Tag: attack

Advanced sqlmap features – eval

I was always sad when I couldn’t use sqlmap when the injection was not very simple. Of course I always expected that to be my fault, that I didn’t spent enough time to configure sqlmap properly. So the other day when I tested an application and found an sql injection which was a pain in the neck to exploit manually, I rolled up my sleeves and started to look at source code of sqlmap to figure out some parameters which I never knew what they did. This blog post is about the --eval parameter which allows you to manipulate the requests before sending them.
Continue reading

CORS: Attacker Model

I am preparing myself for the Hacktivity conference in Budapest, where I am gonna talk about the security of the Cross-Origin Resource Sharing (CORS). As part of the preparation I will summarise my thoughts in a couple of blog posts.

To start off with I will describe the potential attackers who could try to use CORS in their attacks and I will build an attacker model.
Continue reading

Stack Adjustment by hand

When you are developing an exploit and you have very limited space for your payload you might need to adjust the stack to be able to use staged exploits. The problem, in case of a multi-stage payload, is that when the first stage that you send in your exploit payload starts to download the second stage, the stack pointer (ESP) might point to a place which is not far enough from the first stage in the memory; hence, the second stage might corrupt the code that you are executing. Stack adjustment is a technique that tries to solve this problem by setting the ESP to create more space for the second stage.
Continue reading

Here it is, the file upload CSRF

Recently I wanted to do a Cross Site Request Forgery Proof-of-Concept for a file upload functionality. As you might know it is not necessarily as easy as simple form CSRFs. Continue reading

SoapUI with Burp

In a recent project I tested a web service and we got a nice SoupUI project for it. SoupUI is a great tool but you somehow miss the nice features of Burp, such as the Intruder. But of course the idea comes immediately: why not to chain them? It turns out this is not as trivial as it seems for the first sight.
Continue reading

Shellcode wrapper for Linux

This post is about how to create Linux binary executable shellcodes using msfpayload.

Continue reading

Please, don’t use user supplied XSLT

I didn’t even want to write about this, because hopefully it is not a wide spread problem but it is such a catastrophic programming mistake which I saw in a production system that I felt the need to talk about it. So to summarize this blog post in one sentence: total client-side exploit using user defined XSLT.

Continue reading

Tricking the XML parser

Nowadays there are numerous web application frameworks to implement a rich web application. I have already written about one of them. These frameworks usually use AJAX and XmlHttpRequests filled with either XML or JSON. In this post I will write about the XML part. In that case the first step is always to fight with the XML parser on the server-side.
Continue reading

Revenge of XHTML

My colleague brought my attention to a really interesting ‘feature’ of browsers. Namely that XHTML namespaces in an XML document will be rendered as XHTML instead of XML. That means that if you can some way control an XML that will be rendered by the target’s browser, then you can insert HTML and of course JavaScript code. So this feature widens an XML injection to an endless attack vector.
Continue reading

Denial-of-Money attack

You could have read about a new interesting attack vector. It got the cool name of the Denail-of-Money attack. The first published case (which was actually an accident) was happened with an Associate Professor at Leonard N. Stern School of Business of New York University called Panos Ipeirotis.

His story in nutshell is that he made himself a more then $1700 Amazon AWS bill in a couple of hours. The root cause of the problem was that he shared 250 GB images in an S3 bucket. He used the thumbnails of these images in a Google spreadsheet. As it turned out Google in this case doesn’t cache content because it is considered private. Instead of caching Google simply downloaded all the 250GB every hour which costed a huge amount of money(although at the end Amazon refunded it).
Continue reading

© 2017 Æther Security Lab

Theme by Anders NorenUp ↑