Preventing Username Enumeration
Published: 01 December 2022 Last Updated: 05 July 2023
First of all, what is username enumeration? It is when a web application has a feature that allows a user to supply a username and the application will disclose (not necessarily intentionally) if the username is valid or not. This is closely related to Username Disclosure, except in the latter the application is including valid usernames in server responses in some way, which allows a threat actor to determine a username is valid without having to specify it first themselves. Both of these are an issue and both should be addressed.
HTTP Security Headers: X-Frame-Options
Published: 21 February 2022 Last Updated: 03 July 2023
The X-Frame-Options header can be used to specify whether a web browser should be allowed to render the target page in a frame (such as a frame, iframe, embed, or an object tag). This can be used to prevent attacks such as ClickJacking.
HTTP Security Headers: Cache-Control
Published: 21 February 2022 Last Updated: 03 July 2023
The Cache-Control HTTP server response header specifies whether the server response can be cached by the web browser and any interim devices such as web proxies. Generally, if the content of the page includes confidential information, then it should not be cached: if confidential information is cached on a user's device, and that device is a public device or is shared with other users, then the information may be compromised by another user with access to the device.
The OWASP Top 10
Published: 03 December 2021 Last Updated: 03 July 2023
The "OWASP Top 10" is an awareness document that is updated roughly every three years and covers ten significant categories of vulnerabilities that organisations should be concerned about. The vulnerability categories are ordered based on a combination of potential impact, exploitability, and prevalence. The latest version was released in September 2021.
ScotSoft: Building and Breaking Web Applications
Published: 11 October 2021 Last Updated: 03 July 2023
On October 7th I had the pleasure of speaking at ScotSoft 2021 about Penetration Testing and breaking Web Applications. I've included my slides from the presentation and some speaker notes on the content covered here.
Path Traversal Cheat Sheet: Linux
Published: 06 August 2021 Last Updated: 03 July 2023
Got a path/directory traversal or file disclosure vulnerability on a Linux server and need to know some interesting files to hunt for? I’ve got you covered! Know any more good files to look for? Let me know!
The list included below contains absolute file paths; remember that if you have a traversal vulnerability you can prefix these with encoded traversal strings, like these:
Path Traversal Cheat Sheet: Windows
Published: 06 August 2021 Last Updated: 03 July 2023
Got a path/directory traversal or file disclosure vulnerability on a Windows server and need to know some interesting files to hunt for? I’ve got you covered! Know any more good files to look for? Let me know!
The list included below contains absolute file paths; remember that if you have a traversal vulnerability you can prefix these with encoded traversal strings, like these:
HTTP Security Headers: Strict-Transport-Security
Published: 06 August 2021 Last Updated: 05 July 2023
HTTP Strict Transport Security (HSTS) enforces the use of HTTPS in the web browser, ensuring that no information is sent to the domain (and optionally its subdomains too) over plain HTTP, even if the user attempts to navigate to an HTTP page. This additionally mitigates the risk of cookies without the "secure" flag set, by enforcing that all traffic is HTTPS only.
CSRF: Cross-site Request Forgery
Published: 06 August 2021 Last Updated: 05 July 2023
Cross-site Request Forgery, often abbreviated to CSRF and often pronounced “Sea-Surf”, is an attack against a web application that abuses the application’s trust in the user. A threat actor’s aim is to cause a function to execute on the application using the user’s authentication credentials, simply by causing the user’s browser to request that function in the normal way, but from a malicious site.
For example, a user navigates to a malicious site, and this site in turn sends a request to the vulnerable function on the vulnerable web site. This is where “Cross-site” comes from: it is a malicious site sending a request to the vulnerable site.
IDOR: Insecure Direct Object Reference
Published: 06 August 2021 Last Updated: 03 July 2023
In my experience Insecure Direct Object Reference is one of the least well known vulnerabilities out there, but it’s a very simple issue to explain. It’s a vulnerability that generally leads to loss of confidential data, but it can result in the modification of data too.
HTTP Header Injection
Published: 06 August 2021 Last Updated: 05 July 2023
HTTP Header Injection vulnerabilities occur when user input is insecurely included within server response headers. Specifically, if a threat actor can cause the server to generate a response that includes carriage-return and line-feed characters (%0D and %0A respectively in their URI-encoded forms) within a response header, the attacker may be able to add crafted headers of their own. Header Injection can allow for attacks such as response splitting, session fixation, cross-site scripting, and malicious redirection.
HTML5: Cross Domain Messaging (PostMessage) Vulnerabilities
Published: 06 August 2021 Last Updated: 03 July 2023
HTML5 PostMessage (also known as Web Messaging, or Cross Domain Messaging) is a method of passing arbitrary data between domains. However, if not implemented correctly, it can lead to sensitive information disclosure or cross-site scripting vulnerabilities, as it leaves origin validation up to the developer!
HTML5: Cross Origin Resource Sharing (CORS) Vulnerabilities
Published: 06 August 2021 Last Updated: 05 July 2023
So by default the Same-Origin Policy (SOP) won’t allow bi-directional communication between two separate origins; however, as applications scale up there may be a requirement to allow this kind of thing. Think of companies such as Google, which also owns YouTube, or Microsoft, which also owns Outlook and Skype. They may well want inter-origin communication.
Exploiting Path Traversal
Published: 07 June 2021 Last Updated: 05 July 2023
Path Traversal, also known as Directory Traversal, is a vulnerability where a user can alter a path used by an application. For file retrieval functionality this can allow an attacker to access files that are not intentionally disclosed. For file upload functionality this can allow for website defacement, code execution and stored cross-site scripting attacks.
Exploiting SQL Injection with Sqlmap
Published: 07 June 2021 Last Updated: 03 July 2023
We've previously posted about manually finding and exploiting SQL injection vulnerabilities. However, one of the reasons SQL Injection is such a high risk vulnerability overall is that exploitation can often be entirely automated. One tool for exploiting this vulnerability is sqlmap. From the point of view of security testers, SQL Injection can be time consuming to exploit, especially with slow extraction methods such as time-based blind. However, automating exploitation allows security testers to demonstrate the risk of the issue whilst freeing up time to check other areas of the assessment scope.