Articles

PrivEsc: Insecure Service Permissions

I’ve written a few articles recently about methods of escalating privileges on Windows machines, such as through DLL Hijacking and Unquoted Service Paths, so here I’m continuing the series with Privilege Escalation through Insecure Service configurations. This one’s a pretty simple issue really; generally speaking it’s simply a matter of altering ...

Same-origin Policy

Same-Origin Policy (SOP) is a critical part of the security implemented within a web browser. It’s the part of your browser’s security system that prevents malicious pages from reading confidential information from other sites. So thepiratebay.com can’t read data from barclays.com because it’s blocked by SOP. The way that it ...

HTTP Security Headers: Strict-Transport-Security

Transport Layer Security (TLS), and its deprecated predecessor Secure Sockets Layer (SSL), are protocols that can be used to protect information in transit – and are the underlying protocols used by HTTPS to protect web traffic. They are designed to prevent a threat actor who is able to intercept messages from being ...

IDOR: Insecure Direct Object Reference

In my experience Insecure Direct Object Reference is one of the least well known vulnerabilities out there, but it’s a very simple issue to explain. It’s a vulnerability that generally leads to loss of confidential data but can result in the loss or modification of data too. Consider a URL ...

CSRF: Cross-site Request Forgery

Cross-site Request Forgery, often abbreviated to CSRF and often pronounced as “Sea-Surf”, is an attack against a Web Application that abuses an application’s trust in the user. A threat actor’s aim is to cause a function to execute on the application using the user’s authentication credentials simply by causing the user’s browser to ...

HTML5: Cross Origin Resource Sharing (CORS) Vulnerabilities

So by default SOP won’t allow bi-directional communications between two separate origins, however as applications scale up there may be a requirement to allow this kind of thing. Think of companies such as Google, who also owns YouTube – or Microsoft who also owns Outlook and Skype. They may well ...

HTML5: Cross Domain Messaging (PostMessage) Vulnerabilities

HTML5 PostMessages (also known as: Web Messaging, or Cross Domain Messaging) is a method of passing arbitrary data between domains. However if not implemented correctly it can lead to sensitive information disclosure or cross-site scripting vulnerabilities as it leaves origin validation up to the developer! Pages can send messages with ...

Web Application Defence: Filtering User Input

Effectively filtering user input is one of the best ways to prevent an awful lot of web application vulnerabilities. There are several ways to approach this, each with their own pros and cons so I’ll run through them here and then you can think of the best way to combine ...

Spoofing Packets and DNS Exfiltration

Following a successful penetration test, you may have large amounts of data to exfiltrate from an environment specifically hardened to make it difficult to exfiltrate data. For example, the network might have a firewall that explicitly blocks common exfiltration methods – such as SSH, HTTPS, HTTP. It is common that ...

An Introduction to PenTesting Azure

I recently wrote an introduction to PenTesting an AWS Environment. A sensible place to start given that, as I noted there, in Q1 of 2018 Amazon holds a 33% market share in cloud whereas Microsoft only holds 13%. However I did want to add a few notes that are specific to PenTesting ...

MySQL Injection Cheat Sheet

# Comments: #  /* Comment */  -- -  ;%00   # Version: SELECT VERSION(); SELECT @@VERSION; SELECT @@GLOBAL.VERSION;   # User details: user() current_user() system_user() session_user() SELECT user,password FROM mysql.user;   # Database details: SELECT db_name(); SELECT database(); SELECT schema_name FROM information_schema.schemata; # Database credentials: SELECT host, user, password FROM mysql.user;   # Server ...

MSSQL Injection Cheat Sheet

# Comments: /* Comment */  -- -  # Version: SELECT @@VERSION; SELECT version(); # User details: current_user() suser_name() system_user() # Database details: SELECT db_name(); # Database credentials: SELECT name, password_hash FROM master.sys.sql_logins; SELECT name + '-' + master.sys.fn_varbintohexstr(password_hash) FROM master.sys.sql_logins; # Server details: SELECT host_name(); # Table Name: SELECT name ...

