include malicious web application content usually in the form of PHP<b= >> r> >> &gt; web pages and/or SWFs, to be used in the data mining operation phase<b= >> r> >> &gt; of the attack.<br> >> &gt;<br> >> &gt; 2. Deployment: Next the attacker will upload the image, often<br> >> &gt; virtualized, to a public cloud. This typically requires authentication= >> <br> >> &gt; but in all cases observed the attackers have already gained access to<= >> br> >> &gt; legitimate userIDs and passwords. When these components are deployed<b= >> r> >> &gt; together on a public cloud this scenario is commonly referred to as<br= >>> >> &gt;&quot;APT&quot; (Advanced Persistent Threat)<br> >> &gt;<br> >> &gt; 3. Phase One: Public-Cloud user Attack -- The attacker will take their= >> <br> >> &gt; malware and integrate it into Web 2.0 applications like Facebook under= >> <br> >> &gt; the guise of a legitimate application. Then APT is often disguised as<= >> br> >> &gt; an online game using farming implements and leveraging monotonous<br> >> &gt; clicking to maximize the amount of time the user leaves the<br> >> &gt; application running. This, as we will see in turn, increases the<br> >> &gt; attack window of exposure allowing for deeper data mining by the APT<b= >> r> >> &gt; malware running in the user&#39;s browser.<br> >> &gt;<br> >> &gt; Once the APT is on the social network the attacker waits for users to<= >> br> >> &gt; access it with their web browser. Once a user executes the application= >> <br> >> &gt; the second phase of the attack begins.<br> >> &gt;<br> >> &gt; 4. Phase Two: Private-Cloud user attack -- The APT malware will now<br= >>> >> &gt; attempt to access applications within the user&#39;s virtual private<b= >> r> >> &gt; cloud. This often takes the form of the APT leveraging benign seeming<= >> br> >> &gt; features within the online&quot;game&quot;, allowing the APT to acces= >> s the<br> >> &gt; user&#39;s email address book locally or ACROSS both Public and Privat= >> e<br> >> &gt; Cloud email and contact systems. If the user allows the malware to<br> >> &gt; continue executing it is possible to mine all contacts from both<br> >> &gt; Public and Private cloud messaging systems and begin replicating it&#3= >> 9;s<br> >> &gt; attack across all users.<br> >> &gt;<br> >> &gt; Additional potential and likely threats from this APT execution includ= >> e:<br> >> &gt; + potential to mine all data from all systems accessible via a web<br> >> &gt; browser with both idempotent and non-idempotent web requests<br> >> &gt; + set APT Spy-Cookies and Geolocating Tracking-Cookies<br> >> &gt;<br> >> &gt; ::Remediation::<br> >> &gt; There are no known immediate remediation steps available. Mitigations<= >> br> >> &gt; steps include:<br> >> &gt; + Only use secure web browsers<br> >> &gt; + Only use trusted, secure web applications<br> >> &gt; + Disable Javascript<br> >> &gt; + Disable dangerous plugins in the browser<br> >> &gt; + Disable or remove any insecure web browsers you have installed to<br= >>> >> &gt; avoid accidental use<br> >> &gt;<br> >> &gt; ::Reference::<br> >> &gt; The Cloud Web Large Server Alliance sponsors the CWLS Virtual Security= >> <br> >> &gt; Research Team responsible for discovering this new attack vector.<br> >> &gt; Future updates can be tracked on the CWLS website using this unique<br= >>> >> &gt; identifier: CWLS Disclosure ID: CWLS20110104<br> >> &gt;<br> >> &gt; APT (Advanced Persistent Threat):<br> >> &gt;<a href=3D"http://en.wikipedia.org/wiki/Advanced_Persistent_Threat" ta= >> rget=3D"_blank">http://en.wikipedia.org/wiki/Advanced_Persistent_Threat</a>= >> <br> >> &gt;<br> >> &gt; Cloud Computing:<br> >> &gt;<a href=3D"http://en.wikipedia.org/wiki/Cloud_computing" target=3D"_bl= >> ank">http://en.wikipedia.org/wiki/Cloud_computing</a><br> >> &gt;<br> >> &gt; Cloud Security:<br> >> &gt;<a href=3D"https://cloudsecurityalliance.org/" target=3D"_blank">https= >> ://cloudsecurityalliance.org/</a><br> >> &gt; (note there is a gap in information