JWT (JSON Web Token) (in)security

JWT (JSON Web Token) is a mechanism that is often used in REST APIs it can be found in popular standards, such as OpenID Connect, but we will also encounter it sometimes using OAuth2. It is used both in large companies and smaller organisations. There are many libraries available that support JWT, and the standard …

Write-up of DOMPurify 2.0.0 bypass using mutation XSS

Yesterday, a new version of DOMPurify (very popular XSS sanitization library) was released, that fixed a bypass reported by us. In this post I’ll show how exactly the bypass looked like preceded by general information about DOMPurify and how it works. If you are aware of how purifiers work and what mXSS is – you …

Security analysis of <portal> element

Portal is a fairly new HTML element that is currently supported only in Chrome Canary behind the #enable-portals flag. Their main objective is to enable seamless transitions to the web by pre-rendering content in an iframe-like element that can be then “promoted” (activated) to a top-level frame. In this article we focus of security analysis thereof.

HTTP 2 protocol – it is faster, but is it also safer?

Do we want the current web applications to run faster without additional expenditures on better network connection or server infrastructure? Yes, of course, and that was the main goal for the developers of the HTTP/2 protocol. To be more precise, it was about increasing the efficiency of communication between the client (in other words, the …

Basics of HTTP Protocol

Introduction HTTP headers, URLs, URIs, requests, responses, percentage encodings, HTML forms, parameters sent by the HTTP protocol, various HTTP server implementations resulting in security problems – these are just a few elements that I will address in this text. The beginner readers will learn the necessary basics to further explore the subject of web applications …

IT Infrastructure Reconnaissance – Part 3

In the previous parts of this series, I talked about various types of web engines useful in reconnaissance phase, and curiosities, which can be found with their help. During real tests, it can be different; sometimes, this phase can create critical errors. Often, however, it is possible to obtain only residual information about the target …

Another XSS in Google Colaboratory

Three months ago I described XSS which I found in Google Colaboratory. Before you start reading this article, I recommend you go back to the previous one first, because I am going to develop the topic which started there. In a nutshell, however, what previously happened: I was looking for XSS in Google Colaboratory (an …

Nmap and 12 useful NSE scripts

Nmap is the most popular free security scanner developed by Gordon Lyon (f.f. Fyodor Vaskovich). The first version of Nmapa was published on October 1, 1997, in the online magazine, Phrack. For those interested in the beginnings of this scanner, here is a full article that shows the capabilities and source code of the first …

IT infrastructure reconnaissance – part 1 (Google hacking)

The basis of web application or infrastructure security tests is a reconnaissance, i.e. the collection of all subdomains, IP addresses, and other publicly available information. It is a good practice to use several tools simultaneously during the reconnaissance, which of course, will greatly increase the effectiveness of this testing phase – information omitted by one …

Why you can not always trust web server logs?

Sketching the situation Let’s suppose we do a server post-breach analysis and manage to state the following: external access is possible only through a web application, and the web server is running with the privileges of an unprivileged user, the application is out-of-date and contains publicly known RCE vulnerability (remote code execution), the access_log, error_log …

Single Code Line CCTV Camera Takeover – One Can Record Audio/Video/Have Access to Recordings

I have already presented this subject twice, but there was no information on the topic until now. The Ganzsecurity ZN-DNT352XE-MIR camera is worth about 5000 PLN. Securitum provides solutions to organisations such as NY Police, FBI, Spawar Command (NAVY), or prisons. The camera can also be found also as CCTV. All information presented in this …

Description of CVE-2018-0296 vulnerability – bypassing authorization in Cisco ASA web interface.

In this text we describe CVE-2018-0296 error concerning Cisco ASA devices, publicized 6th of June by Cisco. Officially, vulnerability was classified as Denial Of Service, although our report concerned a different type of error. More details below. A word of introduction:Cisco ASA device (Adaptive Security Appliance) is very popular and is often a part of …

BetterZip – from XSS to any code execution

XSS (Cross-Site Scripting) is one of the most popular vulnerabilities in the world of web applications. On the OWASP TOP 10 list it has been ranked first in terms of popularity for many years. Until now, XSS has usually been identified only in the world of browsers. However, due to the fact that HTML and …

How to take over the CCTV camera

This time, we take a look at the camera Ganz Security – model ZN-M2F (price is about $650). We were able to get root privileges without authentication. Ganz Security? This is a company known in the West: The Ganz brand is currently used by more than 100,000 businesses and research and development institutions in the …

What is Path Traversal vulnerability?

