Climbing Mount WebAppSec – Discovering Directories & Files with Wfuzz

This is the second part of my mini-series on “Domain Discovery”. The first part is here. Following Jason Haddix’s Bug Hunters Methodology I’m at phase three: Mapping. Discovering the domain falls into two parts: the first to the left of the domain (subdomains) and the second to the right of the domain (directories/files). In this post I will cover directories/files. As with subdomains, the premise in discovering directories/files is firstly to enlarge the attack surface and in the process find some easier wins. Directories and files may be forgotten in the mists of time, or may be part of the website admin/functionality the …

Climbing Mount WebAppSec – ZAP Directory Traversal

Whilst reading OWASP Testing Guide v4 I came across the section on testing for directory traversal and noted the “tools” at the bottom. Wfuzz and Dirbuster (the latter now incorporated into ZAP) I know about and will be dealing with in an upcoming “Discovering directories/files”. This left DotDotPwn and ZAP (Zed Attack Proxy) itself. Interestingly, DotDotPwn is incorporated into TrustedSec’s Penetrations Testers Toolkit (blogged about here) under “vulnerability-analysis”. So, quick and easy for me to fire up the tool and unleash it – however – I immediately hit a brick wall with URLs not responding. It transpires this tool cannot easily handle HTTPS without a fair …

Climbing Mount WebAppSec – Discovering Subdomains

Following Jason Haddix’s Bug Hunters Methodology I’m at phase two: Discovery. Discovering the domain falls into two parts: the first to the left of the domain (subdomains) and the second to the right of the domain (directories/files). In this post I will cover subdomains. The premise in discovering subdomains is firstly to enlarge the attack surface and in the process find some easier wins. Subdomains may be forgotten in the mists of time; for example, originally set up for testing purposes, or a myriad other reasons that make them of interest to us. There are a lot of solid tools out there …

Climbing Mount WebAppSec

Recently I have become somewhat obsessed with Web Application Security (WebAppSec), sparked in part by coming into contact with Detectify’s Lab blog posts and also the news that the UK – via the NCSC and in tandem with Luta Security – will be running a “Vulnerability Co-ordination Pilot”. As WebAppSec is not a field I have devoted any great length of time to in the past, I am starting out on this journey as a relative novice. As such, I have decided to chart my progress and learning for anybody else that may be interested. I will consider this climb accomplished …

RUAG Breach – A lesson in cyber espionage tradecraft tools & techniques

Following a successful data breach of Swiss defense contractor RUAG – specialising in aerospace technology – the Swiss Governmental Computer Emergency Response Team (GovCERT) took the unusual step of publishing a comprehensive data breach report. The reasons given for publishing the report: “…to give organizations the chance to check their networks for similar infections, and to show the modus operandi of the attacker group.” You can download the summary technical report here (PDF, 2 pages) and the full espionage report here (PDF, 34 pages). If the full report is a little TL;DR for your time or taste – or even …

GDPR – The Right To Be Forgotten

In light of recent headlines purporting that our ‘Right to be Forgotten’ is newly enshrined in the General Data Protection Regulation (GDPR), I thought I’d take a closer look. The ‘right to be forgotten’ actually has its roots in the 1995 Data Protection Directive, Article 12 (Right of access): “Member States shall guarantee every data subject the right to obtain from the controller: (b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;” This Article (among others) was …

GDPR – Profiling – A Quick Overview

Although the 1995 Data Protection Directive included the right for people not to be subject to decisions based solely on automatic processing of data, the term “Profiling” was not legally defined. “Profiling” makes an appearance twenty-three times in the new General Data Protection Regulation (GDPR), and its importance is no doubt a response to the advances in Big Data Predictive Analysis. Article 4 defines “profiling” thusly: “(4) ‘profiling’ means any form of automated processing of personal data consisting of the use of personal data to evaluate certain personal aspects relating to a natural person, in particular to analyse or predict …

UK Cyber Security Breaches Survey 2016 – Some Quick Stats

The UK government has just published the Cyber Security Breaches Survey 2016 (PDF here). Commissioned by the Department for Culture, Media and Sport as part of the National Cyber Security Programme, it was carried out by Ipsos MORI, in partnership with the Institute for Criminal Justice Studies at the University of Portsmouth, and comprised:

▪ a representative telephone survey of 1,008 UK businesses from 30 November 2015 to 5 February 2016
▪ a total of 30 in-depth interviews undertaken in January and February 2016 to follow up businesses that …

Here are some pertinent stats lifted from the report: (69%) say cyber security is either …

#GDPR – You have two years to comply

After four years of discussions – and no doubt many head-desk moments – the Official Journal of the European Union has published the General Data Protection Regulation (GDPR). This replaces the 1995 Data Protection Directive. The distinction between “Regulation” and “Directive” is an important one. The previous directive was just that – a document to direct EU member states in the formation of national legislation pertaining to data protection. The regulation differs in that it is directly applicable to all member states without the need for legislation on a national level. Although there remains a small degree of latitude on certain matters for individual states, …

The normalisation of biometric authentication

The ‘problem with passwords’ is well documented and grows more acute as traditional network boundaries are blurred with the adoption of mobile devices. As a result, the imperative to counter user impersonation and prove authentication on endpoint devices has never been so critical. Traditionally, biometric solutions have not been widely adopted because of complexity, interoperability, credential storage, spoofing, false failures, flawed technology and perceived intrusiveness. Compounding this, high-profile biometric breaches such as the one that hit the OPM have naturally led the public to ask again “Quis custodiet ipsos custodes?”, and no less because if their card is compromised, they can …