SQL Injection Exploitation: Out-of-Band

Published on 26 January 2021

Out-of-band exploitation refers to exploits where the extracted information is received over a connection other than the one the payload was delivered over. It can be used to bypass defensive technologies as well as complicating the detection and response capability.

SQL Injection can be exploited out-of-band through protocols such as DNS in order to extract database contents. This is particularly useful as an alternative to Time-based exploitation where it can allow for faster extraction.

Read More...

Strong Passwords

Published on 23 January 2021

When performing security tests, we very often come across weak passwords. We often see dictionary words with suffixes such as Welcome1, Password123, or Lockdown2020. We also see "leet" substitutions, such as P@55w0rd, 3l3ph@nt, or L0ckd0wn.

In this post, we break down options for choosing more secure passwords.

Read More...

Preventing Windows Accounts Being Bruteforced

Published on 23 January 2021

In a previous article we discussed how bruteforcing Windows accounts is often easier than people expect. In this post - we'll cover some steps to harden these accounts.

Read More...

Securing Wi-Fi Networks

Published on 23 January 2021

We recently discussed how to break WPA2 keys very quickly using cloud computing. We've also looked at how to use a Rogue AP to capture user credentials from a network using PEAP (MSCHAP).

In this article we'll look at hardening Enterprise wireless networks from these attacks.

Read More...

Fixing SQL Injection

Published on 22 January 2021

SQL Injection is a vulnerability that occurs where user supplied input is insecurely concatenated into an SQL query.

We showed how easy can be to detect in our Finding SQL Injection article, and we’ve run through exploitation in many posts such as our post on Exploiting Error-based SQL Injection.

Read More...

Fixing LLMNR and NetBIOS-NS Spoofing

Published on 21 January 2021

In our article LLMNR and NetBIOS-NS Spoofing with Responder we stepped you through how to exploit a very common issue on Windows networks. In this one, we’re going to cover how to fix it.

LLMNR and NetBIOS-NS are both a fallback for DNS and can be used to perform interception attacks, leading to credential theft or even command execution. However, these two articles are not commonly needed on networks and can therefore be safely disabled.

Read More...

Fixing DOM-Based XSS

Published on 25 October 2020

Whilst Reflected and Stored XSS can generally be addressed through server-side user input encoding (such as through the PHP htmlentities() function) or with browser protections such as Content-Security-Policy – this is not sufficient for DOM-XSS.

Read More...

Fixing Cross-site Scripting (XSS)

Published on 25 October 2020

This issue comes about where user supplied input is included within server responses without filtration or encoding.

One very effective method of preventing this attack is to use an allow-list (sometimes called a whitelist) which will allow only known good content. For example if your expected input is an integer and the user supplies anything other than an integer you can simply reject that input – and perhaps supply a message to inform the user what the issue is, without including the original payload.

Read More...

Extracting Domain Hashes: VSSAdmin

Published on 19 October 2020

We covered extracting domain hashes with Mimikatz  previously, but that's not always the best approach - for example where anti-virus is getting in the way. However there are other options for the same goal. This time around we'll take a look at using Vssadmin, a built-in Windows tool.

Read More...

XXE: XML External Entity Injection

Published on 19 October 2020

XML Entity Injection is a powerful vulnerability that can allow for confidential data theft and in rare cases command execution. It was also often overlooked for a whle - but now it features in the OWASP Top 10 as A4 it's a lot more well known.

Read More...