In many situations, minor vulnerabilities might seem like small fish in the vast ocean of cybersecurity threats. They’re often marked as low severity and thus, overlooked by developers who assume that the conditions for their exploitation are too complicated to be met. However, in this article, we’re going to challenge that assumption and show you …
XSS in WordPress via open embed auto discovery
Introduction Users often assume that known software is free of security flaws because it has been checked by a sufficient number of tools and security testers. However, this is not an assumption that a pentester or bug hunter can afford to make. Vulnerabilities may lurk in various places, and finding an interesting bug often requires …
How to access data secured with BitLocker? Do a system update
Do you suffer from eternal lack of time for system updates? Finally managed to find a moment to install them, but you didn’t finish the whole process because you had to run out of the office? Is your data safe? Read this article to find out. As always in the IT world, it is difficult …
Amazon once again lost control (for 3 hours) over the IP pool in a BGP Hijacking attack
Last month, Amazon lost control of its cloud-based IP address pool for more than three hours, which allowed cyber criminals to steal $235,000 from users of one of AWS’s customers. Using BGP hijacking, hackers gained control over a pool of 256 IP addresses. Briefly describing the BGP protocol, it is a backbone – the basis …
SOCMINT – or rather OSINT of social media
SOCMINT is the process of gathering and analyzing the information collected from various social networks, channels and communication groups in order to track down an object, gather as much partial data as possible, and potentially to understand its operation. All this in order to analyze the collected information and to achieve that goal by making …
PyScript – or rather Python in your browser + what can be done with it?
PyScript – or rather Python in your browser + what can be done with it? A few days ago, the Anaconda project announced the PyScript framework, which allows Python code to be executed directly in the browser. Additionally, it also covers its integration with HTML and JS code. An execution of the Python code in …
Part 3. Windows security: reconnaissance of Active Directory environment with BloodHound.
Collecting information about the domain environment with SharpHound A program that collects domain environment data – SharpHound is a component of the BloodHound tool. The collection of environmental data starts when SharpHound.exe is run on one of the computers. The entire BloodHound package can be downloaded (Figure 32) from the address: https://github.com/BloodHoundAD/BloodHound/releases After downloading and …
Part 1. Windows security: reconnaissance of Active Directory environment with BloodHound.
Windows security: reconnaissance of Active Directory environment with BloodHound. In this article we will take a closer look at the BloodHound tool – Six Degrees of Domain Admin. The application was developed in JavaScript and built using the Electron platform. The graphical visualization uses the Neo4j database. During the experiment, we will use a Windows …
Part 1. Windows security – what is LSASS dump. How to protect against it?
Windows security – what is LSASS dump. How to protect against it? The ability of Advanced Persistent Threat (APT) groups and other threat actors to take a dump of Windows credentials is a serious threat especially to enterprises and other organizations. The MITRE ATT&CK knowledge base, which is created primarily to support defense against cyber …
Remote code execution by fail2ban
In this article we will discuss a recently published vulnerability in quite popular software – fail2ban (CVE-2021-32749). Under the right conditions, this bug could be exploited to achieve code execution with root privileges. Luckily, it is difficult for a “normal” attacker to achieve. This vulnerability is rooted in a way the mail command from the …
Detecting threats to wireless networks with a free IDS-class tool: nzyme
Nzyme is a new Open Source software, created in a spare time by CTO Graylog Lennart Koopmann. In March this year, version 1.0 of “Kyle Canyon” was released. Nzyme is used to detect threats to wireless networks and belongs to the family of Wireless Intrusion Detection System (WIDS). This is probably the most interesting and …
Is running legacy software with no publicly known exploits safe?
There is a lot of legacy software running all over the network. This is an excellent example of technological debt. And the debt means that we are borrowing. We borrow time before compromise. It’s quite easy to identify that some software or system is outdated and no longer supported. Yet, it seems that no one …
Comparison of reverse image searching in popular search engines [OSINT hints]
A little experiment – comparison of Google, Bing and Yandax in terms of reverse image search. Guest post by Krzysztof Wosinski
fail2ban – Remote Code Execution
This article is about the recently published security advisory for a pretty popular software, fail2ban (CVE-2021-32749). It is about a bug that may lead to Remote Code Execution.
