Month: February 2020

  • Inter-process communication (IPC)

    https://en.wikipedia.org/wiki/Inter-process_communication TIP: Authenticate once in IPC, no need to create a local account in Windows.

  • Exploit: XSS filename injection in Dropzone.js

https://stackoverflow.com/questions/39858211/security-how-to-prevent-xss-filename-injection-in-dropzone-js The web server must be running Linux. With the dropzone.js extension, it is possible on a Linux system to rename a legitimate filename and execute it with special characters like :

  • Browser Storage (Local/Session/IndexedDB)

💡 Cookies are covered in Cookies Attributes. Local Storage: display local storage. You usually cannot read local storage from other domains, unless some tricks involving iframes are used.

  • Web Messaging / Cross Document Messaging

    Test Web Messaging (WSTG-CLNT-11)

  • Cross Site Flashing

    Testing for Cross Site Flashing (WSTG-CLNT-08) Vulnerability with Adobe Flash.

  • Client-Side Resource Manipulation

    Testing for Client-Side Resource Manipulation (WSTG-CLNT-06)

  • Application Mis-use

    Test Defenses Against Application Mis-use (WSTG-BUSL-07)

  • Circumvention of Work Flows

    Testing for the Circumvention of Work Flows (WSTG-BUSL-06)

  • Number of Times a Function Can be Used Limits

    Test Number of Times a Function Can be Used Limits (WSTG-BUSL-05)

  • Process Timing

    Test for Process Timing (WSTG-BUSL-04)

  • Integrity Checks

    Test Integrity Checks (WSTG-BUSL-03)

  • Ability to Forge Requests

Forging requests is a method that attackers use to circumvent the front-end GUI application and directly submit information for back-end processing. The goal of the attacker is to send HTTP POST/GET requests through an intercepting proxy with data values that are not supported, guarded against, or expected by the application's business logic.

  • Weak Encryption

    Testing for Weak Encryption (WSTG-CRYP-04) BadSSL – examples

  • Sensitive Information Sent via Unencrypted Channels

    Testing for Sensitive Information Sent via Unencrypted Channels (WSTG-CRYP-03)

  • HTTP Incoming Requests

    Testing for HTTP Incoming Requests (WSTG-INPV-016)

  • HTTP Response Splitting / Web Cache Poisoning

    💡 See labs WebSecurityAcademy (PortSwigger) – Web cache poisoning. 💡 See labs WebSecurityAcademy (PortSwigger) – HTTP request smuggling (Exploiting HTTP request smuggling to perform web cache poisoning). HTTP response splitting is a form of web application vulnerability, resulting from the failure of the application or its environment to properly sanitize input values. It can be…

  • Incubated vulnerability

Testing for Incubated vulnerability (WSTG-INPV-014) Incubated testing is a complex form of testing that needs more than one data validation vulnerability to work.

  • IMAP / SMTP Injection

This threat affects all applications that communicate with mail servers (IMAP/SMTP), generally webmail applications. In IMAP/SMTP injection testing, testers check whether it is possible to inject arbitrary IMAP/SMTP commands into the mail servers because input data is not properly sanitized. An IMAP/SMTP Injection attack breaks the following pattern: Input -> IMAP/SMTP command == IMAP/SMTP…

  • LDAP Injection

Testing for LDAP Injection (WSTG-INPV-06) Blackhat Europe (PDF) LDAP injection testing is similar to SQL injection testing. The differences are that testers use the LDAP protocol instead of SQL and the target is an LDAP server instead of a SQL server. An LDAP Injection attack breaks the following pattern: Input -> Query LDAP == LDAP…

  • Social Media Enumeration

    Social Mapper – Social media enumeration & correlation tool (facial recognition)

  • ssh_bruteforce.sh

If you get the error “: Name or service not knownname” when running the script, execute the dos2unix command on all your files (IPs.txt, creds, etc.)

  • Search Technical Information

Whois: Whois – Website Whois Search. Registered information in public databases: get DNS servers (name servers), email of the admin, names, physical addresses, phone numbers, email addresses, IP addresses, DNS server names. Reverse lookup. Subdomains: use crt.sh (subdomains from certificates), sublist3r, GHDB. dnspop list of subdomains: https://github.com/bitquark/dnspop/tree/master/results Enumerate subdomains. NOTE: This interacts with the target…

  • Publicly Available Information

Company web pages: search for documents (with GHDB), review the HTML source code for comments, get a local copy with wget. Related organizations. Location details. Employee information: Inteltechniques. TorScraper (Darknet) – GoSecure. Useful search engines (need to clean up this section 😉): Shodan – search for devices connected to the internet. Wigle – database of wireless networks, with…

  • Placeholder images for pentests

LoremFlickr.com – e.g. https://loremflickr.com/320/240/alpaca. Place Kittens – e.g. http://placekitten.com/100/100. Dynamic Dummy Image Generator – e.g. https://dummyimage.com/100/ff6666&text=XSS. See also https://loremipsum.io/21-of-the-best-placeholder-image-generators/ and https://www.toptal.com/designers/subtlepatterns/. Free image stock: Pixabay. Use Tiny URL to shorten image links: https://tinyurl.com. Insert images

  • Vulnerable Targets

Vulnerable Web Application Lab. Vulnerable Targets. Metasploitable 2 Lab: Metasploitable 2 is an intentionally vulnerable Linux virtual machine. https://sourceforge.net/projects/metasploitable/files/Metasploitable2/ The default login and password is msfadmin:msfadmin. Never expose this VM to an untrusted network (use NAT or Host-only mode if you have any questions about what that means). Exploitation guide (with SPOILERS!): Download the metasploitable-linux-2.0.0.zip file. It includes Mutillidae. Fix…

  • Cisco Discovery Protocol (CDP)

    Cisco Discovery Protocol (CDP) quick reference.

  • Exploit 47995: Sudo 1.8.25p – Buffer Overflow (CVE-2019-18634)

If pwfeedback is enabled in sudoers, the stack overflow may allow unprivileged users to escalate to the root account. https://www.exploit-db.com/exploits/47995 Check if the server is vulnerable

  • URL Encoded Attacks

    https://www.cgisecurity.com/lib/URLEmbeddedAttacks.html