Subdomain Hijcking – Notes links & tools

I had previously read about Subdomain hijacking, but in all honesty I didn’t really “get it”. All that changed starting with this Security Fest talk by Frans Rosén entitled: DNS hijacking using cloud providers: Or more accurately I really started to get this going through Frans’s slides of the talk: I don’t want to explain the premise of this to you as it’s one of those you have to investigate yourself to really get to grips with it. But what I will do to (hopefully) bring your learning time down is detail below all of the links Frans mentions plus those from my Read More

Climbing Mount WebAppSec – Chrome Extensions

As we move “client-side” browsers are evermore important as they effectively become our operating system – Chromebook for example. Many of the tasks we undertake were traditionally hosted inside the operating system but are now accessed via the browser – email and document processing being the prime examples. As a consequence browser security has become critical. In order to extend our browser functionality we are dependent on 3rd party extensions. It is vital we check the privileges granted these extensions as they often demand unnecessary invasive access. To give an example, I recently needed an simple PDF viewer Chrome extension and noted the Read More

Climbing Mount WebAppSec – Discovering Directories & Files with ZAP

This is the second part of my mini-series on “Domain Discovery”. The first part is here. Following Jason Haddix’s Bug Hunters Methodology I’m at phase three: Mapping Discovering the domain falls into two parts. The first to the left of the domain (subdomains) and the second to the right of the domain (Directories/Files). In this post I will cover directories/files. As with subdomains the premise in discovering directories/files is to firstly enlarge the attack surface and in the process find some easier wins. Directories and files may be forgotten in the mists of time, or may be part of the website admin/functionality the Read More

OWASP Juice Shop Vulnerable Webapp

A couple of weeks ago Björn Kimminich released the Juice Shop Vulnerable Web Application at the OWASP AppSec Europe conference in Belfast. Why another vulnerable webapp for target practice? This from Github: Main Selling Points: Easy-to-install: Choose between node.js, Docker and Vagrant to run on Windows/Mac/Linux Self-contained: Additional dependencies are pre-packaged or will be resolved and downloaded automatically Self-healing: The simple SQLite database is wiped and regenerated from scratch on every server startup Gamification: The application notifies you on solved challenges and keeps track of successfully exploited vulnerabilities on a Score Board CTF-support: Challenge notifications optionally show a flag code for your Read More

Climbing Mount WebAppSec – ZAP Directory Traversal

Whilst reading OWASP Testing Guide v4 I came across the section on testing for directory travseral and noted the “tools” at the bottom. Wfuzz and Dirbuster (the latter now incorporated into ZAP) I know about and will be dealing with in an upcoming “Discovering directories/files”. This left DotDotPwn and ZAP (Zed Attack Proxy) itself. Interestingly, DotDotPwn is incorporated into TrustedSec’s Penetrations Testers Toolkit (blogged about here) under “vulnerability-analysis“. So, quick and easy for me to fire up the tool and unleash it – however – I immediately hit a brick wall with URL’s not responding? It transpires this tool cannot easily handle HTTPS without a fair Read More

RUAG Breach – A lesson in cyber espionage tradecraft tools & techniques

Following a successful data breach of Swiss defense contractor RUAG – specialising in aerospace technology – the Swiss Governmental Computer Emergency Response Team (GovCERT) took the unusual step of publishing a comprehensive data breach report. The reasons given for publishing the report: …to give organizations the chance to check their networks for similar infections, and to show the modus operandi of the attacker group. You can download the summary technical report here (PDF) – 2 pages And the full espionage report here (PDF) – 34 Pages If the full report is a little TL;DR for your time or taste – or even Read More

Now that’s what I call a Hacker

I have to blog this, it’s hilarious and genius: Here’s an excerpt: xxx: OK, so, our build engineer has left for another company. The dude was literally living inside the terminal. You know, that type of a guy who loves Vim, creates diagrams in Dot and writes wiki-posts in Markdown… If something – anything – requires more than 90 seconds of his time, he writes a script to automate that. xxx: So we’re sitting here, looking through his, uhm, “legacy” xxx: You’re gonna love this [….] xxx: kumar-asshole.sh – scans the inbox for emails from “Kumar” (a DBA at our clients). Looks Read More