Exploit Web 2.0, Real Life XSS-Worm

Whitepaper called Exploiting Web 2.0, Real Life XSS-Worm.

Book Review: 'The Tangled Web' By Michal Zalewski

No Starch Press: $49.95

If you are a security engineer, a researcher, a hacker or just someone who keeps an ear to the ground when it comes to computer security, chances are you have seen the name Michal Zalewski. He has been responsible for an abundance of tools, research, proofs of concept and helpful insight to many over the years. He recently released a book called "The Tangled Web - A Guide To Securing Modern Web Applications".

Normally, when I read books about securing web applications, I find many parallels where authors will give an initial lay of the land, dictating what technologies they will address, what programming languages they will encompass and a decent amount of detail on vulnerabilities that exist along with some remediation tactics. Such books are invaluable for people in this line of work, but there is a bigger picture that needs to be addressed and it includes quite a bit of secret knowledge rarely divulged in the security community. You hear it in passing conversation over beers with colleagues or discover it through random tests on your own. But rarely are the oddities documented anywhere in a thorough manner.

Before we go any further, let us take a step back in time. Well over a decade ago, the web was still in its infancy and an amusing vulnerability known as the phf exploit surfaced. It was nothing more than a simple input validation bug that resulted in arbitrary code execution. The average hacker enjoyed this (and many more bugs like it) during this golden age. At the time, developers of web applications had a hard enough time getting their code to work and rarely took security implications into account. Years later, cross site scripting was discovered and there was much debate about whether or not a cross site scripting vulnerability was that important. After all, it was an issue that restricted itself to the web ecosystem and did not give us a shell on the server. Rhetoric on mailing lists mocked such findings and we (Packet Storm) received many emails saying that by archiving these issues we were degrading the quality of the site. But as the web evolved, people started banking online, their credit records were online and before you knew it, people were checking their social network updates on their phone every five minutes. All of a sudden, something as small as a cross site scripting vulnerability mattered greatly.

To make the situation worse, many programs were developed to support web-related technologies. In the corporate world, being first to market or putting out a new feature in a timely fashion trumps security. Backwards compatibility that feeds poor design became a must for any of the larger browser vendors. The "browser wars" began and everyone had different ideas on how to solve different issues. To say web-related technologies brought many levels of complexity to the modern computing experience is a great understatement. Browser-side programming languages, such as JavaScript, became a playground for hackers. Understanding the Document Object Model (DOM) and the implications of poorly coded applications became one of those lunch discussions that could cause you to put your face into your mashed potatoes. Enter "The Tangled Web".

This book puts some very complicated nuances in plain (enough) English. It starts out with Zalewski giving a brief synopsis of the security industry and the web. Breakdowns of the basics are provided and it is written in a way that is inviting for anyone to read. It goes on to cover a wide array of topics including the operation of browsers, the protocols involved, the various types of documents handled and the languages supported. Armed with this knowledge, the reader is enabled to tackle the next section detailing browser security features. As the author puts it, it covers "everything from the well-known but often misunderstood same-origin policy to the obscure and proprietary zone settings of Internet Explorer". Browsers, it turns out, have a ridiculous amount of odd dynamics for even the simplest acts. The last section wraps things up with upcoming security features and various browser mechanisms to note.

I found it a credit to the diversity of the book that technical discussion could also trail off to give historical notes on poor industry behavior. When it noted DNS hijacking by various providers it reminded me of the very distinct and constantly apparent disconnect between business and knowledge of technology. When noting how non-HTTP servers were being leveraged to commit cross site scripting attacks, Zalewski also made it a point to note how the Internet Explorer releases only have a handful of prohibited ports but all other browsers have dozens that they block. The delicate balance of understanding alongside context is vital when using information from this book and applying it to design.

Every page offers some bit of interesting knowledge that dives deep. It takes the time to note the odd behaviors small mistakes can cause and also points out where flawed security implementations exist. This book touches on the old and the new and many things other security books have overlooked. Another nice addition is that it provides security engineering cheatsheets at the end of each chapter. To be thorough, it explains the initiatives set out by RFCs while also documenting the different paths various browser vendors have taken in tackling tricky security issues. Google's Chrome, Mozilla's Firefox, Microsoft's Internet Explorer, Apple's Safari and Opera are compared and contrasted at length throughout this book.