regarding Cross-Cloud security)<br= >>> >> &gt;<br> >> &gt; Code Injection:<br> >> &gt;<a href=3D"http://en.wikipedia.org/wiki/Code_injection" target=3D"_bla= >> nk">http://en.wikipedia.org/wiki/Code_injection</a><br> >> &gt;<br> >> &gt; CWLS Alliance:<br> >> &gt;<a href=3D"http://cwlsalliance.roxer.com/" target=3D"_blank">http://cw= >> lsalliance.roxer.com/</a><br> >> &gt;<br> >> </div></div><div><div></div><div class=3D"h5">&gt; ________________________= >> _______________________<br> >> &gt; The Web Security Mailing List<br> >> &gt;<br> >> &gt; WebSecurity RSS Feed<br> >> &gt;<a href=3D"http://www.webappsec.org/rss/websecurity.rss" target=3D"_bl= >> ank">http://www.webappsec.org/rss/websecurity.rss</a><br> >> &gt;<br> >> &gt; Join WASC on LinkedIn<a href=3D"http://www.linkedin.com/e/gis/83336/4= >> B20E4374DBA" target=3D"_blank">http://www.linkedin.com/e/gis/83336/4B20E437= >> 4DBA</a><br> >> &gt;<br> >> &gt; WASC on Twitter<br> >> &gt;<a href=3D"http://twitter.com/wascupdates" target=3D"_blank">http://tw= >> itter.com/wascupdates</a><br> >> &gt;<br> >> &gt;<a href=3D"mailto:websecurity@lists.webappsec.org">websecurity@lists.w= >> ebappsec.org</a><br> >> &gt;<a href=3D"http://lists.webappsec.org/mailman/listinfo/websecurity_lis= >> ts.webappsec.org" target=3D"_blank">http://lists.webappsec.org/mailman/list= >> info/websecurity_lists.webappsec.org</a><br> >> &gt;<br> >> </div></div></blockquote></div><br></div> >> >> --001636e0b63452a3bd049fe21c8c-- >> >> >> --===============0787354708290838694== >> Content-Type: text/plain; charset="us-ascii" >> MIME-Version: 1.0 >> Content-Transfer-Encoding: 7bit >> Content-Disposition: inline >> >> _______________________________________________ >> The Web Security Mailing List >> >> WebSecurity RSS Feed >> http://www.webappsec.org/rss/websecurity.rss >> >> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA >> >> WASC on Twitter >> http://twitter.com/wascupdates >> >> websecurity@lists.webappsec.org >> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org >> >> --===============0787354708290838694==-- >> > > > _______________________________________________ > The Web Security Mailing List > > WebSecurity RSS Feed > http://www.webappsec.org/rss/websecurity.rss > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitter > http://twitter.com/wascupdates > > websecurity@lists.webappsec.org > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org >

> Do not be myopic, my friend. This is not just about the cloud. > This is bigger than the cloud. > > We have persistent code execution stealing legitimate user data > across cloud applications, and between them. Leading security > software tools and vendors have done little to protect us, though > I believe the Next Generation Firewalls are implementing features > to address Cross Cloud Injection as we speak. > > This is the primary reason why the Cloud Web Large Server > Alliance formed our Virtual Security Research Team: > > to do something about this problem. > > You can be part of the problem or part of the solution, Paul. > > Which is it going to be? If he's like 98% of all people in the security 'scene', just part of the problem. :) Regards, - Robert WASC Co Founder/Moderator of The Web security Mailing List http://www.webappsec.org/ http://www.qasec.com/ http://www.cgisecurity.com/ > > --- > T.D. Dave > Senior Security Solutions Architecture Research Specialist > CWLS Alliance, VSRT > > ps - thanks for the visiting our temporary website, we are still > raising funds to build a formal website for the Alliance. If you > would like to join as a member or sponsor this would help tremendously! > > > > > On Fri, Apr 1, 2011 at 1:47 PM, Paul McMillan <paul@mcmillan.ws> wrote: > > > This is bullshit with a bunch of buzzwords. > > > > The process boils down to: > > > > upload malware to the web > > have users install malware as a facebook application > > malware steals data available to facebook application > > (or possibly, malware gets installed locally and does that thing