JSONP Vulnerabilities

Same Origin Policy (SOP) is a key security mechanism within the browser that I’ve written about previously. In short, it prevents applications at different origins from interacting with each other. An origin is defined as the domain name, application protocol, and port number. There are now features in HTML5 that allow cross origin communication called Cross Origin Resource Sharing and Cross Domain Messaging (postMessage) which addresses the possible business need for cross origin sharing, however before this a workaround was developed called JavaScript Serialised Object Notation with Padding (JSONP).

Read More

Data Breaches and Stock Prices

When talking to companies about the effects of hacking and data breaches I often talk to companies about the effect on stock prices and the potential for brand damage – but, does a security breach really cause a noticeable effect on share prices? Incidentally I was recently working on a script to pull historical stock data for companies at specific dates. So I figured I’d test drive the new script and pull some historic data for companies immediately following a breach, to show the ultra-short term affect on their share price. So I offer my raw data here without analysis and …

Read More

PrivEsc: Group Policy Preference Passwords

Group Policy Preferences (GPP) was an addition to Group Policy to extend its capabilities to, among other things, allow an administrator to configure: local administrator accounts (including their name and password), services or schedule tasks (including credentials to run as), and mount network drives when a user logs in (including connecting with alternative credentials). GPP are distributed just like normal group policy, meaning that an XML file is stored in the SYSLVOL share of the domain controllers and when a user logs in their system queries the share and pulls down the policy. This essentially means that a share exists …

Read More

Bypass RPC Portmapper Filtering

Portmapper is a registry of Remote Procedure Call services including RPC Services number, version number, TCP/UDP port and protocol. It generally runs on port 111 TCP/UDP. When a client wishes to connect to a service they first connect to the Portmapper, an administrator may filter this port beliving that it will prevent an attacker connecting to services offered, however this is not the case as an attacker may replicate the portmapper locally and proxy requests to the target machine.

Read More

Enumerating Unix Remote Procedure Call (RPC) Services

Several interesting unix daemons, such as Network Information Service+, Network File System, and Common Desktop Environment, run as RPC services on dynamically assigned high ports. Theportmapper service (aka rpcbind) runs on port TCP/UDP 111 or 32771 and can be queried using rpcinfo to discover the available services and their port number. The nmap documentation states that if portmapper is filtered, services can be identified directly using an nmap scan of high port ranges (TCP/UDP 32771-34000). RPC Grinding scan is done as part of an aggressive scan (-A) or can be called explicitly with -sR. Attempting to connect to an RPC service when portmapper is …

Read More

Command Injection: The Good, the Bad and the Blind

Command Injection vulnerabilities are a class of application security issue where an attacker can cause the application to execute an underlying operating system command. For that reason it’s generally a high impact issue. It can be exploited simply by chaining commands along with the expected input by using shell control characters such as: ` & or | Developers have a variety of reasons why they might want their web applications to execute underlying operating system commands. One example could be an application that allows a user to check if a host is online by pinging its IP address. The URL for …

Read More

Burp Suite vs CSRF Tokens: Round Two

So recently I wrote about writing burp extensions and I taught this through writing an extension to deal with CSRF tokens that are in each page, so as you navigate the site or fuzz a function you have to extract a token from each page to include it in the next request. That’s not the only way to implement tokens though, and today I came across “the other way” during a Penetration Test so modified my original code and figured I’d share this version too!

Read More