Burp Suite vs CSRF Tokens: CSRFTEI

I wrote a very simple burp extension that can pull a token a CSRF token out of a response and update the next request with that token. It’s designed to be a simple as possible so it works for my lesson on writing burp extensions and if you’re lucky then all you need to do is update the script with the name of the token your target application uses and you’re good to go but it’s designed to be as easy to tweak to your needs as possible. I also wrote about how to install custom extensions here if you’ve …

Read More

Web Application Defense: Filtering User Input

Effectively filtering user input is one of the best ways to prevent an awful lot of web application vulnerabilities. There are several ways to approach this, each with their own pros and cons so I’ll run through them here an then you can think of the best way to combine them for your context. It’s important to remember though, that filters are context specific, there is not one filter that will work for a whole application and that’s what can make writing an effective filter tricky.

Read More

Burp Macros: Automatic Re-authentication

During a recent penetration test I came up against a security feature that would invalidate my session whilst I was fuzzing if it saw simple attack strings, so if I used <script> anywhere then it’d kill my session. Most frustrating! Especially as it essentially prevented the use of tools such as Burp’s Active Scanner and it made using Repeater inconvenient too. So I quickly threw together a Burp Macro to handle automatic re-authentication for me and went back to fuzzing! So here’s how to do that!

Read More

PrivEsc: Stealing Windows Access Tokens – Incognito

If an attacker is able to get SYSTEM level access to a workstation, for example by compromising a local administrator account, and a Domain Administrator account is logged in to that machine then it may be possible for the attacker to simply read the administrator’s access token in memory and steal it to allow them to impersonate that account. There’s a tool available to do this, it’s called Incognito.

Read More

Custom Rules for John the Ripper

Whilst Hashcat is often provable faster than John the Ripper, John is still my favourite. I find it simple to use, fast and the jumbo community patch (which I recommend highly) comes packed with hash types making it a versatile tool. One of the features of these tools, which is often unknown or at least under appreciated is the ability to create custom “rules” for teaching the tool how to dynamically generate potential passwords. Since Microsoft implemented “Password Complexity” and this was enforced around the globe, user have made the jump from a password of: password, to the [sarcasm] much …

Read More