malware > > does) > > also, malware might set cookies. How terrible. > > > > I don't think this requires "cloud" anything. Either this is a real > > threat that wasn't described at all, or it's someone puffing > > themselves up with vulnerability reports. Also, a free drag-n-drop > > project homepage? What's really going on here? > > > > -Paul > > > > On Fri, Apr 1, 2011 at 2:34 AM, TD Dave ThePirate > > <tddavethepirate@gmail.com> wrote: > > > Cross Cloud Injection Vulnerability in multiple vendors leads to > > > Persistent Remote Root > > > ________________________________________________________________________ > > > Global CWLS Alliance Virtual Security Research Team > > > T.D. Dave > > > Thu, 31 March 2011 22:22:15 UMT -0700 > > > ________________________________________________________________________ > > > [*] Vulnerability Type: APT, Remote Root, Arbitrary Code Execution > > > [*] Vuln Class Name: Cross-Cloud Injection > > > [*] Synopsis: Cross-Cloud Platform Arbitrary Code Injection > > > [*] Affected Platforms: Cloud, SaaS > > > [*] Affected Vendor: Multi-Vendor > > > [*] Threat: Requires Authentication, but Widely Deployed > > > [*] Severity: High Risk > > > [*] Ease of Exploitation:: Trivial (2-4 hours) > > > [*]Release Date:: 3.31.2011 > > > [*] Issue fixed in version : Currently Exploitable > > > [*] Vulnerability discovered by : T.D. Dave & CWLS VSR Team > > > [*] CWLS VSRT: http://cwlsalliance.roxer.com/ > > > ________________________________________________________________________ > > > > > > ::Overview:: > > > A critical new cloud-based attack vector has been discovered by the > > > CWLS Alliance VSRT (Virtual Security Research Team). > > > > > > Using this new attack vector it is possible for an attacker to > > > comprise multiple cloud-based platforms and script the execution of > > > arbitrary code infecting all users of these system. This new attack > > > vector is being exploited by dynamically-generated APT that current > > > antivirus/malware solutions are not yet able to detect. > > > > > > ::Description:: > > > A new attack vector against public-cloud platforms makes it is > > > possible for an attacker to compromise data in multiple vendors' > > > private-cloud solutions via swod-niw family APT infection. The most > > > common scenario is that the attacker will first gain administrative > > > privilege access to one or more running application instances on a > > > public cloud using techniques detailed below. The attacker will then > > > modify this running application to host swod-niw family APT malware on > > > the public cloud application. The APT malware uses a combination of > > > Web 2.0 hacking techniques like CSRF and click-jacking to make calls > > > to and access private-cloud infrastucture's web interfaces via > > > legitimate private-cloud user's web browsers. While impersonating the > > > user privilege of the logged-in browser, the APT will access and mine > > > all data accessible to the private-cloud user. Additional activities > > > detected including taking actions within the private-cloud application > > > on behalf of the user. > > > > > > The exploitable platforms are multi-vendor and widespread, and we fear > > > that attacks such as this have already become common. Due to the > > > difficulty in monitoring for these complex, multi-step attacks, often > > > using requests types not commonly logged, it is unlikely the majority > > > of Cross-Cloud Injection attacks are being detected today. > > > > > > ::Exploit details:: > > > > > > 1. Malware: The attacker first creates an image to be deployed to a > > > public cloud. This image typically includes an operating system like > > > Windows, or shareware like Linux. And a web server. It will also > > > include malicious web application content usually in the form of PHP > > > web pages and/or SWFs, to be used in the data mining operation phase > > > of the attack. > > > > > > 2. Deployment: Next the attacker will upload the image, often > > > virtualized, to