Published: 06 August 2021    Last Updated: 03 November 2022

I wanted to talk a little bit about the British Airways breach; I won’t be focusing on the intention to fine from the ICO. I’ll just be talking a little about vulnerabilities, how they can be addressed, and the issues mitigations may bright. I’ll also be talking about a security incident that hit the ICO and how it was potentially very similar to what happened to British Airways.

Published: 06 August 2021    Last Updated: 03 November 2022

In 2017 Equifax were breached, the breach was discovered on July 29^[5] and an announcement was published on Sept 7.^[5] It wasn’t the largest breach of all time, and not even of 2017, but it was big and the data was sensitive. Over the two weeks following the announcement, Equifax stock fell from 142.72 to 92.98 (34.58%)

In regards to large breaches, in the same year Yahoo “upgraded” their previous August 2013 breach to note that it now believed to have affected all 3 billion accounts held on their systems. This figure was up from the original reported 1 billion affected accounts.^[1][2][3] Yahoo noted that the stolen user information may have included names, email addresses, telephone numbers, dates of birth, MD5 hashes of passwords and in some cases encrypted or unencrypted security questions and answers.^[3]

Published: 06 August 2021    Last Updated: 03 November 2022

In my experience Insecure Direct Object Reference is one of the least well known vulnerabilities out there, but it’s a very simply issue to explain. It’s a vulnerability that generally leads to loss of confidential data but can result in the less of modification of data too.

Published: 06 August 2021    Last Updated: 03 November 2022

Often abbreviated to CSRF and often pronounced as “Sea-Surf” is an attack against a Web Application that abuses an application’s trust in the user. An attacker’s aim is to cause a function to execute on the application using the user’s authentication credentials simply by causing the user’s browser to request that function in the normal way, but from a malicious site.

For example, a user navigates to a malicious site and this site in turn sends a request to the vulnerable function on the vulnerable web site. This is where “Cross-site” comes from, it is a malicious site sending a request to the vulnerable site.

Published: 06 August 2021    Last Updated: 03 November 2022

HTTP Strict Transport Security (HSTS) enforces the use of HTTPS in the web browser, ensuring that no information is sent to the domain (and optionally subdomains too), even if the user attempts to navigate to a HTTP page. This additionally mitigates the risk of cookies without the "secure" flag set, by enforcing all traffic is HTTPS only.

Published: 06 August 2021    Last Updated: 03 November 2022

Got a path/directory traversal or file disclosure vulnerability on a Windows-server and need to know some interesting files to hunt for? I’ve got you covered Know any more good files to look for? Let me know!

The list included below contains absolute file paths, remember if you have a traversal attack you can prefix these with encoding traversal strings, like these:

Published: 06 August 2021    Last Updated: 03 November 2022

Got a path/directory traversal or file disclosure vulnerability on a Linux-server and need to know some interesting files to hunt for? I’ve got you covered Know any more good files to look for? Let me know!

The list included below contains absolute file paths, remember if you have a traversal attack you can prefix these with encoding traversal strings, like these:

Published: 06 August 2021    Last Updated: 03 November 2022

In my introduction to hardware hacking, I mention that radio systems may be part of the attack surface for a hardware device penetration test. So I thought I’d give a gentle introduction to hacking with an SDR here!

Firstly, what’s an SDR? It stands for software-defined radio, and refers to a category of devices which allow you to interface with radio. There are a lot of SDR devices on the market to choose from when you first get started – a RTL-SDR can be picked up for £15 and devices from Ettus Research go well into the thousands of pounds.

Published: 06 August 2021    Last Updated: 03 November 2022

Logic Analyzers are inexpensive devices that allow you to just take a look at what a small number of pins on a chip are up to. They can be hooked into software like PulseView to read pin output and decode it into something more useful. Many decoders are available, but in this introduction we’ll have a quick look at PulseView and reading (decoding) UART data.

I’ve previously written about UART and how to find them with a JTAGulator, but here’s a different approach.

Published: 06 August 2021    Last Updated: 03 November 2022

UART stands for Universal Asynchronous Receiver/Transmitter, however in the context of Hardware Hacking we’re generally looking for an serial interface which will give us text output from the system and possibly allow for command input. The general intention from the manufacturers point of view – is to allow easy debugging, both out of the factor (to check the system is working as intended) and if a device is returned as broken.

As with JTAG, sometimes it’s conveniently highlighted on a target board for you, as with this example. The below photograph showing an exposed UART in yellow (and incidentally JTAG in red). Here it’s neatly placed to one side of the board to allow for easy access. That’s not necessarily the case, but either way you can find possible UART access with a JTAGulator, as I’ll show.

Published: 06 August 2021    Last Updated: 03 November 2022

So I’m playing around with a device right now and I’m currently pulling out the contents of its flash memory over SPI – so I figured I’d write a few notes about how to do just that!

Here’s what I’m playing with, in case you’re curious:

Published: 06 August 2021    Last Updated: 03 November 2022

JTAG is short for Joint Test Action Group and generally refers to on-chip debugging interfaces that follow the IEEE 1149.x standard. The standard doesn’t mandate a certain connection – it just dictates a standard for communicating with chips in a device. It uses 5 pins: TCK, TMS, TDI, TDO and (options) TRST; which are (Test) Clock, Mode Select, Data In, Data Out, and Reset.

It can be useful to hardware hackers in various ways, such as extracting device IDs, extracting firmware, overwriting memory.

Published: 06 August 2021    Last Updated: 03 November 2022

I previously mentioned dumping memory contents using SPI, with a BusPirate. Sometimes that’s not feasible – such as if the flash memory module is a little inaccessible and you’re not feeling like deconstructing the board just yet.

An alternative is to pull memory over JTAG. I talked about accessing JTAG and interacting with a chip using OpenOCD previously, however this time around I’d like to go a step further.

Published: 06 August 2021    Last Updated: 03 November 2022

Same-Origin Policy (SOP) is a critical part of the security implemented within a web browser. It’s the part of your browser’s security system that prevents malicious pages from reading confidential information from other sites. So thepiratebay.com can’t read data from barclays.com because it’s blocked by SOP.

The way that it works simply, is that pages of different origins can send requests to other domains, but not process their responses. Certain items aren’t covered by SOP, such as images and scripts – this is because these are considered assets to be used within an application and not considered to affect the security of that application.

Published: 06 August 2021    Last Updated: 03 November 2022

One method for escalating permission from Local/Domain User to Local Administrator, is "Unquoted Service paths". In my experience finding unquoted service paths is a common occurrence, however actually being able to exploit them is not. In this article we'll explore how to find these issues and how to quickly determine if they're exploitable or not.