VoIP and WebRTC
Security Articles and News

SIPVicious OSS 0.3.0 released

It’s been a few years since we released a new version of SIPVicious. Truth is, we were working on SIPVicious PRO which we started making available to some of our clients. Many people still use the open-source version of SIPVicious and it is included in various pentest Linux distributions, and definitely is useful to a number of people (especially after they change the user-agent string). And so, with the impending Python2 apocalypse, we decided to make a new release, porting SIPVicious OSS to Python 3 and including various updates that happened since 2015 in the master branch.

If SIPVicious gives you a ring…

Note: SIPVicious version 0.28 is out, go get it.

I like to keep an eye on the social media and Google alerts for SIPVicious and in the last few months I noticed a rise in mentions of the tools. Specifically, a number of Korean twitter users (who have their service with KT, a VoIP service provider) complaining about receiving a call from a caller-id showing ‘SIPVicious’.

Using XSS to switch off dotDefender 4.0

AppliCure’s dotDefender version 4.0 had a security flaw in the log viewing feature of the administrative interface. We just published an advisory for this vulnerability. Here’s the interesting part:

“The log viewer facility in dotDefender does not properly htmlencode user supplied input. This leads to a cross site scripting vulnerability when the log viewer displays HTTP headers.”

The following video shows how an attacker can make use of cross site scripting to get the system administrator to automatically switch off dotDefender. This effectively disables the WAF, leaving the web application exposed to any attacks that said WAF was supposed to protect against.

Setting the secure flag in the cookie is easy

TechRepublic had an interesting article about the Surf Jack attack. Many people commented, some giving their own solution to the problem. However many of these solutions do not prevent the attack because they do not really address it. Of course, who ever missed the details should check out the paper.

The attack has been addressed quite a while ago, and the solution is easy to implement in many occasions. So no need to reinvent the wheel or create a new solution which has not been peer reviewed yet. Here I’ll indicate how to set the secure flag in various languages / web application technologies. The idea is that besides making use of HTTPS instead of HTTP, one needs to set a flag in the cookie so that it cannot be leaked out in clear text.

Surf Jack - HTTPS will not save you

Say hello to a new security tool called Surf Jack which demonstrates a security flaw found in many public sites. The proof of concept tool allows testers to steal session cookies on HTTP and HTTPS sites that do not set the Cookie secure flag. I’ve been working with two banks and some of the vulnerable sites to get this fixed before publishing my research. Mike Perry gave a talk at Defcon involving the exact same vulnerability - so there is no point in keeping this from the public.