Tag Archives: security

Are we there yet?

There’s this constant debate when it comes to applications: is open source software more secure than proprietary software, or is it the other way round? In a nutshell, my point on the topic is that this comparison is wrong and the metrics are wrong as well. The amount of facts we have is not enough to make a comparison.

From Leviathan 6 to Leviathan 7

Another CTF post, but this time it is not a walkthrough.
There are some nice CTFs hosted here that I always forget to play. The following post is about different approaches and obviously it is meant for newcomers. I am pretty sure that an experienced CTF player has already come up with my solution.

n00bs CTF Lab write-up

Infosec Institute launched a CTF challenge some days ago. Having a lot of free time, I decided to take a look and have some fun.

Bypassing XSS Auditor in Google Chrome

I was playing around with a site belonging to the fellow writer blacktom, who also posts stuff on this blog. Anyway, blacktom developed this particular site about 7-8 years ago and made a classic mistake (no bad feelings :) ): he used encoding where he should have used encryption.

Successful exploitation of the flaw would result in a reflected XSS transported via the URL (GET method). Although this flaw could lead to more serious things (remember, PHP uses a problematic function to decode base64, which could lead to remote shells etc.), I just stored the URL somewhere; actually I have a bunch of .txt files with vulnerable sites that I have found from time to time.

Anyway, a long time ago I stopped using Chrome when pentesting, because the Firefox plugins allowed a significant extension of the features. Also, Chrome didn’t allow testing for XSS vulnerabilities. As luck would have it, I opened blacktom’s vulnerable app with Chrome and an alert stating XSS popped. Long story short, I tried various combinations, which all worked. So, bypassing the XSS Auditor is possible in another way; remember that <svg> tags allow a bypass too.

I went on, trying document.cookie and AJAX to this server, and all worked fine. I assumed that Chrome does no XSS auditing inside base64-encoded data. I filed a security bug about this, which I will come back to later. Anyway, the thing is that you can bypass the XSS Auditor in Chrome using base64 encoding wherever the web page under attack allows it :)

Back to the security bug: this is not the first time I have found a security bug in a piece of software and filed a report, but it is the first time that within a few hours I had a response from the developers that was immediate, clear and thankful. I had found vulnerabilities (commonly called 0days; btw, this is not a 0day 😛 ) before in major web applications and social networking sites, and either they didn’t respond or, even worse, their team couldn’t go further than TRUE or FALSE given the vulnerable variable and a classic string, for example an SQLi string.

So, congratulations to all the guys behind Chrome for the response and the product :)

File Inclusions with SQL.

Last time I posted something technical, it was about SQL injection. I described how to identify a vulnerable parameter and how to exploit it manually; it is also possible to use something FREE like sqlmap, or other free or commercial products.

This time we are going to talk about Local File Inclusion and Remote File Inclusion. So, what is file inclusion?

SQL Cheatsheets

I suppose you have already read this.

When I was writing the post “SQL injections” I mentioned that I didn’t know some MsSQL reserved words. This time I have some cheatsheets, mostly from darkc0de, but you can find everything on the web too. Remember “A dumb asks questions, a smart asks Google first” :)

Browser history cache

Let’s say you want to get data from a box but there’s no shell (remember “Where there is a shell, there is a way” - Unix :) ) or there is no alternative option to collect information about a user. Well, there is; now you have this.

This is proof-of-concept code by Zalewski, a Google security researcher.

Comments:
I tried it and it worked in both Opera and Chrome; Firefox with the NoScript add-on failed (obviously). Firefox without NoScript worked well enough.

Hopefully, I’ll comment more about this exploit sometime later :)

Have fun reading the PoC code :)

SQL injections

Databases are pieces of software that allow massive storage of data in a structured-by-the-developer order. All this data can be easily accessed using SQL language. The data can be anything, from text, personal identification number, credit card numbers or even files in certain cases. The success of those databases is that anyone with the proper authorization can access the data both fast and easily. The access is achieved by SQL. SQL stands for Structured Query Language. Continue reading