In my opinion, the web has become a layer cake over the years. New shiny technologies and add-ons have been thrown into the user experience and with each of them comes a new set of security implications. One-off findings are constantly discovered and documented (and at Packet Storm we try to archive every one of them), but this is the first time I have seen a comprehensive guide that focuses on everything from cross-domain content inclusion to content-sniffing. It is the sort of book that should be required reading for every web developer.

 -Todd

Asif Ali Zardari Website Hacker Nabbed

Interweb Chuck Norris Infiltrates Netflix, Tivo

Researcher Raids Browser History For Webmail Login Tokens

IBM OpenAdmin Tool SOAP welcomeServer PHP Code Execution

This Metasploit module exploits an unauthenticated remote PHP code execution vulnerability in IBM OpenAdmin Tool included with IBM Informix versions 11.5, 11.7, and 12.1. The 'welcomeServer' SOAP service does not properly validate user input in the 'new_home_page' parameter of the 'saveHomePage' method allowing arbitrary PHP code to be written to the config.php file. The config.php file is executed in most pages within the application, and accessible directly via the web root, resulting in code execution. This Metasploit module has been tested successfully on IBM OpenAdmin Tool 3.14 on Informix 12.10 Developer Edition (SUSE Linux 11) virtual appliance.

Elcomsoft Verdict Weakens the DMCA

Court Confirms DMCA Good Faith Web Site Shut Down

Demonoid Still Down One Week After Massive DDoS Attack

The Power of Salt

Where the river meets the sea, there is the potential to harness a significant amount of renewable energy, according to a team of mechanical engineers at MIT.

Halifax Water Generates Power from a 32-kW In-pipe Small Hydroelectric System

Halifax Regional Municipality of Nova Scotia, Canada, is the first Canadian city to use an in-pipe hydroelectric generation system within a pressurized water distribution pipeline, according to Halifax Water. On Nov. 13, a 32-kW generating system within a drinking water distribution control chamber for Halifax Water began providing power.

Shining a Light on Women Leaders in the Power Industry

In early 2013, a group of women, dubbed the Women in Power committee, assembled in Orlando, Florida to figure out how to honor women who have dedicated their careers to the power industry. The industry is male-dominated with men making up more than 75 percent of the workforce, according to estimates.

Siemens Announces Plan to Exit Marine Power Sector

Technology and equipment giant Siemens AG has decided to sell its tidal energy company, Marine Current Turbines Ltd., citing slow development in the marine and hydrokinetics sector.

Gas and Coal To Replace Hydropower in Brazil, Pollution to Follow

The Brazilian government is seeking to award contracts in an auction tomorrow for natural gas- and coal-fueled power plants, reversing a drive that previously favored renewable-energy projects. It would lead to the first new thermal plants in three years, after the government scaled back such projects and awarded wind contracts starting in 2009 and solar energy earlier this year.

Energy Efficiency and Renewables Are Lowest Risk/Cost Investments for Utilities

A new report by utility and finance experts contains positive news for the environment, our air and our (and our utilities’) pocketbooks — the economics of electric power resources have made zero-emissions energy efficiency and renewable energy technologies the most financially attractive options to meet the nation’s future energy demands.

Marine Power May Suffer More Casualties After Siemens Tidal Sale

The downfall of two leading marine- energy developers is damping hope that the emerging industry, which has already lost almost $1 billion, will ever get the technology to market.

Sage Advice is the Highlight of the Women in Power Luncheon

The advice that Pennwell’s 2014 Woman of the Year, Mary Powell, gave to women in the power industry during Tuesday’s Women in Power Luncheon might come as a surprise to some. It was this: Stop undercutting each other. Powell said the most difficult obstacles she has encountered in her various leadership roles have not come from men, but rather from other women. Small comments like “I don’t know how you do it [being a mom and holding a high-level job]”, serve to bring doubt and uncertainty to high achieving women in any industry, and ultimately can lead to women exiting their careers in order to fit what they perceive is the societal norm.

