March 2011 Webapp Security Fengshui in Hong Kong (Researchers: AlanH0 x Darkfloyd, VXRL)

posted Oct 25, 2011, 7:11 AM by Anthony Lai

In these two months, we have done a large-scale round of simple vulnerability digging to check whether banks and companies have put controls in their web applications. We referred to the OWASP Top 10 but spent only 10-15 minutes on each site. Amazingly, we found over 120 vulnerabilities across 80 companies. Some banks, listed companies and Hong Kong government departments have carried out "regular" audits and penetration tests; we doubt whether they are just running a scanner, finding nothing, feeling safe and secure, and treating security as a kind of "homework". Did they undertake a real test? Did they follow a secure system development lifecycle?

By the way, we found that we could potentially dump thousands of job applicants' records (name, address and phone number as well as the position applied for) from a well-known listed MNC. We reported this issue via a contact, but they simply do not take the issue seriously. We will publish it in a few weeks if they do not pay attention to it.

In addition, we are glad that some banks' CERT teams have reached out to us for rectification and more details.

We will soon publish a detailed white paper with recommendations. Please stay tuned, dudes. By the way, the crawling for vulnerabilities is still ongoing.

#1: SSL sounds secure, but we could inject an iFrame over SSL. Thank you to Hang Seng Bank's mistake.

#2: Browsing API documentation and playing with JSP and Servlet samples on an HSBC server when you feel bored :-))

#3. Exposure of database server name, IP, admin ID and password via its search engine

#4. XSS and injected iframes everywhere (including Merrill Lynch, RBS and BNP)
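Findings #1 and #4 describe the same defect: a page reflects user input into its HTML, so an injected iframe or script becomes real markup, and TLS does nothing about it because it only encrypts the transport. The following example is added here and is not code from VXRL or from any of the sites named above; it shows a constructed search handler in its vulnerable form beside a hardened form (HTML escaping plus Content-Security-Policy headers as defence in depth), together with the crude response check a quick review pass would run. The attacker host name, the handler names and the sample query are constructed for illustration.

```python
import html

# Constructed sample input: the kind of reflected-injection probe a quick
# web-application check sends; the host name is a placeholder.
SAMPLE_QUERY = '<iframe src="https://attacker.example/"></iframe>'


def render_search_vulnerable(query: str) -> str:
    """Reflects the query verbatim into the page.

    Serving this over HTTPS changes nothing: the injected iframe tag is
    encrypted on the wire and then rendered by the browser as real markup.
    """
    return f"<html><body><p>Results for: {query}</p></body></html>"


def render_search_hardened(query: str) -> str:
    """Escapes the query before it reaches the HTML context.

    html.escape turns '<' into '&lt;' and, with quote=True, also neutralises
    quotes, so the input is displayed as text rather than parsed as a tag.
    """
    safe = html.escape(query, quote=True)
    return f"<html><body><p>Results for: {safe}</p></body></html>"


def security_headers() -> dict:
    """Defence in depth for the case where escaping is missed somewhere.

    frame-src 'none' stops an injected <iframe> from loading anything,
    frame-ancestors 'none' / X-Frame-Options stop the page itself being
    framed, and HSTS keeps the transport on TLS.
    """
    return {
        "Content-Security-Policy": (
            "default-src 'self'; frame-src 'none'; frame-ancestors 'none'"
        ),
        "X-Frame-Options": "DENY",
        "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    }


def contains_injected_iframe(body: str) -> bool:
    """Minimal response check used during a review pass.

    The template never emits an iframe, so a literal '<iframe' in the
    response body is a reliable sign that the reflected input was not
    encoded on the way into the page.
    """
    return "<iframe" in body.lower()


if __name__ == "__main__":
    vulnerable = render_search_vulnerable(SAMPLE_QUERY)
    hardened = render_search_hardened(SAMPLE_QUERY)
    print("vulnerable page injects iframe:", contains_injected_iframe(vulnerable))
    print("hardened page injects iframe:  ", contains_injected_iframe(hardened))
    for name, value in security_headers().items():
        print(f"{name}: {value}")
```

The check in `contains_injected_iframe` is deliberately simple; it is the kind of assertion that belongs in an application's own test suite for every handler that reflects input, which is exactly what a scanner-only "audit" tends not to exercise.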

#5. When you have paid a large sum of money for a penetration test and audit from a Big 4 firm, how do you feel if basic web vulnerabilities on their own sites could not be found and fixed? :-)

** The blog message can be found on AttackResearch as well. Thank you to my good research fellows, Val and Colin:

October 2010 Stuxnet Analysis
We have found comprehensive analysis reports from various security and anti-virus companies:

Antiy Lab (sent to you before); a Chinese version can be found from Antiy
Kaspersky (no softcopy available yet, but please follow up if you have got the copy)

July 2010 APT never dies
Author: Darkfloyd
I simply published one with my Taiwanese research fellow