Hackers on Hackers
Published: 30 October 2016
So it’s 10:30pm on a Sunday and the wonderful Jake Davis has asked me to give my thoughts on the ludicrous movie that is “Hackers” (1995). It’s been years since I watched it, so I broke out the popcorn…
“Hackers” is a movie that I hold fondly in my heart for disregarding all realism and jumping straight in to Hollywood style hacking scenes; It shows hacking more like black magic and spell-casting than the realistic 14 hours staring at green text on a black background scenes I see in my day job as an ethical Hacker.
Continue Reading
Strong Passwords: The Problem with Rotation
Published: 10 June 2021
Password rotation has previously been included within best practice guides as a method of minimising the risk of compromised passwords being valid at the time a threat actor attempts to use them. Recent research has indicated that the enforcing password rotation is linked to increased risk of weak passwords, due to users selecting passwords based on patterns - such as `Password1`, `Password2`, `Password3`, or patterns such as `Summer 2021`, `Autumn 2021`, `Winter 2021`.
Continue Reading
Exploiting Path Traversal
Published: 07 June 2021
Path Traversal, also known as Directory Traversal, is a vulnerability where a user can alter a path used by an application. For file retrieval functionality this can allow an attacker to access files that are not intentionally disclosed. For file upload functionality this can allow for website defacement, code execution and stored cross-site scripting attacks.
Continue Reading
Exploiting SQL Injection with Sqlmap
Published: 07 June 2021
We've previously posted about manually finding and exploiting SQL injection vulnerabilities. However one of the reasons SQL Injection is such a high risk vulnerability overall if due to the fact that exploitation can often be entirely automated. One tool for exploiting this vulnerability is sqlmap. From the point of view of security testers, SQL Injection can be time consuming to exploit, especially with slow extraction methods such as Time-based blind. However by automating exploitation can allow security testers to demonstrate the issue risk whilst freeing up time to check other areas of the assessment scope.
Continue Reading
SQL Injection: Filter Evasion with Sqlmap
Published: 07 June 2021
We've previously written about many different techniques for Finding and Exploiting SQL Injection vulnerabilities. However, there are often restrictions and interim technologies such as Web Application Firewalls that can prevent certain payloads from being used. In some instances filters can be bypassed through common encoding mechanisms, however often these will be ineffective and other methods much be used.
Continue Reading
Finding Command Injection
Published: 07 June 2021
Command Injection vulnerabilities occur where user supplied input is insecurely included within an operating system command, allowing an attacker to execute additional commands or alter the syntax of the executed command. This vulnerability typically allows for confidential data theft and may allow a threat actor to target internal network connections for further attacks.
Continue Reading
Strong Passwords: The Problem with Complexity
Published: 07 June 2021
Weak passwords are those which are predictable and can be easily guessed. To ensure that users do not select weak passwords organisations may look to enforce password complexity. Complexity refers to the requirement to use a mixed character set. For example, on Active Directory accounts complexity requires three of the four: uppercase, lowercase, numbers, and symbols. However it is still possible to select weak passwords with complexity enabled, such as `Welcome!`, `Summer2020`, or `Password123456`.
Continue Reading
Implementing Sub-resource Integrity
Published: 31 May 2021
Hosting web application content such as dynamic scripts and stylesheets on third parties such as Content Delivery Networks (CDNs) can allow for significant improvements to site performance and can reduce bandwidth costs. However, scripts included within a web application will execute within the user's browser with the same privileges as the currently logged in user. Therefore if a script is included from an external domain, that domain is trusted with the confidentiality and integrity of data stored within the application.
Continue Reading
Implementing Certification Authority Authorization (CAA)
Published: 14 April 2021
Certification Authority Authorization (CAA) is a used to specify which Certificate Authorities may issue certificates for the domain. Whilst lack of CAA does not constitute a vulnerability itself, it may be used to harden the transport layer security of an application by reducing the risk of certificates being mis-issued. Additionally, it can be used to notify the application owner when a mis-issue is detected and prevented through CAA.