Helping secure DOMPurify (part 1)
In this blog post I share my experience with helping secure DOMPurify and trying to kill an entire class of bypasses
Mutation XSS via namespace confusion – DOMPurify < 2.0.17 bypass
In this blogpost I’ll explain my recent bypass in DOMPurify – the popular HTML sanitizer library. In a nutshell, DOMPurify’s job is to take an untrusted HTML snippet, supposedly coming from an end-user, and remove all elements and attributes that can lead to Cross-Site Scripting (XSS). This is the bypass: Believe me that there’s not …
Prototype pollution – and bypassing client-side HTML sanitizers
In this article I’ll cover the prototype pollution vulnerability and show it can be used to bypass client-side HTML sanitizers. I’m also considering various ways to find exploitation of prototype pollution via semi-automatic methods. It could also be a big help in solving my XSS challenge. Prototype pollution basics Prototype pollution is a security vulnerability, …
HTML sanitization bypass in Ruby Sanitize < 5.2.1
On Jun 16, 2020 a security advisory for Ruby Sanitize library was released about an issue that could lead to complete bypass of the library in its RELAXED config. I have found this bug during a penetration test conducted by Securitum, and in this post I’ll explain how I came up with the idea of …
Marginwidth/marginheight – the unexpected cross-origin communication channel
On 6th July 2020 I’ve announced a XSS challenge on my Twitter. So far only four people were able to solve it and every single one of them told me that they had never heard about the quirk used in the challenge before. So here’s a writeup explaining this quirk along with some backstory. The …
Art of bug bounty: a way from JS file analysis to XSS
Summary: During my research on other bug bounty program I’ve found Cross-Site Scripting vulnerability in cmp3p.js file, which allows attacker to execute arbitrary javascript code in context of domain that include mentioned script. Below you can find the way of finding bug bounty vulnerabilities from the beginning to the end, which includes: In depth analysis …
The Curious Case of Copy & Paste – on risks of pasting arbitrary content in browsers
This writeup is a summary of my research on issues in handling copying and pasting in: browsers, popular WYSIWYG editors, and websites. Its main goal is to raise awareness that the following scenario can make users exposed to attacks: The victim visits a malicious site, The victim copies something from the site to the clipboard, …
How to secure WordPress – step by step guide
The decision about which software we will use for a selected purpose is often made on the basis of an analysis of the time needed for its implementation and the total number of functions that this system will provide us with. However, it is likely that where comfort and time is a priority, safety will …
CSS data exfiltration in Firefox via a single injection point
A few months ago I identified a security issue in Firefox known as CVE-2019-17016. During analysis of the issue, I’ve come up with a new technique of CSS data exfiltration in Firefox via a single injection point which I’m going to share in this blog post.
Protecting against social engineering-based attacks – an introduction
On designing or analyzing the security in IT systems an important question which has to be taken into account, aside from the wide range of digital security solutions, is the fact that one of the key elements of each and every system is its interaction with the user. Unfortunately, in the prevailing number of cases …
XSS in GMail’s AMP4Email via DOM Clobbering
This post is a write up of an XSS in AMP4Email (obviously already fixed) I reported via Google Vulnerability Reward Program in August 2019. The XSS is an example of a real-world exploitation of well-known browser issue called DOM Clobbering.
Exploiting prototype pollution – RCE in Kibana (CVE-2019-7609)
Prototype pollution is a vulnerability that is specific to programming languages with prototype-based inheritance (the most common one being JavaScript). While the bug is well-known for some time now, it lacks practical examples of exploitation. In this post, I’m showing how to exploit it to achieve Remote Code Execution in Kibana.
JWT (JSON Web Token) (in)security
JWT (JSON Web Token) is a mechanism that is often used in REST APIs it can be found in popular standards, such as OpenID Connect, but we will also encounter it sometimes using OAuth2. It is used both in large companies and smaller organisations. There are many libraries available that support JWT, and the standard …
Write-up of DOMPurify 2.0.0 bypass using mutation XSS
Yesterday, a new version of DOMPurify (very popular XSS sanitization library) was released, that fixed a bypass reported by us. In this post I’ll show how exactly the bypass looked like preceded by general information about DOMPurify and how it works. If you are aware of how purifiers work and what mXSS is – you …
Server Side Template Injection – on the example of Pebble
Server-Side Template Injection isn’t exactly a new vulnerability in the world of web applications. It was made famous in 2015 by James Kettle in his famous blogpost on PortSwigger blog. In this post, I’ll share our journey with another, less popular Java templating engine called Pebble.
Security analysis of <portal> element
Portal is a fairly new HTML element that is currently supported only in Chrome Canary behind the #enable-portals flag. Their main objective is to enable seamless transitions to the web by pre-rendering content in an iframe-like element that can be then “promoted” (activated) to a top-level frame. In this article we focus of security analysis thereof.
