Categories
Web Application Security

ClickJacking and JavaScript KeyLogging in Iframes

This week I was asked some specific questions about the security of iframes. The questions came about from a PCI standpoint, for stores that use fully outsourced iframes for taking payment.

The question was, effectively: if an attacker can inject JavaScript into the framing (store) page, what effect can they have on the security of the site and of the payment page?

Short answer: The attacks are very limited.

Long answer:


Winning the Popularity Contest

Recently I took a look at a new social media/dating website and noticed an interesting feature – the site had a sort of “popularity contest” which runs every 30 days. Users vote on other users, scoring them out of 10, and whoever gets the most points wins their place at the top of the high-score table as officially the “Hottest Member”. So naturally I wanted to win!

Categories
Infrastructure Web Application Security

Vulnerability Assessments vs Penetration Tests

I occasionally see the terms Vulnerability Assessment and Penetration Test used interchangeably, or worse, phrases such as “Automated Penetration Test” – something that really pains me, as these are very distinct types of assessment. In this article I’d like to show the distinctions between the different types of assessment. Setting aside any argument over specific terminology, I aim to explain the different approaches that can be taken and the aims of each – regardless of what you choose to call them. I aim to help companies engage with their security assessment providers, to ensure that the service they’re getting is what they are expecting and that they are aware of the alternatives.


Cross-site Scripting (XSS): Life After the Alert Box

This is an advanced Cross-site Scripting (XSS) post; if you’re new to XSS, maybe try this one first: What is Cross-site Scripting?

During Penetration Tests I often see testers utilising Cross-site Scripting attacks, popping an alert(1) and stopping there; additionally, looking through the payloads used by other testers, I often find one area missing. So if you’re a tester, think about the payloads that you deploy and how you are testing for the type of vulnerability described below:


SQL Injection: Out-of-Band Exploitation

This is an advanced SQL Injection (SQLi) post; if you’re new to SQLi, maybe try this one first: Basics and Defence

Recently I had a fairly slow Time-Based SQL injection vulnerability, meaning that I could only pull a single character at a time with SQLmap, and each character took around 10 seconds to retrieve. An alternative approach in this situation is to use out-of-band retrieval. This is a concept that can be used when exploiting many vulnerabilities, such as SQL Injection, Command Injection, Cross-site Scripting and XML External Entity Injection.

The idea is fairly simple: instead of capturing the data you would like to retrieve and extracting it through Boolean logic, you can request that the system transmit the data over a protocol such as HTTP, SMB or DNS.


Hacking Web Applications: Getting Root Access to Web Servers

I’ve written previously about How To Become a Penetration Tester, listing things that employers would like to see from potential junior testers. I’ve written an awful lot about many web application vulnerabilities like Cross-site Scripting and Directory Traversal; I’ve even written about the methodology behind External Penetration Testing. However – until now I’ve not tied all of the little pieces together. Plus, one of the biggest things on the list of desirables for a junior tester’s CV is practice.


Introduction to Content Security Policy

Content Security Policy (CSP) is a built-in protection mechanism in web browsers that allows you to specify trusted sources for content such as JavaScript and allows you to block inline includes. It can effectively stop attacks such as Cross-site Scripting and ClickJacking.

The settings are configured server side and given to the web browser via a server response header, the “Content-Security-Policy” header. Here’s a simple example of one of these headers:

Content-Security-Policy: script-src 'self'; object-src 'self'

SQL Injection Filter Evasion with Sqlmap

Whenever I find a SQL injection vulnerability I always throw sqlmap at the injection point. It’s a simple, easy-to-use tool that will not only prove the vulnerability but allow you to extract data, gain command execution, and generally push further on with your penetration test. If I come across a filter or a web application firewall then I’ll habitually break out Burp Suite and start working on filter evasion manually; however, there’s often a simpler way.


VulnVM

Graceful’s VulnVM is a web application running on a virtual machine; it’s designed to simulate a simple eCommerce-style website which is purposely vulnerable to a number of well-known security issues commonly seen in web applications. This is really a pre-release preview of the project, but it’s certainly functional as it stands, and I’m planning on doing a lot of work on this in the near future.

The plan is ultimately to have the application vulnerable to a large number of issues, with a selection of different filters at different difficulty levels. That way, as testers become better at detecting and exploiting issues, the application can be hardened against common exploitation methods, giving testers a wider range of experience.

The first filters have now been implemented! The application now supports “levels” where Level 1 includes no real filtration of user input and Level 2 includes a simple filter for each vulnerable function.

The Virtual Machine is available for download here, in a 7-Zip archive (version 0.0.5, 900MB).

Currently it’s vulnerable to:
SQL Injection (Error-based)
SQL Injection (Blind)
Reflected Cross-Site Scripting
Stored Cross-Site Scripting
Insecure Direct-Object Reference
Username Enumeration
Path Traversal
Exposed phpinfo()
Exposed Administrative Interface
Weak Admin Credentials
Command Injection (Blind)
Command Injection (Non-blind)
Privilege Escalation

Extracting the Virtual Machine

Install p7zip to unzip *.7z files on Fedora:

sudo dnf install p7zip

Install p7zip to unzip *.7z files on Debian and Ubuntu:

sudo apt-get install p7zip

Extract the archive:

7z x Seattle-0.0.3.7z

Then you can simply start up the virtual machine using VirtualBox! The root user account has a password of PASSWORD.


Introduction to Directory Traversal

Directory Traversal, or path traversal, is a vulnerability in web applications that can allow an attacker to access files which they should not be able to, such as files outside of the application’s web root.