Preventing Username Enumeration
Published: 01 December 2022 Last Updated: 05 July 2023
First of all, what is username enumeration? It is when a web application has a feature that allows a user to supply a username and the application discloses (not necessarily intentionally) whether or not that username is valid. This is closely related to Username Disclosure, except that in the latter the application includes valid usernames in server responses in some way, which allows a threat actor to determine that a username is valid without having to supply it themselves first. Both of these are an issue and both should be addressed.
The OWASP Top 10
Published: 03 December 2021 Last Updated: 03 July 2023
The "OWASP Top 10" is an awareness document that is updated roughly every three years and covers ten significant categories of vulnerabilities that organisations should be concerned about. The vulnerability categories are ordered based on a combination of potential impact, exploitability, and prevalence. The latest version was released in September 2021.
Path Traversal Cheat Sheet: Linux
Published: 06 August 2021 Last Updated: 03 July 2023
Got a path/directory traversal or file disclosure vulnerability on a Linux server and need to know some interesting files to hunt for? I’ve got you covered. Know any more good files to look for? Let me know!
The list included below contains absolute file paths. Remember that if you have a traversal vulnerability you can prefix these with traversal strings, including their encoded variants, like these:
CSRF: Cross-site Request Forgery
Published: 06 August 2021 Last Updated: 05 July 2023
Cross-site Request Forgery, often abbreviated to CSRF and often pronounced “Sea-Surf”, is an attack against a Web Application that abuses an application’s trust in the user. A threat actor’s aim is to cause a function to execute on the application using the user’s authentication credentials, simply by causing the user’s browser to request that function in the normal way, but from a malicious site.
For example, a user navigates to a malicious site and this site in turn sends a request to the vulnerable function on the vulnerable web site. This is where “Cross-site” comes from: it is a malicious site sending a request to the vulnerable site.
IDOR: Insecure Direct Object Reference
Published: 06 August 2021 Last Updated: 03 July 2023
In my experience Insecure Direct Object Reference is one of the least well known vulnerabilities out there, but it’s a very simple issue to explain. It’s a vulnerability that generally leads to loss of confidential data but can result in the modification of data too.
HTML5: Cross Origin Resource Sharing (CORS) Vulnerabilities
Published: 06 August 2021 Last Updated: 05 July 2023
So by default the Same-Origin Policy (SOP) won’t allow bi-directional communications between two separate origins; however, as applications scale up there may be a requirement to allow this kind of thing. Think of companies such as Google, which also owns YouTube, or Microsoft, which also owns Outlook and Skype. They may well want inter-origin communications.
HTTP Header Injection
Published: 06 August 2021 Last Updated: 05 July 2023
HTTP Header Injection vulnerabilities occur when user input is insecurely included within server response headers. Specifically, if a threat actor can cause the server to generate a response that includes carriage-return and line-feed characters (%0D and %0A respectively in their URI-encoded forms) within a response header, the attacker may be able to add crafted headers of their own. Header Injection can allow for attacks such as response splitting, session fixation, cross-site scripting, and malicious redirection.
Exploiting SQL Injection with Sqlmap
Published: 07 June 2021 Last Updated: 03 July 2023
We've previously posted about manually finding and exploiting SQL injection vulnerabilities. However, one of the reasons SQL Injection is such a high risk vulnerability overall is that exploitation can often be entirely automated. One tool for exploiting this vulnerability is sqlmap. From the point of view of security testers, SQL Injection can be time consuming to exploit, especially with slow extraction methods such as Time-based blind. Automating exploitation allows security testers to demonstrate the risk of the issue whilst freeing up time to check other areas of the assessment scope.
Exploiting Path Traversal
Published: 07 June 2021 Last Updated: 05 July 2023
Path Traversal, also known as Directory Traversal, is a vulnerability where a user can alter a path used by an application. For file retrieval functionality this can allow an attacker to access files that are not intentionally disclosed. For file upload functionality this can allow for website defacement, code execution and stored cross-site scripting attacks.
SQL Injection: Filter Evasion with Sqlmap
Published: 07 June 2021 Last Updated: 03 July 2023
We've previously written about many different techniques for Finding and Exploiting SQL Injection vulnerabilities. However, there are often restrictions and interim technologies such as Web Application Firewalls that can prevent certain payloads from being used. In some instances filters can be bypassed through common encoding mechanisms; however, these will often be ineffective and other methods must be used.
Finding Command Injection
Published: 07 June 2021 Last Updated: 05 July 2023
Command Injection vulnerabilities occur where user supplied input is insecurely included within an operating system command, allowing a threat actor to execute additional commands or alter the syntax of the executed command. This vulnerability typically allows for confidential data theft and may allow a threat actor to target internal network connections for further attacks.
SQL Injection Exploitation: Out-of-Band
Published: 26 January 2021 Last Updated: 03 July 2023
Out-of-band exploitation refers to exploits where the extracted information is received over a connection other than the one the payload was delivered over. It can be used to bypass defensive technologies as well as complicating detection and response. SQL Injection can be exploited out-of-band through protocols such as DNS in order to extract database contents. This is particularly useful as an alternative to Time-based exploitation, as it can allow for faster extraction. If you're new to this vulnerability, it's worth starting at SQL Injection basics first, before reading this article.
The idea behind out-of-band exploitation is fairly simple: instead of inferring content in the database through something like Boolean logic, you have the target system transmit the information over protocols such as HTTP, SMB or DNS.
Fixing SQL Injection
Published: 22 January 2021 Last Updated: 03 July 2023
SQL Injection is a vulnerability that occurs where user supplied input is insecurely concatenated into an SQL query. We showed how easy it can be to detect in our Finding SQL Injection article, and we’ve run through exploitation in many posts such as our post on Exploiting Error-based SQL Injection.
In this post, however, we’re looking at fixing it. The fix is quite a simple code change. As the issue is user input being insecurely concatenated into a query, the remediation is correspondingly simple: don’t build queries through string concatenation. Instead, it’s more secure to use “Prepared Statements”, often called “Parameterized Queries”. All modern languages support this type of query either directly or through a framework; here we will supply a PHP example to show the difference.
Fixing DOM-Based XSS
Published: 25 October 2020 Last Updated: 03 July 2023
Whilst Reflected and Stored XSS can generally be addressed through server-side encoding of user input (such as through the PHP htmlentities() function) or with browser protections such as Content-Security-Policy, this is not sufficient for DOM-XSS.
Where a dangerous function is used, user input into that function should be limited through user input filtering. An allow-list approach of restricting user input to only known-good input should be used. For example, limiting input to the smallest number of characters possible (such as alphanumerics only) and checking the expected data type (such as limiting input to integers only). This is in contrast to a block-list of known-bad inputs being blocked, which is often less effective due to the large degree of flexibility that JavaScript allows. For a good example of this flexibility, consider something like JScrewIt.
Fixing Cross-site Scripting (XSS)
Published: 25 October 2020 Last Updated: 03 July 2023
This issue comes about where user supplied input is included within server responses without filtering or encoding.
One very effective method of preventing this attack is to use an allow-list (sometimes called a whitelist) which will allow only known good content. For example, if your expected input is an integer and the user supplies anything other than an integer you can simply reject that input – and perhaps supply a message to inform the user what the issue is, without including the original payload.