a public cloud. This typically requires authentication > > > but in all cases observed the attackers have already gained access to > > > legitimate userIDs and passwords. When these components are deployed > > > together on a public cloud this scenario is commonly referred to as > > > "APT" (Advanced Persistent Threat) > > > > > > 3. Phase One: Public-Cloud user Attack -- The attacker will take their > > > malware and integrate it into Web 2.0 applications like Facebook under > > > the guise of a legitimate application. Then APT is often disguised as > > > an online game using farming implements and leveraging monotonous > > > clicking to maximize the amount of time the user leaves the > > > application running. This, as we will see in turn, increases the > > > attack window of exposure allowing for deeper data mining by the APT > > > malware running in the user's browser. > > > > > > Once the APT is on the social network the attacker waits for users to > > > access it with their web browser. Once a user executes the application > > > the second phase of the attack begins. > > > > > > 4. Phase Two: Private-Cloud user attack -- The APT malware will now > > > attempt to access applications within the user's virtual private > > > cloud. This often takes the form of the APT leveraging benign seeming > > > features within the online "game", allowing the APT to access the > > > user's email address book locally or ACROSS both Public and Private > > > Cloud email and contact systems. If the user allows the malware to > > > continue executing it is possible to mine all contacts from both > > > Public and Private cloud messaging systems and begin replicating it's > > > attack across all users. > > > > > > Additional potential and likely threats from this APT execution include: > > > + potential to mine all data from all systems accessible via a web > > > browser with both idempotent and non-idempotent web requests > > > + set APT Spy-Cookies and Geolocating Tracking-Cookies > > > > > > ::Remediation:: > > > There are no known immediate remediation steps available. Mitigations > > > steps include: > > > + Only use secure web browsers > > > + Only use trusted, secure web applications > > > + Disable Javascript > > > + Disable dangerous plugins in the browser > > > + Disable or remove any insecure web browsers you have installed to > > > avoid accidental use > > > > > > ::Reference:: > > > The Cloud Web Large Server Alliance sponsors the CWLS Virtual Security > > > Research Team responsible for discovering this new attack vector. > > > Future updates can be tracked on the CWLS website using this unique > > > identifier: CWLS Disclosure ID: CWLS20110104 > > > > > > APT (Advanced Persistent Threat): > > > http://en.wikipedia.org/wiki/Advanced_Persistent_Threat > > > > > > Cloud Computing: > > > http://en.wikipedia.org/wiki/Cloud_computing > > > > > > Cloud Security: > > > https://cloudsecurityalliance.org/ > > > (note there is a gap in information regarding Cross-Cloud security) > > > > > > Code Injection: > > > http://en.wikipedia.org/wiki/Code_injection > > > > > > CWLS Alliance: > > > http://cwlsalliance.roxer.com/ > > > > > > _______________________________________________ > > > The Web Security Mailing List > > > > > > WebSecurity RSS Feed > > > http://www.webappsec.org/rss/websecurity.rss > > > > > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > > > > > WASC on Twitter > > > http://twitter.com/wascupdates > > > > > > websecurity@lists.webappsec.org > > > > > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org > > > > > > > --001636e0b63452a3bd049fe21c8c > Content-Type: text/html; charset=ISO-8859-1 > Content-Transfer-Encoding: quoted-printable > > Paul,<div><br></div><div>Do not be myopic, my friend. This is not just abou= > t the cloud.</div><div>This is bigger than the cloud.