Subdomain Hijacking – Notes, links & tools

I had previously read about subdomain hijacking, but in all honesty I didn’t really “get it”. All that changed starting with the Security Fest talk by Frans Rosén entitled “DNS hijacking using cloud providers”, or more accurately, I really started to get it going through Frans’s slides of the talk. I don’t want to explain the premise of this to you as it’s one of those you have to investigate yourself to really get to grips with it. But what I will do to (hopefully) bring your learning time down is detail below all of the links Frans mentions plus those from my …
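The core check behind the talk, as an added example (not code from the original post or from Frans Rosén’s slides): a subdomain whose CNAME points at a cloud-hosted name that nobody currently owns can be claimed by anyone who registers that name with the provider. The provider fingerprint table and the sample records below are constructed for illustration and are not an authoritative list.

```python
"""Classify CNAME records as subdomain-takeover candidates.

Added example; not code from the original post or from Frans Rosén's talk.
The provider fingerprints and the sample records below are constructed for
illustration, not an authoritative list.
"""
from dataclasses import dataclass
from typing import List, Optional

# Constructed: CNAME target suffix -> text the provider serves for an
# unclaimed resource. A real scanner would load a maintained fingerprint list.
FINGERPRINTS = {
    "s3.amazonaws.com": "NoSuchBucket",
    "herokuapp.com": "no such app",
    "github.io": "There isn't a GitHub Pages site here",
}


@dataclass
class Probe:
    name: str              # subdomain under test
    cname: Optional[str]   # CNAME target, or None if the name has no CNAME
    nxdomain: bool         # True if the CNAME target itself fails to resolve
    body: str              # HTTP response body when the subdomain is fetched


def provider_for(target: str) -> Optional[str]:
    """Match a CNAME target against the known cloud suffixes."""
    target = target.rstrip(".").lower()
    for suffix in FINGERPRINTS:
        if target == suffix or target.endswith("." + suffix):
            return suffix
    return None


def classify(p: Probe) -> str:
    """Return a verdict for one subdomain.

    The two interesting outcomes are:
      dangling-nxdomain  - the CNAME points at a name that no longer exists,
                           so whoever registers that name on the provider
                           owns the subdomain;
      takeover-candidate - the target resolves, but the provider answers with
                           its "unclaimed" page, so the resource can be claimed.
    """
    if p.cname is None:
        return "no-cname"
    provider = provider_for(p.cname)
    if provider is None:
        return "cname-not-cloud"
    if p.nxdomain:
        return "dangling-nxdomain"
    if FINGERPRINTS[provider].lower() in p.body.lower():
        return "takeover-candidate"
    return "claimed"


def find_candidates(probes: List[Probe]) -> List[str]:
    """Names worth escalating: either dangling or answered with an unclaimed page."""
    return [p.name for p in probes
            if classify(p) in ("dangling-nxdomain", "takeover-candidate")]


# Constructed sample input standing in for real DNS answers and HTTP fetches.
SAMPLE = [
    Probe("assets.example.com", "old-site-assets.s3.amazonaws.com.", False,
          "<Error><Code>NoSuchBucket</Code></Error>"),
    Probe("app.example.com", "legacy-app.herokuapp.com", False,
          "<html>Welcome to our app</html>"),
    Probe("blog.example.com", "example-blog.github.io", True, ""),
    Probe("www.example.com", None, False, "<html>Home</html>"),
    Probe("cdn.example.com", "edge.some-other-cdn.net", False, "ok"),
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(f"{p.name:22} {classify(p)}")
    print("escalate:", find_candidates(SAMPLE))
```

The “claimed” verdict is the one to treat with care: a fingerprint match proves the resource is unclaimed, but its absence only proves the provider served something, so a missing or outdated fingerprint hides a real takeover.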

Climbing Mount WebAppSec – Chrome Extensions

As we move “client-side”, browsers are ever more important as they effectively become our operating system – the Chromebook, for example. Many of the tasks we undertake were traditionally hosted inside the operating system but are now accessed via the browser, email and document processing being the prime examples. As a consequence, browser security has become critical. To extend our browser’s functionality we depend on third-party extensions. It is vital we check the privileges granted to these extensions, as they often demand unnecessarily invasive access. To give an example, I recently needed a simple PDF viewer Chrome extension and noted the …
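One way to do that check before installing, as an added example that is not code from the original post: parse the extension’s manifest.json and flag broad host access together with the API permissions that reach into other tabs. The risk table and the sample “PDF viewer” manifest are assumptions constructed for this illustration; Chrome’s own permission warning tiers are more fine-grained.

```python
"""Audit a Chrome extension manifest for over-broad permissions.

Added example, not code from the original post. The risk table is an
assumption chosen for this illustration; Chrome's own permission warning
tiers are more fine-grained.
"""
import json
from typing import Dict, List

# Constructed: API permissions that let an extension read or alter what you
# do in other tabs, not just render the content it was installed for.
HIGH_RISK = {
    "tabs", "webRequest", "webRequestBlocking", "cookies", "history",
    "clipboardRead", "debugger", "management", "proxy", "nativeMessaging",
    "declarativeNetRequest",
}
# Host patterns that grant access to every site the user visits.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}


def is_host_pattern(entry: str) -> bool:
    """In manifest v2, host match patterns share the "permissions" list with API names."""
    return entry == "<all_urls>" or "://" in entry


def audit(manifest_json: str) -> Dict[str, List[str]]:
    m = json.loads(manifest_json)
    perms = m.get("permissions", [])
    # v3 moved host access into host_permissions; v2 mixes it into permissions.
    hosts = list(m.get("host_permissions", [])) + [p for p in perms if is_host_pattern(p)]
    # Content scripts injected into matching pages are host access by another name.
    for cs in m.get("content_scripts", []):
        hosts.extend(cs.get("matches", []))
    apis = [p for p in perms if not is_host_pattern(p)]
    return {
        "manifest_version": [str(m.get("manifest_version"))],
        "broad_hosts": sorted(set(h for h in hosts if h in BROAD_HOSTS)),
        "high_risk_apis": sorted(set(p for p in apis if p in HIGH_RISK)),
        "other_hosts": sorted(set(h for h in hosts if h not in BROAD_HOSTS)),
    }


def verdict(report: Dict[str, List[str]]) -> str:
    if report["broad_hosts"] and report["high_risk_apis"]:
        return "reject: reads every site and can act on other tabs"
    if report["broad_hosts"] or report["high_risk_apis"]:
        return "review: justify each flagged entry against the extension's purpose"
    return "ok"


# Constructed manifest for a hypothetical "simple PDF viewer" that asks for far
# more than rendering PDFs needs; the *.pdf content-script match is all it should want.
PDF_VIEWER_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Hypothetical PDF Viewer",
    "permissions": ["tabs", "webRequest", "storage"],
    "host_permissions": ["<all_urls>"],
    "content_scripts": [{"matches": ["*://*/*.pdf"], "js": ["viewer.js"]}],
})

if __name__ == "__main__":
    report = audit(PDF_VIEWER_MANIFEST)
    print(json.dumps(report, indent=2))
    print(verdict(report))
```

Run it against a manifest pulled from the extension’s .crx or its unpacked directory; the contrast between “other_hosts” (what the extension plausibly needs) and “broad_hosts” is usually the whole story.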

OWASP Juice Shop Vulnerable Webapp

A couple of weeks ago Björn Kimminich released the Juice Shop Vulnerable Web Application at the OWASP AppSec Europe conference in Belfast. Why another vulnerable webapp for target practice? This from GitHub:

Main Selling Points:
- Easy-to-install: Choose between Node.js, Docker and Vagrant to run on Windows/Mac/Linux
- Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically
- Self-healing: The simple SQLite database is wiped and regenerated from scratch on every server startup
- Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board
- CTF-support: Challenge notifications optionally show a flag code for your …

Climbing Mount WebAppSec – Discovering Directories & Files with Wfuzz

This is the second part of my mini-series on “Domain Discovery”. The first part is here. Following Jason Haddix’s Bug Hunter’s Methodology I’m at phase three: Mapping. Discovering the domain falls into two parts: the first to the left of the domain (subdomains) and the second to the right of the domain (directories/files). In this post I will cover directories/files. As with subdomains, the premise in discovering directories/files is firstly to enlarge the attack surface and in the process find some easier wins. Directories and files may be forgotten in the mists of time, or may be part of the website admin/functionality the …
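What a directory/file fuzzer actually does, as an added example (not code from the original post or from the Wfuzz project): substitute each wordlist entry for a FUZZ marker in the URL, then throw away the responses that mean “nothing here”. The “site” below is a constructed lookup table so the script runs offline; the interesting part is the second filter, which catches servers that answer 200 for every path and so defeat a plain hide-404 filter.

```python
"""Directory/file discovery with wfuzz-style result filtering.

Added example, not code from the original post or from the wfuzz project.
The "server" is a constructed table so the script runs offline; swap in a
real fetch (e.g. urllib) to use it against a target you are authorised to test.
"""
from typing import Callable, Dict, Iterable, List, Tuple

Response = Tuple[int, int]          # (HTTP status, body length in bytes)
Fetch = Callable[[str], Response]

# Constructed "site": known paths and what they return. Every other path gets a
# 200 with the same catch-all page, which is what defeats a bare --hc 404 filter.
SITE: Dict[str, Response] = {
    "/admin/": (301, 0),
    "/robots.txt": (200, 87),
    "/backup.zip": (403, 146),
    "/.git/HEAD": (200, 23),
}
SOFT_404: Response = (200, 1432)


def fake_fetch(url: str) -> Response:
    """Stand-in for an HTTP client: map the URL's path onto the constructed site."""
    hostpath = url.split("://", 1)[-1]
    path = hostpath[hostpath.index("/"):] if "/" in hostpath else "/"
    return SITE.get(path, SOFT_404)


def baseline(template: str, fetch: Fetch) -> Response:
    """Fetch a path that should not exist; its response is the site's "not found" shape."""
    return fetch(template.replace("FUZZ", "zz-does-not-exist-7f3a9c"))


def fuzz(template: str, words: Iterable[str], fetch: Fetch,
         hide_codes=(404,), extensions=("",)) -> List[Tuple[str, int, int]]:
    """Substitute each word (and extension) for FUZZ, keep only interesting responses.

    Two filters mirror the wfuzz flags a practitioner reaches for first:
      hide_codes - like --hc, drop statuses that mean "nothing here";
      baseline   - like --hh <size>, drop responses identical to the catch-all page.
    """
    not_found = baseline(template, fetch)
    hits = []
    for word in words:
        for ext in extensions:
            url = template.replace("FUZZ", word + ext)
            status, size = fetch(url)
            if status in hide_codes:
                continue
            if (status, size) == not_found:
                continue
            hits.append((url, status, size))
    return hits


# Constructed wordlist; real runs use SecLists-sized lists.
WORDS = ["admin", "robots", "backup", ".git/HEAD", "login", "uploads"]

if __name__ == "__main__":
    for hit in fuzz("http://target.example/FUZZ", WORDS, fake_fetch,
                    extensions=("", "/", ".txt", ".zip")):
        print(hit)
```

The equivalent wfuzz invocation is `wfuzz -z file,wordlist.txt --hc 404 https://target/FUZZ`; if everything comes back 200, note the size of a deliberately bogus path and add `--hh <that size>` so the catch-all page drops out, exactly as the baseline filter above does.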

Climbing Mount WebAppSec – ZAP Directory Traversal

Whilst reading the OWASP Testing Guide v4 I came across the section on testing for directory traversal and noted the “tools” at the bottom. Wfuzz and DirBuster (the latter now incorporated into ZAP) I know about and will be dealing with in an upcoming “Discovering directories/files” post. This left DotDotPwn and ZAP (Zed Attack Proxy) itself. Interestingly, DotDotPwn is incorporated into TrustedSec’s Penetration Testers Toolkit (blogged about here) under “vulnerability-analysis”. So, quick and easy for me to fire up the tool and unleash it – however – I immediately hit a brick wall with URLs not responding. It transpires this tool cannot easily handle HTTPS without a fair …
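What the traversal test is looking for, as an added example (not code from the original post, from ZAP or from DotDotPwn): a file handler that joins the request path onto the web root without checking the result, beside a hardened version that resolves the path and proves it is still inside the root, and the encoded `../` variants a DotDotPwn-style fuzzer sends at both. The file layout is constructed in a temporary directory so it runs offline.

```python
"""Directory traversal: a vulnerable file handler, a hardened one, and the
payloads a DotDotPwn-style fuzzer throws at them.

Added example, not code from the original post, from ZAP or from DotDotPwn.
The file layout is constructed in a temporary directory so it runs offline.
"""
import os
import tempfile
from typing import Callable, Dict, List
from urllib.parse import unquote


def serve_vulnerable(base: str, requested: str) -> str:
    # os.path.join neither normalises "../" nor refuses absolute paths, so the
    # request decides which file is read.
    with open(os.path.join(base, unquote(requested))) as f:
        return f.read()


def serve_hardened(base: str, requested: str) -> str:
    root = os.path.realpath(base)
    # Decode exactly once, resolve symlinks and "..", then prove the result is still under root.
    path = os.path.realpath(os.path.join(root, unquote(requested)))
    if os.path.commonpath([root, path]) != root:
        raise PermissionError(f"refusing to serve outside web root: {requested}")
    with open(path) as f:
        return f.read()


def traversal_payloads(target: str, depth: int) -> List[str]:
    """Encoding variants of "../" repeated `depth` times, as a traversal fuzzer would."""
    variants = ["../", "..%2f", "..%2F", "%2e%2e/", "..\\"]
    return [v * depth + target for v in variants]


def probe(handler: Callable[[str, str], str], base: str,
          payloads: List[str], marker: str) -> List[str]:
    """Return the payloads for which the handler disclosed the out-of-root file."""
    leaked = []
    for p in payloads:
        try:
            if marker in handler(base, p):
                leaked.append(p)
        except (OSError, ValueError):
            pass   # not found, refused, or unreadable: no disclosure
    return leaked


def run_demo() -> Dict[str, List[str]]:
    # Constructed layout: <tmp>/secret.txt sits three levels above the web root <tmp>/a/b/www.
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "a", "b", "www")
        os.makedirs(base)
        with open(os.path.join(tmp, "secret.txt"), "w") as f:
            f.write("TOP-SECRET")
        with open(os.path.join(base, "index.html"), "w") as f:
            f.write("<h1>hello</h1>")
        payloads = traversal_payloads("secret.txt", depth=3)
        return {
            "vulnerable": probe(serve_vulnerable, base, payloads, "TOP-SECRET"),
            "hardened": probe(serve_hardened, base, payloads, "TOP-SECRET"),
            "hardened_serves_normal_file": [serve_hardened(base, "index.html")],
        }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

On a POSIX host the backslash variant is just an odd filename, which is why the fuzzer carries it anyway: the same payload list is run against every target and the server’s platform decides which ones bite. The probe takes a plain handler, so whether the real target speaks HTTP or HTTPS is a transport detail for the fetch layer, not for the payloads.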

Climbing Mount WebAppSec – Discovering Subdomains

Following Jason Haddix’s Bug Hunter’s Methodology I’m at phase two: Discovery. Discovering the domain falls into two parts: the first to the left of the domain (subdomains) and the second to the right of the domain (directories/files). In this post I will cover subdomains. The premise in discovering subdomains is firstly to enlarge the attack surface and in the process find some easier wins. Subdomains may be forgotten in the mists of time; for example, originally set up for testing purposes, or for any of a myriad other reasons that make them of interest to us. There are a lot of solid tools out there …
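The wordlist half of subdomain discovery, as an added example (not code from the original post or from any of the tools it links): resolve each candidate name and keep the ones that answer, but first work out whether the zone has a wildcard record, because a wildcard makes every name in the wordlist look “found”. The resolver below is a constructed lookup table so the script runs offline; a real run would replace `fake_resolve` with a function doing A lookups (dnspython, for instance) that returns None on NXDOMAIN.

```python
"""Subdomain brute-forcing with wildcard-DNS detection.

Added example, not code from the original post or from any of the tools it
links. The resolver is a constructed lookup table so this runs offline; for a
real run, replace `fake_resolve` with a function that performs A lookups
(e.g. via dnspython) and returns None on NXDOMAIN.
"""
import random
import string
from typing import Callable, Dict, List, Optional, Set

Resolver = Callable[[str], Optional[Set[str]]]   # name -> A records, or None if NXDOMAIN

# Constructed zone. The "*" entry models wildcard DNS: every unknown name under
# example.com answers with the same address, which would otherwise make the
# whole wordlist look "found".
ZONE: Dict[str, Set[str]] = {
    "www.example.com": {"203.0.113.10", "203.0.113.11"},
    "dev.example.com": {"198.51.100.7"},
    "staging.example.com": {"198.51.100.8"},
    "*.example.com": {"203.0.113.10"},
}


def fake_resolve(name: str) -> Optional[Set[str]]:
    """Stand-in resolver: exact entry first, then the parent's wildcard, else NXDOMAIN."""
    if name in ZONE:
        return ZONE[name]
    parts = name.split(".", 1)
    if len(parts) < 2:
        return None
    return ZONE.get("*." + parts[1])


def wildcard_answers(domain: str, resolve: Resolver, rounds: int = 3) -> Set[str]:
    """Resolve random labels; addresses they all share are wildcard noise."""
    shared: Optional[Set[str]] = None
    for _ in range(rounds):
        label = "".join(random.choices(string.ascii_lowercase, k=12))
        answer = resolve(f"{label}.{domain}")
        if not answer:
            return set()          # random names fail, so there is no wildcard
        shared = set(answer) if shared is None else shared & answer
    return shared or set()


def brute_force(domain: str, words: List[str], resolve: Resolver) -> Dict[str, List[str]]:
    """Try each word as a label under `domain`; keep names that resolve to more than the wildcard."""
    wild = wildcard_answers(domain, resolve)
    found: Dict[str, List[str]] = {}
    for word in words:
        name = f"{word}.{domain}"
        answer = resolve(name)
        if not answer:
            continue
        # A name that only returns the wildcard address tells us nothing.
        if wild and answer <= wild:
            continue
        found[name] = sorted(answer)
    return found


# Constructed wordlist; real runs use the large public subdomain lists.
WORDS = ["www", "mail", "dev", "staging", "vpn", "test"]

if __name__ == "__main__":
    print("wildcard:", wildcard_answers("example.com", fake_resolve))
    for name, addrs in brute_force("example.com", WORDS, fake_resolve).items():
        print(name, addrs)
```

The wildcard filter has a known blind spot: a real host that happens to share the wildcard address is dropped along with the noise, so on a wildcard zone the follow-up is to probe the surviving addresses with candidate Host headers rather than trust DNS alone.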

Climbing Mount WebAppSec

Recently I have become somewhat obsessed with Web Application Security (WebAppSec), sparked in part by coming into contact with Detectify’s Lab blog posts and also the news that the UK – via the NCSC and in tandem with Luta Security – will be running a “Vulnerability Co-ordination Pilot”. As WebAppSec is not a field I have devoted any great length of time to in the past, I am starting out on this journey as a relative novice. As such, I have decided to chart my progress and learning for anybody else that may be interested. I will consider this climb accomplished …