Categories
Infrastructure

Bypass RPC Portmapper Filtering

Portmapper is a registry of Remote Procedure Call services including RPC Services number, version number, TCP/UDP port and protocol. It generally runs on port 111 TCP/UDP.

When a client wishes to connect to a service they first connect to the Portmapper, an administrator may filter this port beliving that it will prevent an attacker connecting to services offered, however this is not the case as an attacker may replicate the portmapper locally and proxy requests to the target machine.

Categories
Infrastructure

Enumerating Unix Remote Procedure Call (RPC) Services

Several interesting unix daemons, such as Network Information Service+, Network File System, and Common Desktop Environment, run as RPC services on dynamically assigned high ports. Theportmapper service (aka rpcbind) runs on port TCP/UDP 111 or 32771 and can be queried using rpcinfo to discover the available services and their port number.

The nmap documentation states that if portmapper is filtered, services can be identified directly using an nmap scan of high port ranges (TCP/UDP 32771-34000). RPC Grinding scan is done as part of an aggressive scan (-A) or can be called explicitly with -sR.

Attempting to connect to an RPC service when portmapper is filtered will result in an error similar to “RPC: Port mapper failure RPC: Unable to receive.” To work around this issue it is possible to create a local RPC portmapper and proxy the RPC endpoint connections through to the remote server

Categories
Web Application Security

HTML5: Cross Domain Messaging (PostMessage) Vulnerabilities

HTML5 PostMessages (also known as: Web Messaging, or Cross Domain Messaging) is a method of passing arbitrary data between domains. However if not implemented correctly it can lead to sensitive information disclosure or cross-site scripting vulnerabilities as it leaves origin validation up to the developer!

Categories
Web Application Security

Command Injection: The Good, the Bad and the Blind

Command Injection vulnerabilities are a class of application security issue where an attacker can cause the application to execute an underlying operating system command. For that reason it’s generally a high impact issue. It can be exploited simply by chaining commands along with the expected input by using shell control characters such as:

 ` & or |


Developers have a variety of reasons why they might want their web applications to execute underlying operating system commands. One example could be an application that allows a user to check if a host is online by pinging its IP address. The URL for this function could look something like this:

Categories
Web Application Security

Burp Suite vs CSRF Tokens: Round Two

So recently I wrote about writing burp extensions and I taught this through writing an extension to deal with CSRF tokens that are in each page, so as you navigate the site or fuzz a function you have to extract a token from each page to include it in the next request.

That’s not the only way to implement tokens though, and today I came across “the other way” during a Penetration Test so modified my original code and figured I’d share this version too!

Categories
Web Application Security

Burp Suite vs CSRF Tokens Part 2: CSRFTEI for Remote Tokens

The following is a version of my CSRF Extractor Burp Extension that works for remote tokens, the original sequential tokens version is available here. The following code is explained here.

Categories
Web Application Security

Burp Suite vs CSRF Tokens

Recently I wrote a quick HowTo about dealing with using Burp Suite against an application that invalidates your session whenever it spots a potential malicious payload. I wrote that a Burp Macro that can perform Automatic Reauthentication can overcome that issue. Another common issue that gets in the way of performing penetration tests against mobile applications is having to deal with anti cross-site request forgery tokens. These are tokens that an application embeds in a response and expects to see in the body of the subsequent request, if the token is ever missing or incorrect the request is ignored. This interferes terribly with Burp Suite tools such as repeater, intruder and scanner as by default these don’t handle the tokens and therefore the requests are all ignored. I get around this issue through the use of simple custom burp extensions and I wanted to share some notes about how surprisingly simple this is!

Categories
Web Application Security

Burp Suite vs CSRF Tokens: CSRFTEI

I wrote a very simple burp extension that can pull a token a CSRF token out of a response and update the next request with that token. It’s designed to be a simple as possible so it works for my lesson on writing burp extensions and if you’re lucky then all you need to do is update the script with the name of the token your target application uses and you’re good to go but it’s designed to be as easy to tweak to your needs as possible. I also wrote about how to install custom extensions here if you’ve not done that before, just copy and paste the below code into a file called csrftei.py and load that file into burp! The code is all available below and should be nicely commented to explain how everything works:

Categories
Web Application Security

Web Application Defense: Filtering User Input

Effectively filtering user input is one of the best ways to prevent an awful lot of web application vulnerabilities. There are several ways to approach this, each with their own pros and cons so I’ll run through them here an then you can think of the best way to combine them for your context. It’s important to remember though, that filters are context specific, there is not one filter that will work for a whole application and that’s what can make writing an effective filter tricky.

Categories
Web Application Security

Burp Macros: Automatic Re-authentication

During a recent penetration test I came up against a security feature that would invalidate my session whilst I was fuzzing if it saw simple attack strings, so if I used <script> anywhere then it’d kill my session. Most frustrating! Especially as it essentially prevented the use of tools such as Burp’s Active Scanner and it made using Repeater inconvenient too. So I quickly threw together a Burp Macro to handle automatic re-authentication for me and went back to fuzzing!

So here’s how to do that!