HTTP 2 protocol – it is faster, but is it also safer?
Do we want the current web applications to run faster without additional expenditures on better network connection or server infrastructure? Yes, of course, and that was the main goal for the developers of the HTTP/2 protocol. To be more precise, it was about increasing the efficiency of communication between the client (in other words, the …
Basics of HTTP Protocol
Introduction HTTP headers, URLs, URIs, requests, responses, percentage encodings, HTML forms, parameters sent by the HTTP protocol, various HTTP server implementations resulting in security problems – these are just a few elements that I will address in this text. The beginner readers will learn the necessary basics to further explore the subject of web applications …
IT Infrastructure Reconnaissance – Part 3
In the previous parts of this series, I talked about various types of web engines useful in reconnaissance phase, and curiosities, which can be found with their help. During real tests, it can be different; sometimes, this phase can create critical errors. Often, however, it is possible to obtain only residual information about the target …
Another XSS in Google Colaboratory
Three months ago I described XSS which I found in Google Colaboratory. Before you start reading this article, I recommend you go back to the previous one first, because I am going to develop the topic which started there. In a nutshell, however, what previously happened: I was looking for XSS in Google Colaboratory (an …
Nmap and 12 useful NSE scripts
Nmap is the most popular free security scanner developed by Gordon Lyon (f.f. Fyodor Vaskovich). The first version of Nmapa was published on October 1, 1997, in the online magazine, Phrack. For those interested in the beginnings of this scanner, here is a full article that shows the capabilities and source code of the first …
IT Infrastructure Reconnaissance – Part 2 (Shodan, Censys, ZoomEye)
In the first part of this series I discussed the use of search engines as a source of information in the initial phase of the reconnaissance. As I mentioned in that article, search engines such as Google, Yahoo and Bing can allow you to search for information critical to security tests. The information presented below …
Security bug in Google Hangouts Chat desktop application – how to make Open Redirect great again
A few months ago Google released a new product – Hangouts Chat application, which was surely the answer of the American giant to the ubiquitous Slack. In short, it is a communication platform for teams, where you can simply chat, as well as exchange files, presentations, etc. You can use the Chat both in your …
IT infrastructure reconnaissance – part 1 (Google hacking)
The basis of web application or infrastructure security tests is a reconnaissance, i.e. the collection of all subdomains, IP addresses, and other publicly available information. It is a good practice to use several tools simultaneously during the reconnaissance, which of course, will greatly increase the effectiveness of this testing phase – information omitted by one …
Why you can not always trust web server logs?
Sketching the situation Let’s suppose we do a server post-breach analysis and manage to state the following: external access is possible only through a web application, and the web server is running with the privileges of an unprivileged user, the application is out-of-date and contains publicly known RCE vulnerability (remote code execution), the access_log, error_log …
XSS in Google Colaboratory + bypassing Content-Security-Policy
In the following text, I show an interesting XSS, which I found in February 2018 in one of Google’s applications. I show not only directly where this XSS was, but also what attempts I made to find this XSS and what dead ends I entered. In addition, an example of bypassing Content-Security-Policy with the use …
Single Code Line CCTV Camera Takeover – One Can Record Audio/Video/Have Access to Recordings
I have already presented this subject twice, but there was no information on the topic until now. The Ganzsecurity ZN-DNT352XE-MIR camera is worth about 5000 PLN. Securitum provides solutions to organisations such as NY Police, FBI, Spawar Command (NAVY), or prisons. The camera can also be found also as CCTV. All information presented in this …
Description of CVE-2018-0296 vulnerability – bypassing authorization in Cisco ASA web interface.
In this text we describe CVE-2018-0296 error concerning Cisco ASA devices, publicized 6th of June by Cisco. Officially, vulnerability was classified as Denial Of Service, although our report concerned a different type of error. More details below. A word of introduction:Cisco ASA device (Adaptive Security Appliance) is very popular and is often a part of …
BetterZip – from XSS to any code execution
XSS (Cross-Site Scripting) is one of the most popular vulnerabilities in the world of web applications. On the OWASP TOP 10 list it has been ranked first in terms of popularity for many years. Until now, XSS has usually been identified only in the world of browsers. However, due to the fact that HTML and …
Stealing Data in Great style – How to Use CSS to Attack Web Application.