</div><div><br></div><= > div>We have persistent code execution=A0stealing legitimate user data</div> > <div>across cloud applications, and between them. Leading security</div><di= > v>software tools and=A0vendors have done little to protect us, though</div>= > <div>I believe the Next Generation Firewalls are implementing features</div= > > > <div>to address Cross Cloud Injection as we speak.</div><div><br></div><div= > >This is the primary reason why the Cloud Web=A0Large Server</div><div>Alli= > ance formed our Virtual Security Research Team:</div><div><br></div><div> > to do something about this problem.</div><div><br></div><div>You can be par= > t of the problem or part of the solution, Paul.</div><div><br></div><div>Wh= > ich=A0is it going to be?</div><div><br></div><div>---</div><div>T.D. Dave</= > div> > <div>Senior Security Solutions Architecture Research Specialist</div><div>C= > WLS Alliance, VSRT</div><div><br></div><div>ps - thanks for the visiting ou= > r temporary website, we are still</div><div>raising funds to build a formal= > website for the Alliance. If you</div> > <div>would like to join as a member or sponsor this would help tremendously= > !</div><div><br></div><div><br></div><div><br></div><div><br><div class=3D"= > gmail_quote">On Fri, Apr 1, 2011 at 1:47 PM, Paul McMillan <span dir=3D"ltr= > ">&lt;<a href=3D"mailto:paul@mcmillan.ws">paul@mcmillan.ws</a>&gt;</span> w= > rote:<br> > <blockquote class=3D"gmail_quote" style=3D"margin:0 0 0 .8ex;border-left:1p= > x #ccc solid;padding-left:1ex;">This is bullshit with a bunch of buzzwords.= > <br> > <br> > The process boils down to:<br> > <br> > upload malware to the web<br> > have users install malware as a facebook application<br> > malware steals data available to facebook application<br> > (or possibly, malware gets installed locally and does that thing malware do= > es)<br> > also, malware might set cookies. How terrible.<br> > <br> > I don&#39;t think this requires &quot;cloud&quot; anything. Either this is = > a real<br> > threat that wasn&#39;t described at all, or it&#39;s someone puffing<br> > themselves up with vulnerability reports. Also, a free drag-n-drop<br> > project homepage? What&#39;s really going on here?<br> > <font color=3D"#888888"><br> > -Paul<br> > </font><div><div></div><div class=3D"h5"><br> > On Fri, Apr 1, 2011 at 2:34 AM, TD Dave ThePirate<br> > &lt;<a href=3D"mailto:tddavethepirate@gmail.com">tddavethepirate@gmail.com<= > /a>&gt; wrote:<br> > &gt; Cross Cloud Injection Vulnerability in multiple vendors leads to<br> > &gt; Persistent Remote Root<br> > &gt; ______________________________________________________________________= > __<br> > &gt; Global CWLS Alliance Virtual Security Research Team<br> > &gt; T.D. Dave<br> > &gt; Thu, 31 March 2011 22:22:15 UMT -0700<br> > &gt; ______________________________________________________________________= > __<br> > &gt; [*] Vulnerability Type: APT, Remote Root, Arbitrary Code Execution<br> > &gt; [*] Vuln Class Name: Cross-Cloud Injection<br> > &gt; [*] Synopsis: Cross-Cloud Platform Arbitrary Code Injection<br> > &gt; [*] Affected Platforms: Cloud, SaaS<br> > &gt; [*] Affected Vendor: Multi-Vendor<br> > &gt; [*] Threat: Requires Authentication, but Widely Deployed<br> > &gt; [*] Severity: High Risk<br> > &gt; [*] Ease of Exploitation:: Trivial (2-4 hours)<br> > &gt; [*]Release Date:: =A03.31.2011<br> > &gt; [*] Issue fixed in version : Currently Exploitable<br> > &gt; [*] Vulnerability discovered by : T.D. Dave &amp; CWLS VSR Team<br> > &gt; [*] CWLS VSRT: <a href=3D"http://cwlsalliance.roxer.com/" target=3D"_b= > lank">http://cwlsalliance.roxer.com/</a><br> > &gt; ______________________________________________________________________= > __<br> > &gt;<br> > &gt; ::Overview::<br> > &gt; A critical new cloud-based attack vector has been discovered by the<br= > > > &gt; CWLS Alliance VSRT (Virtual Security Research Team).<br> > &gt;<br> > &gt; Using this new attack vector it is possible for an attacker to<br> > &gt; comprise multiple cloud-based platforms and script the execution of<br= > > > &gt; arbitrary code infecting all users of these system. This new attack<br= > > > &gt; vector is being exploited by dynamically-generated APT that current<br= > > > &gt; antivirus/malware solutions are not yet able to detect.