Continue Reading
Controlled Chaos
Published: 10 March 2021
Major outages in major public cloud providers such as Azure and AWS are rare, but they do happen. Today OVH had a major incident: “OVH datacenter burns down knocking major sites offline” and they’re not the only ones to experience these issues, for example Amazon had a major outage in November and Microsoft had one in September.
This prompted me to write up an article on Akimbo’s recent work building resilience into our platform, so today I’m going to talk a little bit about a couple of the features of AWS that allow for significant resilience and I’m going to do that by running you through my recent experiments on our platform which can be roughly summarised as “Turning things off to see what breaks.”
Continue Reading
SQL Injection Exploitation: Out-of-Band
Published: 26 January 2021
Out-of-band exploitation refers to exploits where the extracted information is received over a connection other than the one the payload was delivered over. It can be used to bypass defensive technologies as well as complicating the detection and response capability. SQL Injection can be exploited out-of-band through protocols such as DNS in order to extract database contents. This is particularly useful as an alternative to Time-based exploitation where it can allow for faster extraction. If you're new to this vulnerability, it's worth starting at SQL Injection basics first, before reading this article.
The idea behind out-of-band exploitation is fairly simple, instead of inferring content in the database through something like Boolean logic, you can request the target system transmit the information over protocols such as HTTP, SMB or DNS.
Continue Reading
Strong Passwords: Three Random Words
Published: 23 January 2021
When performing security tests, we very often come across weak passwords. We often see dictionary words with suffixes such as Welcome1, Password123, or Lockdown2020. We also see "leet" substitutions, such as P@55w0rd, 3l3ph@nt, or L0ckd0wn. We've previously shown how quickly password cracking can be performed. With passwords like the above they would be cracked easily. Simple protections such as "Password complexity" don't solve the problem on their own, for example complexity enforces the requirement for three of the following: uppercase, lowercase, numbers, and symbols - which all of the weak options above meet.
Continue Reading
Preventing Windows Accounts Being Bruteforced
Published: 23 January 2021
In a previous article we discussed how bruteforcing Windows accounts is often easier than people expect. In this post - we'll cover some steps to harden these accounts.
The Observation Window
When configuring an account lockout threshold on a Domain another setting is suggested, the observation window. This setting effectively reduces the protection of the account lockout by setting a timer. For example, a lockout threshold of 5 and an observation window of 30 minutes has the impact of meaning that if an attacker attempts 5 incorrect passwords within 30 minutes the account will lock - but four passwords would not cause it to lock.
Therefore, an attacker could attempt 4 passwords every 30 minutes - or 192 per account per day, without locking any accounts.
Continue Reading
Securing Wi-Fi Networks
Published: 23 January 2021
We recently discussed how to break WPA2 keys very quickly using cloud computing. We've also looked at how to use a Rogue AP to capture user credentials from a network using PEAP (MSCHAP).
In this article we'll look at hardening Enterprise wireless networks from these attacks.
The most secure option is to utilise mutual authentication (where both the server and the client authenticate to each other) using digital certificate based authentication, such as offered by EAP-TLS. However, there can be more administrative overhead involved in the deployment of these networks and therefore PEAP may be offer a balance of security and overhead.
To be clear, we recommend the use of EAP-TLS wherever possible - but if you must use PEAP, we offer the following hardening steps:
Continue Reading
Fixing SQL Injection
Published: 22 January 2021
SQL Injection is a vulnerability that occurs where user supplied input is insecurely concatenated into an SQL query. We showed how easy can be to detect in our Finding SQL Injection article, and we’ve run through exploitation in many posts such as our post on Exploiting Error-based SQL Injection.
However, in this post, we’re looking at fixing it. The fix is quite a simple code change. As the issue described is user input insecurely concatenated into a query, the remediation for SQL injection is fairly simple: don’t build queries through string concatenation. Instead, it’s more secure to use “Prepared Statements”, often called “Parameterized Queries”. All modern languages support this type of query either directly or through a framework; here we will supply a PHP example to show the difference.
Continue Reading