Path Traversal attacks are performed when the vulnerable application allows uncontrolled access to files and directories, to which the user should not usually have access. The attack vector is the parameters passed on the application, representing paths to resources, on which specific operations are to be performed – reading, writing, listing the contents of the …

Testing applications for Android: analysis and changing the way applications work by using the Frida framework

What is Frida? Frida, as the website of this project says, is a world-class dynamic instrumentation framework. To simplify: a framework that will allow us to inject our own code into a working process (it can be a process on Android, but it also supports iOS, Windows, Linux or macOS), and then to control this …

Security problems of Apache Cordova – steal the entire contents of the phone’s memory card with one XSS

There are many different technologies available on the mobile market that allow you to create applications. One of them – Apache Cordova – allows you to write applications in JavaScript and HTML. Applications created in this way are easy to distribute, and their operation does not differ from native applications written in Java or C. …

DoS attack on applications – through regular expressions

The American programmer, Jamie Zawinski, once said, “Some people, when they encounter a problem, think to themselves, ‘I know! I will use regular expressions.’ And now they have two problems.” In this article, we’ll see how true the words are if the regular expression has been spelled incorrectly, allowing the Denial-of-Service to be launched on …

Unordinary methods used in phishing attacks

Introduction In recent years phishing has evolved very much. The emergence of many new techniques – and therefore the modification of available solutions – has taken this type of attack to a higher level. Attackers increasingly use e-mail, websites or private messages in instant messengers to distribute it. In this article I will try to …

LDAP injection vulnerability – definitions, examples of attacks, methods of protection

What is LDAP? Lightweight Directory Access Protocol (LDAP) is a protocol that allows the exchange of information using the TCP/IP protocol. It is intended for the use of directory services; i.e., object-oriented databases representing network users and resources. LDAP is widely used in many services of which Microsoft’s Active Directory is probably most known. LDAP …

X-Forwarded-For header – security problems…

HTTP header: X-Forwarded-For (XFF) was originally introduced by a team of developers responsible for developing the Squid server as a method of identifying the original IP address of the client that connects to the web server through another proxy server or load balancer. Without using XFF or any other similar technique, any proxy connection would …

Reading Data Stored on Contactless Payment Cards

Do you know how to easily read your credit card details? Probably, you do, because for a few years now, a simple phone with an NFC reader has been enough to do this. On the market we can choose from many applications for different platforms that offer such a possibility. Today we will compare which …

Automatic Analysis of Malicious Software Using of SysAnalyzer

Beginning SysAnalyzer is an application (or rather a set) that allows for quick analysis of malware by observing its activities in different stages of the system. Before starting the “malicious sample”, the software creates a snapshot of the current state of our environment, which after starting the malware, is the basis for determining changes in …

A few words about the implementation of SSL and TLS – part I

SSL / TLS is a seemingly simple technique that ensures, among other things, protection of data. It guarantees the confidentiality of data transmission over the internet, while maintaining the simplicity of installation and operation—apart from situations when it is not. At the end of 2014, the giant from Mountain View, Google, reported that sites using …

WebSocket protocol security in practice

The dynamic development of web applications leads to a situation in which, for some time now, there has been a demand for the introduction of asynchronous data exchange between the client and the application server. The commonly used HTTP protocol is stateless, based on the query sent to the server and the answer given – …

Introduction to Zed Attack Proxy

In the basic version, it is a program that helps maintain HTTP and HTTPS traffic, allowing it to stop, edit and reject requests sent from the web browser. It is extremely useful for checking the behavior of the web application, after sending data other than what is allowed at the browser’s frontend. This can be …

Generating WiFi communication in Scapy tool

Scapy and WiFi Scapy is a program used to manipulate packets. In this text I will show you how to use it for network communication in 802.11 standard. Fundamentals Messages exchanged between the access point and customers are formed into frames. Each standard frame has the following structure: MAC header: Frame control (version, type, subtype) …

Calculation of pseudo-random numbers generator state – on the example of Math. random() from Firefox

In this text: We will get to know how pseudo-random number generators operate We will learn how the XorShift128Plus algorithm, which is the basis of pseudo-random number generators in all the most popular browsers (Firefox, Chrome, Edge), works. We will get to know the Z3Prover tool, thanks to which we will be able to calculate …

Do you allow to load SVG files? You have XSS!

Uploading files by web application users creates many vulnerabilities. In this functionality, pentesters are looking for gaps leading to remote code execution on the server side. What if the upload of a new file resulted in the execution of a malicious JS script? Such opportunity provides SVG files that describe vector graphics in modern browsers. …

What is the CSRF (Cross-Site Request Forgery) vulnerability?

After reading the text, you will know: What CSRF vulnerability is. What the sample attack scenarios look like. How CSRF is used simultaneously with other vulnerabilities. How to protect yourself. Introduction CSRF (Cross-Site Request Forgery; alternatively used names: XSRF, session riding or one-click attack) is probably one of the least understood vulnerabilities described in the …

Quick malware analysis

Sometimes in an e-mail we receive something that catches our attention and causes the red lamp to flicker. This can be the sender’s address, a strange attachment or a link in the body of the message. Then we want to quickly and effectively find out what we are dealing with, especially if we suspect that …