<br> > &gt;<br> > &gt; ::Description::<br> > &gt; A new attack vector against public-cloud platforms makes it is<br> > &gt; possible for an attacker to compromise data in multiple vendors&#39;<b= > r> > &gt; private-cloud solutions via swod-niw family APT infection. The most<br= > > > &gt; common scenario is that the attacker will first gain administrative<br= > > > &gt; privilege access to one or more running application instances on a<br> > &gt; public cloud using techniques detailed below. The attacker will then<b= > r> > &gt; modify this running application to host swod-niw family APT malware on= > <br> > &gt; the public cloud application. The APT malware uses a combination of<br= > > > &gt; Web 2.0 hacking techniques like CSRF and click-jacking to make calls<b= > r> > &gt; to and access private-cloud infrastucture&#39;s web interfaces via<br> > &gt; legitimate private-cloud user&#39;s web browsers. While impersonating = > the<br> > &gt; user privilege of the logged-in browser, the APT will access and mine<= > br> > &gt; all data accessible to the private-cloud user. Additional activities<b= > r> > &gt; detected including taking actions within the private-cloud application= > <br> > &gt; on behalf of the user.<br> > &gt;<br> > &gt; The exploitable platforms are multi-vendor and widespread, and we fear= > <br> > &gt; that attacks such as this have already become common. Due to the<br> > &gt; difficulty in monitoring for these complex, multi-step attacks, often<= > br> > &gt; using requests types not commonly logged, it is unlikely the majority<= > br> > &gt; of Cross-Cloud Injection attacks are being detected today.<br> > &gt;<br> > &gt; ::Exploit details::<br> > &gt;<br> > &gt; 1. Malware: The attacker first creates an image to be deployed to a<br= > > > &gt; public cloud. This image typically includes an operating system like<b= > r> > &gt; Windows, or shareware like Linux. And a web server. It will also<br> > &gt; include malicious web application content usually in the form of PHP<b= > r> > &gt; web pages and/or SWFs, to be used in the data mining operation phase<b= > r> > &gt; of the attack.<br> > &gt;<br> > &gt; 2. Deployment: Next the attacker will upload the image, often<br> > &gt; virtualized, to a public cloud. This typically requires authentication= > <br> > &gt; but in all cases observed the attackers have already gained access to<= > br> > &gt; legitimate userIDs and passwords. When these components are deployed<b= > r> > &gt; together on a public cloud this scenario is commonly referred to as<br= > > > &gt; &quot;APT&quot; (Advanced Persistent Threat)<br> > &gt;<br> > &gt; 3. Phase One: Public-Cloud user Attack -- The attacker will take their= > <br> > &gt; malware and integrate it into Web 2.0 applications like Facebook under= > <br> > &gt; the guise of a legitimate application. Then APT is often disguised as<= > br> > &gt; an online game using farming implements and leveraging monotonous<br> > &gt; clicking to maximize the amount of time the user leaves the<br> > &gt; application running. This, as we will see in turn, increases the<br> > &gt; attack window of exposure allowing for deeper data mining by the APT<b= > r> > &gt; malware running in the user&#39;s browser.<br> > &gt;<br> > &gt; Once the APT is on the social network the attacker waits for users to<= > br> > &gt; access it with their web browser. Once a user executes the application= > <br> > &gt; the second phase of the attack begins.<br> > &gt;<br> > &gt; 4. Phase Two: Private-Cloud user attack -- The APT malware will now<br= > > > &gt; attempt to access applications within the user&#39;s virtual private<b= > r> > &gt; cloud. This often takes the form of the APT leveraging benign seeming<= > br> > &gt; features within the online &quot;game&quot;, allowing the APT to acces= > s the<br> > &gt; user&#39;s email address book locally or ACROSS both Public and Privat= > e<br> > &gt; Cloud email and contact systems. If the user allows the malware to<br> > &gt; continue executing it is possible to mine all contacts from both<br> > &gt; Public and Private cloud messaging systems and begin replicating it&#3= > 9;s<br> > &gt; attack across all users.