OWASP Top 10 2013 – A9 – Using Components with Known Vulnerabilities

> I didn’t even know we had this old thing!

You know, keeping things up to date is something you pretty much have to do, but the web doesn’t really make it easy. There’s a plethora of things to remember to patch: the proxies, the web server, the web application, any dependencies, and even the front-end libraries themselves! How often do you update your version of jQuery?

There are two distinct ways of using vulnerable components:
1. Using something that is vulnerable
2. Using something that is end of life

Deceased software

Something being “end of life” doesn’t necessarily mean that it is vulnerable (though it usually is), but you’ll be out in the cold if something happens. Some kid discovers the next big vulnerability against Framework Buzzword, and you have no patch coming.

End of life simply means that the company, vendor, or developer who makes the software will no longer maintain it with security updates.

A note on open source projects
Larger projects will most likely keep an up-to-date list of whatever versions and branches they’re supporting; smaller ones might not. Projects on, for example, GitHub might have no active community, a low level of support, and no guarantee when it comes to maintenance. For these types of projects, declaring the end of life is hard. In the end, you will have to accept responsibility for applying patches yourself, or have a contingency plan in case something happens.

Danger ahead – vulnerable software in use

Obviously, though, software doesn’t have to be end of life to be vulnerable. Running an out-of-date version can be dangerous, depending on the associated vulnerabilities.

So what does that mean? Well, simply put, the community keeps track of and shares knowledge on software vulnerabilities. Sometimes the specifics are disclosed (perhaps together with a demo), meaning that anyone with some technical know-how could go ahead and exploit anything running that software. Sometimes only the fact that there is *something* wrong is disclosed.

How to disclose vulnerabilities is a completely different topic.

So what, no one knows if we’re running this or that version!

Wrong. The internet knows.

There are huge searchable databases that can be used to find services and applications running a given version of a given piece of software. You could even use Google (with some limitations)!

Okay. Fair enough. But who would attack us?

Probably someone with nothing better to do, depending on the vulnerability. As time goes on, the likelihood of someone building a utility to automatically exploit the vulnerability increases. And when there is a tool for it, anyone (even a twelve-year-old) could use it – no skill required.

> Damn script kiddies.

So to summarise, the final thoughts:
A. Update your software, dependencies, components, whatever
B. Plan to migrate or upgrade from soon-to-be abandoned software
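Points A and B above boil down to one recurring chore: knowing what you run, and checking it against what is known to be broken or abandoned. As an added example (not part of the original post, and not a real advisory feed), here is a small Python script that does exactly that for a component inventory. Every component name, version range, advisory id and end-of-life date in it is a constructed placeholder; the point is the version comparison and the two kinds of finding, not the data.

```python
"""Check a component inventory against known-bad version ranges and
end-of-life dates.

Added example for this post; it is not part of the original page and not a
real advisory feed. Every component name, version range, advisory id and
date below is a constructed placeholder.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple, Union


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.10.2' into (1, 10, 2) so that versions compare numerically.

    Comparing the raw strings gets this wrong: '1.8.3' > '1.12.0' as strings,
    but 1.8.3 is the older release.
    """
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_in_range(version: str, introduced: Optional[str], fixed: Optional[str]) -> bool:
    """True when introduced <= version < fixed (None means unbounded on that side)."""
    v = parse_version(version)
    if introduced is not None and v < parse_version(introduced):
        return False
    if fixed is not None and v >= parse_version(fixed):
        return False
    return True


@dataclass
class Advisory:
    component: str
    advisory_id: str            # placeholder id, not a real CVE
    introduced: Optional[str]   # first affected version, None = every earlier version
    fixed: Optional[str]        # first fixed version, None = no patch published


# Constructed advisory feed (placeholders, not real data).
ADVISORIES: List[Advisory] = [
    Advisory("jquery-like", "ADV-EXAMPLE-0001", "1.0.0", "1.12.0"),
    Advisory("proxy-daemon", "ADV-EXAMPLE-0002", None, "2.4.1"),
    Advisory("framework-buzzword", "ADV-EXAMPLE-0003", "3.0.0", None),  # "no patch coming"
]

# Constructed end-of-life dates: after this date no security updates are expected.
END_OF_LIFE: Dict[str, date] = {
    "framework-buzzword": date(2013, 1, 1),
    "proxy-daemon": date(2020, 1, 1),
}


def assess(inventory: Dict[str, str], today: Union[date, str]) -> Dict[str, List[str]]:
    """Map each component in the inventory to its findings (empty list = nothing known)."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    findings: Dict[str, List[str]] = {}
    for component, version in inventory.items():
        notes: List[str] = []
        for adv in ADVISORIES:
            if adv.component != component:
                continue
            if version_in_range(version, adv.introduced, adv.fixed):
                if adv.fixed is not None:
                    notes.append(f"{adv.advisory_id}: vulnerable, upgrade to {adv.fixed} or later")
                else:
                    notes.append(f"{adv.advisory_id}: vulnerable, no fixed version published")
        eol = END_OF_LIFE.get(component)
        if eol is not None and eol <= today:
            notes.append(f"end of life since {eol.isoformat()}: plan a migration")
        findings[component] = notes
    return findings


def needs_action(findings: Dict[str, List[str]]) -> List[str]:
    """Components with at least one finding, sorted for stable reporting."""
    return sorted(c for c, notes in findings.items() if notes)


if __name__ == "__main__":
    # Constructed inventory of what "we" are running.
    inventory = {
        "jquery-like": "1.8.3",
        "proxy-daemon": "2.4.1",
        "framework-buzzword": "3.2.0",
        "web-server": "5.0",
    }
    for component, notes in assess(inventory, "2014-06-01").items():
        print(component, "->", notes or ["nothing known"])
```

In real use the inventory would come from your package manager or lock file and the advisory list from a vulnerability database; the numeric version comparison matters because a plain string comparison would happily report 1.8.3 as newer than 1.12.0.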

Sharing Your Hotel WiFi Voucher With Yourself

If you are in a foreign country, away from home, staying at a hotel, chances are you have horrible data roaming. Whether it is speed or cost, you want to get connected to a wifi hotspot as soon as possible.

Security problems aside, one of the issues with paid wifi (or wifi given as a pre-paid voucher to staying guests) is that the system has some form of access control. Most often your browser will get hijacked and redirected to the log-in page. When you authenticate, the hotspot associates your MAC address with the credentials you supplied, and you are free to browse the internet.

Well, what happens if this association is permanent? I.e. once you log in with your computer, only that computer can use the hotspot. What about your phone? What about other devices? In that case, you have purchased internet access, but the access is restricted to one device instead of one person.

There may be terms and conditions which you could violate by bypassing the restriction. Read them and see if you’re allowed to connect other devices.

Meh. So how could we get around it?

Solution: share internet from this device.
So you got internet on your phone. Good. Share this access via cable or bluetooth (or wifi, perhaps) with your other devices. Problem solved! Quick and easy, if your phone supports it.
You could do this with your laptop as well, but you would probably need an external wireless network card.

Solution: use the same MAC address.
Note the MAC address of your phone, and then associate the account with your phone. When you want to use your laptop, simply change the MAC of your wireless interface to that of your phone. Disconnect your phone before you connect your laptop.
On Linux, you would run something like “sudo ifconfig wlan0 hw ether aa:bb:cc:dd:ee:ff”, where wlan0 is your wireless interface and aa:bb:cc:dd:ee:ff is the MAC of your phone.

Extending the Wired Network Without any Cables

In the time before wireless, we used copper cables to get connected to the rest of the internet. That worked fine, until WiFi made us lazy cable-hating internet consumers. If you need a cable connection, then the cat6 should be inside your walls. But preferably you shouldn’t have any cables at all. And if you’re living in a house where you can’t do cable management inside the walls, there are special ethernet-via-power-outlet appliances you can get as a workaround.

I don’t trust those appliances. They are lousy. But I needed a wired connection to my Raspberry Pi and NAS, which just happened to be on the other side of my apartment, a very long way from my router. How do I do that?

Well, I could ignore the fact that cables are an eye sore, and condition myself to not see a potential cable running along the walls (or across the floor, most likely). But I’d probably never hear the end of it whenever someone came to visit.

I could move the devices, although that wouldn’t be much fun.

I could try to fit the devices with WiFi. Finally, an idea which seemed promising! The Raspberry Pi could run a wireless adapter, and then bridge that via the ethernet port to the NAS. The speeds would be terrible, it would be rather unstable, and it would not support any additional network devices… but it would do the job.

Finally, I looked around and purchased a €10 wireless router which I then hooked up as a client to my existing wireless network. The configuration bridges the 4 ethernet ports with the rest of my network. It’s not as cheap as using a cable, but it’s a pretty inexpensive solution anyway. I haven’t benchmarked the speeds, but I haven’t run into any issues thus far with it :).

This Blag Ain’t Dead Yet!

All right, all right, I admit there has not been a content update in quite a while now, but that doesn’t mean that the blog is dead! It’s still very much alive and still going strong with quite a lot of daily visits.

The life signs might have been weak, but that doesn’t mean that the heart wasn’t beating. I’ve still been doing the required WordPress maintenance: approving comments, updating, emptying the spam (some 14k messages per time!). So why didn’t I write?

I’d say time constraints. But that’s only half the truth.

I’d say that I’ve done nothing interesting, nothing that is worth writing about. But that simply wouldn’t be true.

It’s more a combination of having a lot of other engaging projects and already having too much stuff to write for other purposes.

Oh well.

Let’s see if we can get this blag moving again :).

Raspberry Pi – Is It Worth Getting One?


I’ve previously written a little bit about the Raspberry Pi, but mostly about specific things. And when I hear people talking about the RPI, it’s mostly about specific things. So, what about the whole picture? Is it worth getting a RPI?

Yes. Go get one if you don’t already have one.

Some uses:
Music player
Video player / handle a display (Synergy is available)
Lightweight HTPC
Shell server
Hardware hacking / Prototyping
Web server
Cheap NAS
BitTorrent server
OwnCloud server
Security camera

You’re getting a cheap all-in-one computer with low power consumption and good connectivity, capable of running more or less any simple service. If you’re into hardware hacking you get GPIO pins and quite a lot of community support and sample code to get started. I recently got an RGB LCD screen (warning: a lot of soldering required :3!).

Raspberry Pi is overall a good platform for a lot of purposes, and that breadth is its true strength, because at any single purpose it often falls short compared to other platforms. You can run a web server with OwnCloud, but it will be slow. You can share your old external hard drive and use it as a NAS, but don’t expect any rapid transfers. There are a few games that will run, but the experience is better elsewhere. It can play music, but the audio isn’t great and might feature some static.

I can’t complain about the video, though. It can play 1080p with audio via HDMI as long as the bitrate isn’t too high, which is amazing. 720p works flawlessly. There are images optimized for HTPC usage available. But then again, you want to play h.264. I haven’t tried any other codec, but unless there is hardware acceleration available, it will be sluggish.

The bottom line is that the Raspberry Pi is slow. The ARM processor isn’t very strong, especially with graphics. The included python games feature delay and feel unresponsive, and web browsing is impossible using an ordinary browser. The included lightweight browser does a good job, but it still isn’t good enough. You will be disappointed with the performance if you have any expectations at all.

For the price, and seeing how well-balanced it is, it’s sure worth getting one. There are a lot of uses for a silent all-in-one computer. Sometimes a lot of horsepower isn’t required, and this is where the RPI shines.

Home Network Storage With Point and Click ZFS!


I’ve kind of forgotten to post about my “new” NAS, which sort of replaced my old Buffalo Link Station Live 3TB.

I had somewhat of a complicated relationship with the Link Station – on one hand it “did what it was supposed to”, but on the other hand it didn’t do anything else. Yes, it had a lot of nice features, but it couldn’t run them because then it would run out of system resources.

So when I upgraded my PC (as in bought a new one, reused the SSD and one drive), I was thinking of converting the leftover hardware into a NAS.

I wanted the following features:
* More than 3T storage in one logical drive
* One disk redundancy
* Portability (Can restore volume on another machine)
* Semi-future-proof
* Silent (as in I should be able to sleep with it on)
* Encryption

Since I’m mostly familiar with Linux, I looked into some software-RAID possibilities. The idea was that I could install a distro onto a flash drive, thereby saving an internal HDD slot, and run a software RAID creating both one logical drive and giving me redundancy.

While researching, a friend of mine lost his array due to software error (probably some human error too, perhaps) when the system drive got corrupted. I didn’t like the idea that some setups required configuration on the system disk because then the setup wouldn’t be portable in case of a system failure.

I’ve had my eye on ZFS for some time, but never got around to implementing it because of the hardware requirements. Suddenly ZFS looked like a much better option. Originally I kind of wanted to run services on my NAS as well, which probably wouldn’t be possible with the kind of memory ZFS requires. However, I knew that if I were to run a multitude of services on the same machine which also hosted all my files, I’d eventually break something important. So perhaps, I thought, it’d be better to just go for ZFS.

Point and click ZFS? FreeNAS!

FreeNAS works flawlessly for me, albeit a bit slow at times. That might not be FreeNAS’s fault, though; it could be my SATA controller. It’s currently hosting 3x1T and 3x3T of storage, shared over a gigabit interface.
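The feature list above (more than 3T in one logical drive, one-disk redundancy) and the 3x1T + 3x3T disk set raise the question of how to group the disks into vdevs, and mixing disk sizes inside one vdev has a cost that is easy to overlook. The following Python script is an added example, not part of the original post and not FreeNAS code: it models usable capacity and fault tolerance for a few candidate layouts. It is a simplification (a mirror or raidz vdev is sized by its smallest member; ZFS metadata, slop space and raidz padding overhead are ignored), and since the post doesn’t say how the six disks were actually grouped, the layouts in it are assumptions.

```python
"""Usable capacity and fault tolerance of candidate ZFS pool layouts.

Added example for this post; not part of the original page and not FreeNAS
code. Simplified model: a mirror or raidz vdev is limited by its smallest
member disk, and ZFS's own metadata, slop space and raidz padding overhead
are ignored. The grouping of the post's 3x1T and 3x3T disks into vdevs is
an assumption.
"""
from dataclasses import dataclass
from typing import List

VDEV_KINDS = ("stripe", "mirror", "raidz1", "raidz2")


@dataclass
class Vdev:
    kind: str                # one of VDEV_KINDS
    disks_tb: List[float]    # size of each member disk, in TB

    def __post_init__(self) -> None:
        if self.kind not in VDEV_KINDS:
            raise ValueError(f"unknown vdev kind {self.kind!r}")
        minimum = {"stripe": 1, "mirror": 2, "raidz1": 3, "raidz2": 4}[self.kind]
        if len(self.disks_tb) < minimum:
            raise ValueError(f"{self.kind} needs at least {minimum} disks")

    def usable_tb(self) -> float:
        """Space you can actually store files in."""
        n, smallest = len(self.disks_tb), min(self.disks_tb)
        if self.kind == "stripe":
            return sum(self.disks_tb)
        if self.kind == "mirror":
            return smallest
        parity = 1 if self.kind == "raidz1" else 2
        return (n - parity) * smallest

    def failures_tolerated(self) -> int:
        """How many member disks may die before the vdev (and the pool) is lost."""
        return {"stripe": 0, "mirror": len(self.disks_tb) - 1, "raidz1": 1, "raidz2": 2}[self.kind]

    def unused_tb(self) -> float:
        """Raw space thrown away because larger disks share a vdev with smaller ones."""
        if self.kind == "stripe":
            return 0.0
        return sum(self.disks_tb) - len(self.disks_tb) * min(self.disks_tb)


def pool_usable_tb(vdevs: List[Vdev]) -> float:
    # Data is striped across vdevs, so their capacities add up.
    return sum(v.usable_tb() for v in vdevs)


def pool_failures_tolerated(vdevs: List[Vdev]) -> int:
    # Losing any single vdev loses the whole pool, so the weakest vdev decides.
    return min(v.failures_tolerated() for v in vdevs)


def meets_requirements(vdevs: List[Vdev], min_capacity_tb: float = 3.0, min_redundancy: int = 1) -> bool:
    """The post's two hard requirements: more than 3T in one logical drive, one-disk redundancy."""
    return pool_usable_tb(vdevs) > min_capacity_tb and pool_failures_tolerated(vdevs) >= min_redundancy


# Assumed candidate layouts for three 1 TB and three 3 TB disks.
LAYOUTS = {
    "two raidz1 vdevs (3x1T + 3x3T)": [Vdev("raidz1", [1, 1, 1]), Vdev("raidz1", [3, 3, 3])],
    "one raidz1 vdev of all six": [Vdev("raidz1", [1, 1, 1, 3, 3, 3])],
    "one raidz2 vdev of all six": [Vdev("raidz2", [1, 1, 1, 3, 3, 3])],
    "plain stripe of all six": [Vdev("stripe", [1, 1, 1, 3, 3, 3])],
}

if __name__ == "__main__":
    for name, vdevs in LAYOUTS.items():
        print(f"{name}: {pool_usable_tb(vdevs):.0f} TB usable, "
              f"survives {pool_failures_tolerated(vdevs)} disk failure(s), "
              f"wastes {sum(v.unused_tb() for v in vdevs):.0f} TB, "
              f"ok={meets_requirements(vdevs)}")
```

The instructive case is the single six-disk raidz1: it keeps the one-disk redundancy but yields only 5 TB because every member is treated as a 1 TB disk, throwing away 6 TB of raw space, whereas two separate raidz1 vdevs of matching disks give 8 TB with the same redundancy.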

The admin web interface is very responsive and the only operation that actually takes a while is volume mounting, which is to be expected. It’s only done once per reboot anyway. You have access to pretty much all configuration from there, and a (somewhat laggy) terminal. A regular console is available if you plug in a display and keyboard.

Finally, let’s round it up with a little bit of pros and cons.

Pros:
* Point and click ZFS, with disk encryption and network sharing.
* Extensive admin web interface.
* Based on FreeBSD.
* Can run from a CD or USB drive.

Cons:
* If something breaks you might have to bring up a terminal.
* You can’t put files on the flash drive, i.e. scripts etc.
* Could have been better at displaying system information, like S.M.A.R.T. details and disk temperature.

Bottom line: go install FreeNAS if you need a file storage machine!

Move a VirtualBox Virtual Disk

It’s actually embarrassingly easy, really.

Go to File > Virtual Media Manager and select the disk you want to move. Make sure the machine using it is offline, and press Release. This will disassociate the disk from the machine. Then choose Remove and opt to keep the disk image. That’s important, because otherwise you’ll lose your data!

Proceed and move the disk file to the new location.

Open settings for the virtual machine using the disk, go to Storage, select Controller: SATA, tap the Add button below the list and choose Hard Disk. Opt to pick an existing disk and find yours using the file browser.


VirtualBox doesn’t allow you to import disks already mounted or already tracked by the platform. Every disk has a unique ID which identifies it, which means that simply copying and trying to attach the copy won’t work at all.

How to import the OWASP Broken Web Applications virtual machine in VirtualBox

Step 1

Download the OWASP BWA files: https://www.owasp.org/index.php/OWASP_Broken_Web_Applications_Project

Step 2

Create a folder and extract all files there. Probably a good idea to put the folder right next to your other virtual machines, if you have any. This folder shouldn’t move around.

Step 3

Open VirtualBox and create a new machine named OWASP BWA (or whatever) as Linux/Ubuntu. Set RAM to something appropriate (I’m using 2GB because I can).

Choose to use an existing hard drive and select the disk file you just extracted.

Step 4

You might want to fiddle around with various settings, like bridging the network interface etc. Exposing it to anyone else is not recommended, though, since OWASP BWA contains multiple security holes.