In many situations, minor vulnerabilities might seem like small fish in the vast ocean of cybersecurity threats. They’re often marked as low severity and thus, overlooked by developers who assume that the conditions for their exploitation are too complicated to be met. However, in this article, we’re going to challenge that assumption and show you …
Category: Education
XSS in WordPress via open embed auto discovery
Introduction Users often assume that known software is free of security flaws because it has been checked by a sufficient number of tools and security testers. However, this is not an assumption that a pentester or bug hunter can afford to make. Vulnerabilities may lurk in various places, and finding an interesting bug often requires …
How to access data secured with BitLocker? Do a system update
Do you suffer from eternal lack of time for system updates? Finally managed to find a moment to install them, but you didn’t finish the whole process because you had to run out of the office? Is your data safe? Read this article to find out. As always in the IT world, it is difficult …
Amazon once again lost control (for 3 hours) over the IP pool in a BGP Hijacking attack
Last month, Amazon lost control of its cloud-based IP address pool for more than three hours, which allowed cyber criminals to steal $235,000 from users of one of AWS’s customers. Using BGP hijacking, hackers gained control over a pool of 256 IP addresses. Briefly describing the BGP protocol, it is a backbone – the basis …
PyScript – or rather Python in your browser + what can be done with it?
PyScript – or rather Python in your browser + what can be done with it? A few days ago, the Anaconda project announced the PyScript framework, which allows Python code to be executed directly in the browser. Additionally, it also covers its integration with HTML and JS code. An execution of the Python code in …
Part 3. Windows security: reconnaissance of Active Directory environment with BloodHound.
Collecting information about the domain environment with SharpHound A program that collects domain environment data – SharpHound is a component of the BloodHound tool. The collection of environmental data starts when SharpHound.exe is run on one of the computers. The entire BloodHound package can be downloaded (Figure 32) from the address: https://github.com/BloodHoundAD/BloodHound/releases After downloading and …
Part 1. Windows security: reconnaissance of Active Directory environment with BloodHound.
Windows security: reconnaissance of Active Directory environment with BloodHound. In this article we will take a closer look at the BloodHound tool – Six Degrees of Domain Admin. The application was developed in JavaScript and built using the Electron platform. The graphical visualization uses the Neo4j database. During the experiment, we will use a Windows …
Part 1. Windows security – what is LSASS dump. How to protect against it?
Windows security – what is LSASS dump. How to protect against it? The ability of Advanced Persistent Threat (APT) groups and other threat actors to take a dump of Windows credentials is a serious threat especially to enterprises and other organizations. The MITRE ATT&CK knowledge base, which is created primarily to support defense against cyber …
Remote code execution by fail2ban
In this article we will discuss a recently published vulnerability in quite popular software – fail2ban (CVE-2021-32749). Under the right conditions, this bug could be exploited to achieve code execution with root privileges. Luckily, it is difficult for a “normal” attacker to achieve. This vulnerability is rooted in a way the mail command from the …
Detecting threats to wireless networks with a free IDS-class tool: nzyme
Nzyme is a new Open Source software, created in a spare time by CTO Graylog Lennart Koopmann. In March this year, version 1.0 of “Kyle Canyon” was released. Nzyme is used to detect threats to wireless networks and belongs to the family of Wireless Intrusion Detection System (WIDS). This is probably the most interesting and …
Is running legacy software with no publicly known exploits safe?
There is a lot of legacy software running all over the network. This is an excellent example of technological debt. And the debt means that we are borrowing. We borrow time before compromise. It’s quite easy to identify that some software or system is outdated and no longer supported. Yet, it seems that no one …
How to secure WordPress – step by step guide
The decision about which software we will use for a selected purpose is often made on the basis of an analysis of the time needed for its implementation and the total number of functions that this system will provide us with. However, it is likely that where comfort and time is a priority, safety will …
Protecting against social engineering-based attacks – an introduction
On designing or analyzing the security in IT systems an important question which has to be taken into account, aside from the wide range of digital security solutions, is the fact that one of the key elements of each and every system is its interaction with the user. Unfortunately, in the prevailing number of cases …
JWT (JSON Web Token) (in)security
JWT (JSON Web Token) is a mechanism that is often used in REST APIs it can be found in popular standards, such as OpenID Connect, but we will also encounter it sometimes using OAuth2. It is used both in large companies and smaller organisations. There are many libraries available that support JWT, and the standard …
HTTP 2 protocol – it is faster, but is it also safer?
