Michele Spagnuolo


Abusing JSONP with Rosetta Flash

First presented at Hack In The Box: Kuala Lumpur - October 15, 2014

In this paper we present Rosetta Flash (CVE-2014-4671, CVE-2014-5333), an exploitation technique that involves crafting charset-restricted Flash SWF files in order to abuse JSONP endpoints and allow Cross Site Request Forgery attacks against domains hosting JSONP endpoints, bypassing Same Origin Policy.

With this attack it is possible to make a victim perform arbitrary requests to the domain with the JSONP endpoint and exfiltrate potentially sensitive data, not limited to JSONP responses, to an attacker-controlled site.

High profile Google domains, YouTube, Twitter, LinkedIn, Yahoo!, eBay, Mail.ru, Flickr, Baidu, Instagram, Tumblr and Olark have had or still have vulnerable JSONP endpoints at the time of writing. Popular web development framework Ruby on Rails and MediaWiki also addressed this vulnerability. Rosetta Flash has been nominated for a Pwnie Award and won an Internet Bug Bounty by HackerOne.

Rosetta Flash paper - Slides .

BitIodine: Extracting Intelligence from the Bitcoin Network

Master thesis work - University of Illinois at Chicago - Politecnico di Milano

BitIodine design

Bitcoin, the famous peer-to-peer, decentralized electronic currency system, allows users to benefit from pseudonymity, by generating an arbitrary number of aliases (or addresses) to move funds. However, the complete history of all transactions ever performed in the Bitcoin network, called blockchain, is public and replicated on each node. The data contained into the network is difficult to analyze manually, but can yield a high number of relevant information.

In this thesis we present a modular framework, BitIodine, which parses the blockchain, clusters addresses that are likely to belong to a same user or group of users, classifies such users and labels them, and finally visualizes complex information extracted from the Bitcoin network.

BitIodine allows to label users automatically or semi-automatically with information on who they are and what they do, thanks to several web scrapers that incrementally update lists of addresses belonging to known identities, and that connect information from trades recorded in exchanges, thus allowing to trace money entering and exiting the Bitcoin economy. BitIodine also supports manual investigation by finding paths and reverse paths between two addresses or a user and an address.

We test BitIodine on several real-world use cases. For instance, we find a connection between the founder of the Silk Road, the famous black market operating in Bitcoin, and an address with a balance exceeding 111,114 BTC, likely belonging to the encrypted Silk Road cold wallet. In another example, we investigate the CryptoLocker ransomware, a malware that encrypts the victim's personal files with strong encryption, asking for a ransom to be paid in order to release the files. Starting by an address posted on a forum by a victim, we accurately quantify the number of ransoms paid and get information about the victims.

We will release BitIodine to allow the community of researchers to enhance it, thanks to its modular infrastructure. Our hope is that it can become the skeleton for building more complex frameworks for Bitcoin forensic analysis.

BitIodine: Get more from the blockchain - demo site

BitIodine: Extracting Intelligence from the Bitcoin Network - Thesis .

Michele Spagnuolo, Federico Maggi and Stefano Zanero - BitIodine: Extracting Intelligence from the Bitcoin Network (Financial Cryptography and Data Security 2014).

BitIodine presentation .

Using Parse Tree Validation to Prevent SQL Injection Attacks

Based on Using Parse Tree Validation to Prevent SQL Injection Attacks by Gregory T. Buehrer, Bruce W. Weide, and Paolo A. G. Sivilotti.

An SQL injection attack targets interactive web applications that employ database services. Such applications accept user input, such as form fields, and then include this input in database requests, typically SQL statements. In SQL injection, the attacker provides user input that results in a different database request than was intended by the application programmer. That is, the interpretation of the user input as part of a larger SQL statement, results in an SQL statement of a different form than originally intended. We describe a technique to prevent this kind of manipulation and hence eliminate SQL injection vulnerabilities. The technique is based on comparing, at run time, the parse tree of the SQL statement before inclusion of user input with that resulting after inclusion of input.

I wrote a simple Bison grammar for a subset of SQL and a lexer in Flex, then a PHP frontend that presents the user differences between parse trees of two queries: a reference query and a query to test.

Using Parse Tree Validation to Prevent SQL Injection Attacks - Flyer .

Web demo on this site .