Renewable Energy Matchmaking: Newest Key to Reaching 2020 Sustainability Goals

The siren call of 2020 corporate environmental sustainability goals is quickly getting louder, as corporate leaders realize they must go further today to achieve their sustainability targets for tomorrow. Increased use of renewable energy is an ambitious goal for some of the world’s largest companies, as 59 percent of the Fortune 100 and nearly two-thirds of the Global 100 have set GHG emissions reduction commitments, renewable energy commitments or both, according to a recent Ceres’ report, Power Forward: Why the World’s Largest Companies Are Investing in Renewable Energy. One global consumer products company, for example, plans to derive 30 percent of its energy from clean sources by 2020.

We Should be Looking to CEOs, Not Politicians, for Climate Change Action

In May of 2014, Speaker of the House John Boehner responded to a climate change question with, “listen, I’m not qualified to debate the science over climate change. I am astute to understand that every proposal that has come out of this administration to deal with climate change involves hurting our economy and killing American jobs. That can’t be the prescription for dealing with changes to our climate.” Speaker Boehner is not the only one reluctant to enter into the debate on climate change. In a March interview Mitch McConnell responded to a climate change remark with, “For everybody who thinks it's warming, I can find somebody who thinks it isn't…”

Dynamic Tidal Power Technology Advances

As an industrial powerhouse and the world’s largest energy consumer, China is fortunate to have abundant coal and hydropower resources. However, to meet demand in the east and south of the country, planners continue to seek new ways to generate local energy. In addition, plans call for development that reduces the use of fossil fuels as a way to also reduce air pollution.

Want to Buy a Used German Power Plant? Shipping Is Included

Germany’s utilities, battered by the country’s shift to wind turbines and solar panels, would be glad to sell you a power plant on the cheap. They’ll even pack it up and ship it to another country.

Former FERC Chief Jon Wellinghoff Speaks Out on Grid Security and Distributed Generation

In a previous article, I had a conversation with former CIA chief Jim Woolsey to discuss one of America’s greatest national security vulnerabilities, its power grid. The issue that Woolsey has been concerned with for over a decade is the ease with which a terrorist group or other actor (think North Korea, for example) could attack the grid and plunge the country into darkness for months, if not years. And if that seems far-fetched, just recall how a tree limb fell in Ohio in 2003 and blacked out the entire Northeast and part of Canada for several days.

Reports Clash Over Concerns about the US EPA Clean Power Plan

Last year the U.S. Environmental Protection Agency (EPA) proposed its aggressive Clean Power Plan (CPP), which calls to reduce carbon emissions 30 percent by 2030 over 2005 levels. States are required to submit reduction plans that can include increasing renewables, efficiency, and cap and trade programs by June 2016.

Will Lower Oil Prices Dampen the Mining Industry’s Appetite for Renewables?

For many mining companies, the rallying cry for investigating solar or wind energy options has been that the price of oil and other conventional fuels is too high — and will almost certainly rise over time. Now, though, with oil prices having taken a dramatic nosedive, this argument no longer packs quite the same punch that it once did.

Harvard’s Star Alumni Urge Week of Fossil Fuel Protests

Actress Natalie Portman, environmentalist Robert F. Kennedy, Jr., and other high-profile Harvard University alumni are calling for demonstrations to urge divestment from fossil fuels.

Sweden, Norway Increase Renewable Target Amid Power Glut Concern

Sweden and Norway agreed to boost their target for renewable energy production amid concerns the additional capacity will exacerbate a power glut and strain the region’s electricity grid.

Tidal Lagoon’s Next Plant May Produce Power on Par with Nuclear

The U.K. company planning the world’s first tidal-lagoon power station said its next plant may generate electricity at almost half the price.

Beijing to Shut All Major Coal Power Plants to Cut Pollution

Beijing, where pollution averaged more than twice China’s national standard last year, will close the last of its four major coal-fired power plants next year.

Clean Energy Makes Up Record Share of UK Power with Coal-to-Biomass Conversions

U.K. electricity from low-carbon sources accounted for almost a quarter of the country’s generation in the fourth quarter as Drax Group Plc converted a second coal-power plant to burn wood.

Clean Energy Spending Drops 15 Percent to Reach Lowest Level Since 2013

Global investment in clean energy slumped 15 percent in the first quarter to the lowest level in two years because of a decline in wind and utility-scale projects.

Listen Up: Can We Get To 100 Percent Renewables?