Do we want the current web applications to run faster without additional expenditures on better network connection or server infrastructure? Yes, of course, and that was the main goal for the developers of the HTTP/2 protocol. To be more precise, it was about increasing the efficiency of communication between the client (in other words, the …
Basics of HTTP Protocol
Introduction HTTP headers, URLs, URIs, requests, responses, percentage encodings, HTML forms, parameters sent by the HTTP protocol, various HTTP server implementations resulting in security problems – these are just a few elements that I will address in this text. The beginner readers will learn the necessary basics to further explore the subject of web applications …
IT Infrastructure Reconnaissance – Part 3
In the previous parts of this series, I talked about various types of web engines useful in reconnaissance phase, and curiosities, which can be found with their help. During real tests, it can be different; sometimes, this phase can create critical errors. Often, however, it is possible to obtain only residual information about the target …
Nmap and 12 useful NSE scripts
Nmap is the most popular free security scanner developed by Gordon Lyon (f.f. Fyodor Vaskovich). The first version of Nmapa was published on October 1, 1997, in the online magazine, Phrack. For those interested in the beginnings of this scanner, here is a full article that shows the capabilities and source code of the first …
IT Infrastructure Reconnaissance – Part 2 (Shodan, Censys, ZoomEye)
In the first part of this series I discussed the use of search engines as a source of information in the initial phase of the reconnaissance. As I mentioned in that article, search engines such as Google, Yahoo and Bing can allow you to search for information critical to security tests. The information presented below …
IT infrastructure reconnaissance – part 1 (Google hacking)
The basis of web application or infrastructure security tests is a reconnaissance, i.e. the collection of all subdomains, IP addresses, and other publicly available information. It is a good practice to use several tools simultaneously during the reconnaissance, which of course, will greatly increase the effectiveness of this testing phase – information omitted by one …
Why you can not always trust web server logs?
Sketching the situation Let’s suppose we do a server post-breach analysis and manage to state the following: external access is possible only through a web application, and the web server is running with the privileges of an unprivileged user, the application is out-of-date and contains publicly known RCE vulnerability (remote code execution), the access_log, error_log …
What is Path Traversal vulnerability?
Path Traversal attacks are performed when the vulnerable application allows uncontrolled access to files and directories, to which the user should not usually have access. The attack vector is the parameters passed on the application, representing paths to resources, on which specific operations are to be performed – reading, writing, listing the contents of the …
Testing applications for Android: analysis and changing the way applications work by using the Frida framework
What is Frida? Frida, as the website of this project says, is a world-class dynamic instrumentation framework. To simplify: a framework that will allow us to inject our own code into a working process (it can be a process on Android, but it also supports iOS, Windows, Linux or macOS), and then to control this …
From the pentester library – several ways to raise privileges in Linux
From the text you will find out how: get information about the Linux system use the obtained information to search for local vulnerabilities take advantage of vulnerability (on the example of CVE-2016-5195 – Dirty COW) look for and take use of configuration errors In this article I would like to present how to convert the …
DoS attack on applications – through regular expressions
The American programmer, Jamie Zawinski, once said, “Some people, when they encounter a problem, think to themselves, ‘I know! I will use regular expressions.’ And now they have two problems.” In this article, we’ll see how true the words are if the regular expression has been spelled incorrectly, allowing the Denial-of-Service to be launched on …
A few words about the implementation of SSL and TLS – part II
In the previous part, we got to know the theoretical premises to which attention should be paid when preparing for the implementation of SSL / TLS encryption mechanisms. In this part, we will try to focus on the configuration, which guarantees correct presentation of our website to visitors. 2.0 Using complete certificate chains Once, the …
Unordinary methods used in phishing attacks
Introduction In recent years phishing has evolved very much. The emergence of many new techniques – and therefore the modification of available solutions – has taken this type of attack to a higher level. Attackers increasingly use e-mail, websites or private messages in instant messengers to distribute it. In this article I will try to …
LDAP injection vulnerability – definitions, examples of attacks, methods of protection
What is LDAP? Lightweight Directory Access Protocol (LDAP) is a protocol that allows the exchange of information using the TCP/IP protocol. It is intended for the use of directory services; i.e., object-oriented databases representing network users and resources. LDAP is widely used in many services of which Microsoft’s Active Directory is probably most known. LDAP …
X-Forwarded-For header – security problems…
HTTP header: X-Forwarded-For (XFF) was originally introduced by a team of developers responsible for developing the Squid server as a method of identifying the original IP address of the client that connects to the web server through another proxy server or load balancer. Without using XFF or any other similar technique, any proxy connection would …