This article will show you an example of how you can use the ability to inject your own CSS rules into a web application to exfiltrate data. This attack can be particularly practical for stealing tokens that protect against CSRF attacks. In this text we will see that CSS injections can be used to steal …
How to take over the CCTV camera
This time, we take a look at the camera Ganz Security – model ZN-M2F (price is about $650). We were able to get root privileges without authentication. Ganz Security? This is a company known in the West: The Ganz brand is currently used by more than 100,000 businesses and research and development institutions in the …
What is Path Traversal vulnerability?
Path Traversal attacks are performed when the vulnerable application allows uncontrolled access to files and directories, to which the user should not usually have access. The attack vector is the parameters passed on the application, representing paths to resources, on which specific operations are to be performed – reading, writing, listing the contents of the …
Testing applications for Android: analysis and changing the way applications work by using the Frida framework
What is Frida? Frida, as the website of this project says, is a world-class dynamic instrumentation framework. To simplify: a framework that will allow us to inject our own code into a working process (it can be a process on Android, but it also supports iOS, Windows, Linux or macOS), and then to control this …
Address bar spoofing in Chrome and Firefox – description of CVE-2017-5089 and CVE-2017-7763
In this article, I will show you how you could have previously performed “spoofing” of the address bar in Chrome and Firefox browsers. In other words, make the domain displayed in the browser’s address bar not the one where the user actually is. As a consequence, the attack can be used for phishing, for example, …
Security problems of Apache Cordova – steal the entire contents of the phone’s memory card with one XSS
There are many different technologies available on the mobile market that allow you to create applications. One of them – Apache Cordova – allows you to write applications in JavaScript and HTML. Applications created in this way are easy to distribute, and their operation does not differ from native applications written in Java or C. …
From the pentester library – several ways to raise privileges in Linux
From the text you will find out how: get information about the Linux system use the obtained information to search for local vulnerabilities take advantage of vulnerability (on the example of CVE-2016-5195 – Dirty COW) look for and take use of configuration errors In this article I would like to present how to convert the …
DoS attack on applications – through regular expressions
The American programmer, Jamie Zawinski, once said, “Some people, when they encounter a problem, think to themselves, ‘I know! I will use regular expressions.’ And now they have two problems.” In this article, we’ll see how true the words are if the regular expression has been spelled incorrectly, allowing the Denial-of-Service to be launched on …
Stealing tokens, hacking jQuery and bypassing Same-Origin Policy – how I won XSSMas Challenge 2016
In this article: You will learn an interesting way to read tokens from another domain. You will learn how to make XSS using jQuery. You will see how to break Same-Origin Policy using Flash. XSSMas Challenge is a challenge (in the style of CTF) organized for several years by Cure53. As you can guess from …
A few words about the implementation of SSL and TLS – part II
In the previous part, we got to know the theoretical premises to which attention should be paid when preparing for the implementation of SSL / TLS encryption mechanisms. In this part, we will try to focus on the configuration, which guarantees correct presentation of our website to visitors. 2.0 Using complete certificate chains Once, the …
Unordinary methods used in phishing attacks
Introduction In recent years phishing has evolved very much. The emergence of many new techniques – and therefore the modification of available solutions – has taken this type of attack to a higher level. Attackers increasingly use e-mail, websites or private messages in instant messengers to distribute it. In this article I will try to …
LDAP injection vulnerability – definitions, examples of attacks, methods of protection
What is LDAP? Lightweight Directory Access Protocol (LDAP) is a protocol that allows the exchange of information using the TCP/IP protocol. It is intended for the use of directory services; i.e., object-oriented databases representing network users and resources. LDAP is widely used in many services of which Microsoft’s Active Directory is probably most known. LDAP …
X-Forwarded-For header – security problems…
HTTP header: X-Forwarded-For (XFF) was originally introduced by a team of developers responsible for developing the Squid server as a method of identifying the original IP address of the client that connects to the web server through another proxy server or load balancer. Without using XFF or any other similar technique, any proxy connection would …
Reading Data Stored on Contactless Payment Cards
Do you know how to easily read your credit card details? Probably, you do, because for a few years now, a simple phone with an NFC reader has been enough to do this. On the market we can choose from many applications for different platforms that offer such a possibility. Today we will compare which …
Automatic Analysis of Malicious Software Using of SysAnalyzer
Beginning SysAnalyzer is an application (or rather a set) that allows for quick analysis of malware by observing its activities in different stages of the system. Before starting the “malicious sample”, the software creates a snapshot of the current state of our environment, which after starting the malware, is the basis for determining changes in …