We've made great progress with renewable energy — but from an almost zero base we still have a long way to go. Fortunately, the path is clear. California is already over 12 percent with a combination of hydroelectric, wind and solar (unfortunately not much hydro this year). Getting to 50 percent only requires the deployment of existing technology. But can we get to 100 percent?

Australia’s Biggest Power Producer Sees Future without Coal

Australia’s largest electricity producer committed to close its coal-fired power plants within 35 years as part of an effort to cut the nation’s dependence on the fossil fuel.

Experts Agree: We Can Preserve Electric Reliability and Protect Public Health Under Clean Power Plan

Last June, the Environmental Protection Agency (EPA) proposed the first ever national carbon pollution standards for existing power plants. Fossil fuel-fired power plants account for almost 40% of U.S. carbon dioxide emissions, making them the largest source of greenhouse gas emissions in the nation and one of the single largest categories of greenhouse gas sources in the world.

US Power Grid’s $2 Trillion Upgrade Needs European Efficiency

A $2 trillion push in the U.S. to blend renewable energy into the power supply and fortify transmission lines against extreme weather means that Americans must act more like Europeans to keep their power costs down.

Japan Anticipates Clean Energy Will Edge Out Nuclear Power

Japan anticipates that by 2030 clean energy such as solar and hydro will generate slightly more of the nation’s electricity than nuclear power plants.

Germany's Powerhouse Feels Pinch of Merkel’s Shift to Renewables

North Rhine-Westphalia, the German state that’s home to utilities RWE AG and EON SE, is losing its standing as the country’s powerhouse as wind and solar energy begin to displace conventional sources.

Electricity consumers in the western state, which has one-third of Germany’s installed conventional power capacity, last year paid 3.1 billion euros ($3.5 billion) more to subsidize clean energy generation than producers there were awarded, the BDEW utility lobby said in a report Tuesday. The biggest recipient was Brandenburg in the east with a positive balance of 838 million euros.

Canada Announces Weak Climate Target

Last week, Canada announced its contribution to the global effort to reduce greenhouse gases by announcing its post-2020 target. The target is off-track to the 80 percent cut by 2050 they committed to in 2009 and significantly higher than the U.S. target. They also announced a series of new measures, but failed to address their largest source of growing emissions — tar sands.

Wave Energy Week Will Mix Marine Energy Developers with Traditional Hydropower

Oregon Gov. Kate Brown, Democrat, has proclaimed “July 13-17, 2015 to be Oregon Wave Week in Oregon and encourages all Oregonians to join in this observance.”

Listen Up: Vampires Sucking Power from your House

Here’s a nightmare for you: at night, when you’re asleep and you think things are quiet, there are vampires sucking power out of your house and increasing your electric bill. The fact of the matter is that every plugged in electrical device in your home uses a small amount of standby power -- even if you think these devices are off.

Renewable Energy Gains Greater Opportunity in US Clean Power Plan

After a year of being pummeled by opponents, Obama’s final carbon reduction plan emerged this week with an even stronger push for renewable energy.

Wind and solar energy are centerpieces of the Clean Power Plan, the United States’ first ever rule to reduce carbon dioxide from power plants.

The rule not only makes renewables one of the plan’s three central building blocks, but also creates special incentives to spur communities to build renewables more quickly than required.

The revised version of the rule comes after a year of review, hundreds of meetings and 4.3 million public comments delivered to EPA.  It requires that states come up with plans to cut carbon pollution from power plants by 870 million tons, or 32 percent below 2005 levels, in 2030.

Chile will increase small hydropower generation with 3-MW Los Pinos hydropower plant

Chile's Schwager Energy and China-based Shenyang Yuanda Commercial & Investment Co. signed a memorandum of understanding on Nov. 3 to build the 3-MW Los Pinos run-of-the-river hydroelectric plant in southern Chile's Lagos region, according to BN Americas.

U.S.-led Power Africa initiative to invest US$1 billion in Nigeria for energy including hydropower

Power Africa and Trade Africa Coordinator, Andrew Herscowitz, announced on Feb. 14 during the Abuja Electricity Distribution Co.’s two-day Distribution Company Workshop in Abuja, Nigeria, that the U.S. will invest US$1billion in the country through the U.S. Trade and Development Agency (USTDA).