Reading Data Stored on Contactless Payment Cards
Do you know how to easily read your credit card details? Probably, you do, because for a few years now, a simple phone with an NFC reader has been enough to do this. On the market we can choose from many applications for different platforms that offer such a possibility. Today we will compare which …
Automatic Analysis of Malicious Software Using of SysAnalyzer
Beginning SysAnalyzer is an application (or rather a set) that allows for quick analysis of malware by observing its activities in different stages of the system. Before starting the “malicious sample”, the software creates a snapshot of the current state of our environment, which after starting the malware, is the basis for determining changes in …
A few words about the implementation of SSL and TLS – part I
SSL / TLS is a seemingly simple technique that ensures, among other things, protection of data. It guarantees the confidentiality of data transmission over the internet, while maintaining the simplicity of installation and operation—apart from situations when it is not. At the end of 2014, the giant from Mountain View, Google, reported that sites using …
WebSocket protocol security in practice
The dynamic development of web applications leads to a situation in which, for some time now, there has been a demand for the introduction of asynchronous data exchange between the client and the application server. The commonly used HTTP protocol is stateless, based on the query sent to the server and the answer given – …
Introduction to Zed Attack Proxy
In the basic version, it is a program that helps maintain HTTP and HTTPS traffic, allowing it to stop, edit and reject requests sent from the web browser. It is extremely useful for checking the behavior of the web application, after sending data other than what is allowed at the browser’s frontend. This can be …
Race Condition Attack – exemplary use in web application
Race Condition is a method of attack consisting of executing a query in a shorter time than the verification of the conditions of a given application action, e.g., when uploading files to the server, the time between saving the file on the disk and verifying its type or extension allows you to execute a query …
Generating WiFi communication in Scapy tool
Scapy and WiFi Scapy is a program used to manipulate packets. In this text I will show you how to use it for network communication in 802.11 standard. Fundamentals Messages exchanged between the access point and customers are formed into frames. Each standard frame has the following structure: MAC header: Frame control (version, type, subtype) …
Calculation of pseudo-random numbers generator state – on the example of Math. random() from Firefox
In this text: We will get to know how pseudo-random number generators operate We will learn how the XorShift128Plus algorithm, which is the basis of pseudo-random number generators in all the most popular browsers (Firefox, Chrome, Edge), works. We will get to know the Z3Prover tool, thanks to which we will be able to calculate …
What is the SSRF vulnerability (Server Side Request Forgery)?
A large part of web applications allows you to upload your own file to the server by providing the URL address, where it will be automatically downloaded to the server. In this article, we will discuss what problems may arise from such a solution. The article will be based on a simple functionality in the …
The new hack allows wireless opening of over 100 million cars: Audi, Skoda, various VW, Ford, Citroen.
TL; DR: As reported by Wired, nearly 100 million cars manufactured and owned by the Volkswagen group for the last 20 years can be opened wirelessly as a result of a hack. Just listen to the radio transmission when you open the car, process it… and voila. This was presented in detail at Usenix Conference …
Security of web applications: vulnerabilities in upload mechanisms
File upload is one of the most common functionalities in web applications. Typically, it involves uploading images or documents to the server. It is also a place that pentesters look for due to the numerous security errors in implementations. In this article, we will present the most common vulnerabilities and show how they can be …
Do you allow to load SVG files? You have XSS!
Uploading files by web application users creates many vulnerabilities. In this functionality, pentesters are looking for gaps leading to remote code execution on the server side. What if the upload of a new file resulted in the execution of a malicious JS script? Such opportunity provides SVG files that describe vector graphics in modern browsers. …
Linux security monitoring: auditd + OSSEC integration part I
This article is devoted to the integration of two well-known and proven open source tools for security monitoring: change audit software for Linux (auditd) and Host IDS OSSEC. The aim of this article is to learn the limitations and use the advantages of both of these tools so that by acting in tandem they can …
What is the CSRF (Cross-Site Request Forgery) vulnerability?
After reading the text, you will know: What CSRF vulnerability is. What the sample attack scenarios look like. How CSRF is used simultaneously with other vulnerabilities. How to protect yourself. Introduction CSRF (Cross-Site Request Forgery; alternatively used names: XSRF, session riding or one-click attack) is probably one of the least understood vulnerabilities described in the …
Quick malware analysis
Sometimes in an e-mail we receive something that catches our attention and causes the red lamp to flicker. This can be the sender’s address, a strange attachment or a link in the body of the message. Then we want to quickly and effectively find out what we are dealing with, especially if we suspect that …