A few words about the implementation of SSL and TLS – part I
SSL / TLS is a seemingly simple technique that ensures, among other things, protection of data. It guarantees the confidentiality of data transmission over the internet, while maintaining the simplicity of installation and operation—apart from situations when it is not. At the end of 2014, the giant from Mountain View, Google, reported that sites using …
WebSocket protocol security in practice
The dynamic development of web applications leads to a situation in which, for some time now, there has been a demand for the introduction of asynchronous data exchange between the client and the application server. The commonly used HTTP protocol is stateless, based on the query sent to the server and the answer given – …
Introduction to Zed Attack Proxy
In the basic version, it is a program that helps maintain HTTP and HTTPS traffic, allowing it to stop, edit and reject requests sent from the web browser. It is extremely useful for checking the behavior of the web application, after sending data other than what is allowed at the browser’s frontend. This can be …
Race Condition Attack – exemplary use in web application
Race Condition is a method of attack consisting of executing a query in a shorter time than the verification of the conditions of a given application action, e.g., when uploading files to the server, the time between saving the file on the disk and verifying its type or extension allows you to execute a query …
Generating WiFi communication in Scapy tool
Scapy and WiFi Scapy is a program used to manipulate packets. In this text I will show you how to use it for network communication in 802.11 standard. Fundamentals Messages exchanged between the access point and customers are formed into frames. Each standard frame has the following structure: MAC header: Frame control (version, type, subtype) …
Calculation of pseudo-random numbers generator state – on the example of Math. random() from Firefox
In this text: We will get to know how pseudo-random number generators operate We will learn how the XorShift128Plus algorithm, which is the basis of pseudo-random number generators in all the most popular browsers (Firefox, Chrome, Edge), works. We will get to know the Z3Prover tool, thanks to which we will be able to calculate …
What is the SSRF vulnerability (Server Side Request Forgery)?
A large part of web applications allows you to upload your own file to the server by providing the URL address, where it will be automatically downloaded to the server. In this article, we will discuss what problems may arise from such a solution. The article will be based on a simple functionality in the …
Bypassing the Same-origin policy in Firefox – detailed description (CVE-2015-7188)
In the third quarter of last year, I reported a security bug to Mozilla that allowed me to bypass Same Origin Policy (SOP) in Firefox. Due to this bug, it was possible to launch attacks by stealing data belonging to other domains. The source of the problem was a seemingly insignificant detail when parsing IP …
Google Caja and XSSs – how to get bounty three times for (almost) the same thing
In this article, I describe three XSSs that I reported to Google as part of their bug bounty program. All of them had their source in escaping of the sandbox in the Google Caja tool. Introduction At the beginning of this year, as my bug bounty target, I took the Google Docs applications. One of …
The new hack allows wireless opening of over 100 million cars: Audi, Skoda, various VW, Ford, Citroen.
TL; DR: As reported by Wired, nearly 100 million cars manufactured and owned by the Volkswagen group for the last 20 years can be opened wirelessly as a result of a hack. Just listen to the radio transmission when you open the car, process it… and voila. This was presented in detail at Usenix Conference …
Security of web applications: vulnerabilities in upload mechanisms
File upload is one of the most common functionalities in web applications. Typically, it involves uploading images or documents to the server. It is also a place that pentesters look for due to the numerous security errors in implementations. In this article, we will present the most common vulnerabilities and show how they can be …
Do you allow to load SVG files? You have XSS!
Uploading files by web application users creates many vulnerabilities. In this functionality, pentesters are looking for gaps leading to remote code execution on the server side. What if the upload of a new file resulted in the execution of a malicious JS script? Such opportunity provides SVG files that describe vector graphics in modern browsers. …
Linux security monitoring: auditd + OSSEC integration part I
This article is devoted to the integration of two well-known and proven open source tools for security monitoring: change audit software for Linux (auditd) and Host IDS OSSEC. The aim of this article is to learn the limitations and use the advantages of both of these tools so that by acting in tandem they can …
What is the CSRF (Cross-Site Request Forgery) vulnerability?
After reading the text, you will know: What CSRF vulnerability is. What the sample attack scenarios look like. How CSRF is used simultaneously with other vulnerabilities. How to protect yourself. Introduction CSRF (Cross-Site Request Forgery; alternatively used names: XSRF, session riding or one-click attack) is probably one of the least understood vulnerabilities described in the …
Quick malware analysis
Sometimes in an e-mail we receive something that catches our attention and causes the red lamp to flicker. This can be the sender’s address, a strange attachment or a link in the body of the message. Then we want to quickly and effectively find out what we are dealing with, especially if we suspect that …