Strong Passwords: The Problem with Rotation

Password rotation has previously been included within best practice guides as a method of minimising the risk of compromised passwords being valid at the time a threat actor attempts to use them. Recent research has indicated that enforcing password rotation is linked to an increased risk of weak passwords, due ...

Exploiting SQL Injection with Sqlmap

We’ve previously posted about manually finding and exploiting SQL injection vulnerabilities. However, one of the reasons SQL Injection is such a high risk vulnerability overall is due to the fact that exploitation can often be entirely automated. One tool for exploiting this vulnerability is sqlmap. From the point of view of security testers, ...

Finding Command Injection

Command Injection vulnerabilities are a class of application security issue where an attacker can cause the application to execute an underlying operating system command. Command Injection vulnerabilities occur where user supplied input is insecurely included within an operating system command, allowing a threat actor to execute additional commands or alter the syntax ...

SQL Injection: Filter Evasion with Sqlmap

We’ve previously written about many different techniques for Finding and Exploiting SQL Injection vulnerabilities. However, there are often restrictions and interim technologies such as Web Application Firewalls that can prevent certain payloads from being used. In some instances filters can be bypassed through common encoding mechanisms, however often these will be ...

Exploiting Path Traversal

Path Traversal, also known as Directory Traversal, is a vulnerability where a user can alter a path used by an application. For file retrieval functionality this can allow a threat actor to access files that are not intentionally disclosed. For file upload functionality this can allow for website defacement, code execution and ...

Strong Passwords: The Problem with Complexity

Weak passwords are those which are predictable and can be easily guessed. To ensure that users do not select weak passwords organisations may look to enforce password complexity. Complexity refers to the requirement to use a mixed character set. For example, on Active Directory accounts complexity requires three of the ...

Implementing Certification Authority Authorization (CAA)

Certification Authority Authorization (CAA) is used to specify which Certificate Authorities may issue certificates for the domain. Whilst lack of CAA does not constitute a vulnerability itself, it may be used to harden the transport layer security of an application by reducing the risk of certificates being mis-issued. Additionally, ...

Controlled Chaos

Major outages in major public cloud providers such as Azure and AWS are rare, but they do happen. Today OVH had a major incident: “OVH datacenter burns down knocking major sites offline” and they’re not the only ones to experience these issues, for example Amazon had a major outage in November and Microsoft had ...

SQL Injection Exploitation: Out-of-Band

Out-of-band exploitation refers to exploits where the extracted information is received over a connection other than the one the payload was delivered over. It can be used to bypass defensive technologies as well as complicating the detection and response capability. SQL Injection can be exploited out-of-band through protocols such as ...

Preventing Windows Accounts Being Bruteforced

In a previous article we discussed how bruteforcing Windows accounts is often easier than people expect. In this post – we’ll cover some steps to harden these accounts. The Observation Window: When configuring an account lockout threshold on a Domain another setting is suggested, the observation window. This setting effectively reduces the ...

Strong Passwords: Three Random Words

When performing security tests, we very often come across weak passwords. We often see dictionary words with suffixes such as Welcome1, Password123, or Lockdown2020. We also see “leet” substitutions, such as P@55w0rd, 3l3ph@nt, or L0ckd0wn. We’ve previously shown how quickly password cracking can be performed. With passwords like the above they ...

Securing Wi-Fi Networks

We recently discussed how to break WPA2 keys very quickly using cloud computing. We’ve also looked at how to use a Rogue AP to capture user credentials from a network using PEAP (MSCHAP). In this article we’ll look at hardening Enterprise wireless networks from these attacks. The most secure option is to utilise ...

Fixing SQL Injection

SQL Injection is a vulnerability that occurs where user supplied input is insecurely concatenated into an SQL query. We showed how easy it can be to detect in our Finding SQL Injection article, and we’ve run through exploitation in many posts such as our post on Exploiting Error-based SQL Injection. However, in this ...