<br> > &gt;<br> > &gt; Additional potential and likely threats from this APT execution includ= > e:<br> > &gt; + potential to mine all data from all systems accessible via a web<br> > &gt; browser with both idempotent and non-idempotent web requests<br> > &gt; + set APT Spy-Cookies and Geolocating Tracking-Cookies<br> > &gt;<br> > &gt; ::Remediation::<br> > &gt; There are no known immediate remediation steps available. Mitigations<= > br> > &gt; steps include:<br> > &gt; + Only use secure web browsers<br> > &gt; + Only use trusted, secure web applications<br> > &gt; + Disable Javascript<br> > &gt; + Disable dangerous plugins in the browser<br> > &gt; + Disable or remove any insecure web browsers you have installed to<br= > > > &gt; avoid accidental use<br> > &gt;<br> > &gt; ::Reference::<br> > &gt; The Cloud Web Large Server Alliance sponsors the CWLS Virtual Security= > <br> > &gt; Research Team responsible for discovering this new attack vector.<br> > &gt; Future updates can be tracked on the CWLS website using this unique<br= > > > &gt; identifier: CWLS Disclosure ID: CWLS20110104<br> > &gt;<br> > &gt; APT (Advanced Persistent Threat):<br> > &gt; <a href=3D"http://en.wikipedia.org/wiki/Advanced_Persistent_Threat" ta= > rget=3D"_blank">http://en.wikipedia.org/wiki/Advanced_Persistent_Threat</a>= > <br> > &gt;<br> > &gt; Cloud Computing:<br> > &gt; <a href=3D"http://en.wikipedia.org/wiki/Cloud_computing" target=3D"_bl= > ank">http://en.wikipedia.org/wiki/Cloud_computing</a><br> > &gt;<br> > &gt; Cloud Security:<br> > &gt; <a href=3D"https://cloudsecurityalliance.org/" target=3D"_blank">https= > ://cloudsecurityalliance.org/</a><br> > &gt; (note there is a gap in information regarding Cross-Cloud security)<br= > > > &gt;<br> > &gt; Code Injection:<br> > &gt; <a href=3D"http://en.wikipedia.org/wiki/Code_injection" target=3D"_bla= > nk">http://en.wikipedia.org/wiki/Code_injection</a><br> > &gt;<br> > &gt; CWLS Alliance:<br> > &gt; <a href=3D"http://cwlsalliance.roxer.com/" target=3D"_blank">http://cw= > lsalliance.roxer.com/</a><br> > &gt;<br> > </div></div><div><div></div><div class=3D"h5">&gt; ________________________= > _______________________<br> > &gt; The Web Security Mailing List<br> > &gt;<br> > &gt; WebSecurity RSS Feed<br> > &gt; <a href=3D"http://www.webappsec.org/rss/websecurity.rss" target=3D"_bl= > ank">http://www.webappsec.org/rss/websecurity.rss</a><br> > &gt;<br> > &gt; Join WASC on LinkedIn <a href=3D"http://www.linkedin.com/e/gis/83336/4= > B20E4374DBA" target=3D"_blank">http://www.linkedin.com/e/gis/83336/4B20E437= > 4DBA</a><br> > &gt;<br> > &gt; WASC on Twitter<br> > &gt; <a href=3D"http://twitter.com/wascupdates" target=3D"_blank">http://tw= > itter.com/wascupdates</a><br> > &gt;<br> > &gt; <a href=3D"mailto:websecurity@lists.webappsec.org">websecurity@lists.w= > ebappsec.org</a><br> > &gt; <a href=3D"http://lists.webappsec.org/mailman/listinfo/websecurity_lis= > ts.webappsec.org" target=3D"_blank">http://lists.webappsec.org/mailman/list= > info/websecurity_lists.webappsec.org</a><br> > &gt;<br> > </div></div></blockquote></div><br></div> > > --001636e0b63452a3bd049fe21c8c-- > > > --===============0787354708290838694== > Content-Type: text/plain; charset="us-ascii" > MIME-Version: 1.0 > Content-Transfer-Encoding: 7bit > Content-Disposition: inline > > _______________________________________________ > The Web Security Mailing List > > WebSecurity RSS Feed > http://www.webappsec.org/rss/websecurity.rss > > Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA > > WASC on Twitter > http://twitter.com/wascupdates > > websecurity@lists.webappsec.org > http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org > > --===============0787354708290838694==-- >